From 7a29d85d80803dd80484c3de02c3ab07004be0a5d169238e4f55a34454cdd0c3 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Mon, 22 Dec 2014 12:55:06 +0000
Subject: [PATCH] Accepting request 266140 from home:cbosdonnat:branches:security:apparmor - Fix dnsmasq profile to allow executing bash to run the --dhcp-script argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt leasehealper script to run even on x86_64. dnsmasq-profile-fixes.patch. boo#911001
OBS-URL: https://build.opensuse.org/request/show/266140
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=114
---
 apparmor.changes | 8 ++++++++
 apparmor.spec | 4 ++++
 dnsmasq-profile-fixes.patch | 22 ++++++++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 dnsmasq-profile-fixes.patch
diff --git a/apparmor.changes b/apparmor.changes
index da06493..7756345 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Dec 22 10:26:15 UTC 2014 - cbosdonnat@suse.com
+
+- Fix dnsmasq profile to allow executing bash to run the --dhcp-script
+ argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
+ leasehealper script to run even on x86_64.
+ dnsmasq-profile-fixes.patch. boo#911001
+
 -------------------------------------------------------------------
 Sun Dec 21 16:22:27 UTC 2014 - opensuse@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index d6a934d..6f75807 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -95,6 +95,9 @@ Patch6: apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7: apparmor-lessopen-profile.patch
+# boo#911001 - Allow executing --dhcp-client script
+Patch8: dnsmasq-profile-fixes.patch
+
 Url: https://launchpad.net/apparmor
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
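Review bot: The comment added above `Patch8` names the option as `--dhcp-client script`, while the changelog entry and the comment inside the patch itself both say `--dhcp-script`; it should read `# boo#911001 - Allow executing --dhcp-script argument`. Unlike the Patch7 comment directly above it, the new comment also does not record whether the change was submitted upstream, which is the information a maintainer needs to decide when the patch can be dropped.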
@@ -434,6 +437,7 @@ SubDomain.
 %patch6
 %patch7 -p1
+%patch8 -p1
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
diff --git a/dnsmasq-profile-fixes.patch b/dnsmasq-profile-fixes.patch
new file mode 100644
index 0000000..2ada5ba
--- /dev/null
+++ b/dnsmasq-profile-fixes.patch
@@ -0,0 +1,22 @@
+Index: apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
+===================================================================
+--- apparmor-2.9.0.orig/profiles/apparmor.d/usr.sbin.dnsmasq
++++ apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -44,6 +44,8 @@
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
++ /bin/bash ix, # Required to execute --dhcp-script argument
++
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+@@ -63,7 +65,7 @@
+ /{,var/}run/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+- /usr/lib/libvirt/libvirt_leaseshelper ix,
++ /usr/{lib,lib64}/libvirt/libvirt_leaseshelper ix,
+ /{,var/}run/leaseshelper.pid rwk,
+
+ # NetworkManager integration
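Review bot: The new rule `/bin/bash ix,` in the first inner hunk of usr.sbin.dnsmasq gives every dnsmasq instance confined by this profile the right to run a shell, not only setups that pass `--dhcp-script`, and the inline comment does not state that trade-off. Because the mode is `ix`, the shell inherits the dnsmasq profile and stays confined. The script file and any external command it runs still need their own rules, unless lines outside these hunks already grant them. I would extend the comment to say so, e.g. `/bin/bash ix, # shell for --dhcp-script; inherits this profile, script path and its commands need separate rules`, and consider a child profile (`Cx`) so the script's needs are kept apart from the network-facing daemon's permissions. The profile body starts and ends outside both inner hunks, so this is judged from the visible context only.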