Accepting request 733858 from security:apparmor

- add abstractions-ssl-certbot-paths.diff - add certbot paths to abstractions/ssl_certs and abstractions/ssl_keys - add apparmor-krb5-conf-d.diff for kerberos client OBS-URL: https://build.opensuse.org/request/show/733858 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=130
2019-10-07 11:36:55 +00:00 · 2019-10-07 11:36:55 +00:00 · 8d5c8d0986
commit 8d5c8d0986
parent 905c5d44d8 433977903f
4 changed files with 85 additions and 0 deletions
--- a/abstractions-ssl-certbot-paths.diff
+++ b/abstractions-ssl-certbot-paths.diff
@ -0,0 +1,38 @@
+commit b5772e29efbc3c2325b4a2ba312bb4cf0c78f181
+Author: Christian Boltz <gitlab2@cboltz.de>
+Date:   Sun Jun 30 07:14:42 2019 +0000
+
+    Merge branch 'cboltz-2.13-certbot' into 'apparmor-2.13'
+    
+    [2.10..2.13] Add for Certbot on openSUSE Leap
+    
+    See merge request apparmor/apparmor!398
+    
+    Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
+    
+    (cherry picked from commit 14a11e67a5b8e06a5ba5080d9824df8010e28552)
+    
+    8b766451 Add for Certbot on openSUSE Leap
+
+diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
+index b5382ec9..789efc58 100644
+--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
+@@ -38,3 +38,7 @@
+   /etc/letsencrypt/archive/*/cert*.pem r,
+   /etc/letsencrypt/archive/*/chain*.pem r,
+   /etc/letsencrypt/archive/*/fullchain*.pem r,
+
+  /etc/certbot/archive/*/cert*.pem r,
+  /etc/certbot/archive/*/chain*.pem r,
+  /etc/certbot/archive/*/fullchain*.pem r,
+diff --git a/profiles/apparmor.d/abstractions/ssl_keys b/profiles/apparmor.d/abstractions/ssl_keys
+index 84f5c503..2de760b5 100644
+--- a/profiles/apparmor.d/abstractions/ssl_keys
+++ b/profiles/apparmor.d/abstractions/ssl_keys
+@@ -26,3 +26,5 @@
+ 
+   # certbot / letsencrypt
+   /etc/letsencrypt/archive/*/privkey*.pem r,
+
+  /etc/certbot/archive/*/privkey*.pem r,
--- a/apparmor-krb5-conf-d.diff
+++ b/apparmor-krb5-conf-d.diff
@ -0,0 +1,28 @@
+From 1e37af227ec977efe1a6b6454f5a801c4c04e886 Mon Sep 17 00:00:00 2001
+From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
+Date: Fri, 27 Sep 2019 18:34:20 -0300
+Subject: [PATCH] abstractions/kerberosclient: allow /etc/krb5.conf.d
+
+Permit the use of /etc/krb5.conf.d configuration snippets
+
+Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
+---
+ profiles/apparmor.d/abstractions/kerberosclient | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient
+index 8b08c146..7cb1f9e0 100644
+--- a/profiles/apparmor.d/abstractions/kerberosclient
+++ b/profiles/apparmor.d/abstractions/kerberosclient
+@@ -22,6 +22,8 @@
+ 
+   /etc/krb5.keytab            rk,
+   /etc/krb5.conf              r,
+  /etc/krb5.conf.d/           r,
+  /etc/krb5.conf.d/*          r,
+ 
+   # config files found via strings on libs
+   /etc/krb.conf               r,
+-- 
+2.23.0
+
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sat Sep 28 15:20:10 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
+
+- add abstractions-ssl-certbot-paths.diff - add certbot paths to
+  abstractions/ssl_certs and abstractions/ssl_keys
+
+-------------------------------------------------------------------
+Fri Sep 27 21:43:55 UTC 2019 - Luiz Angelo Daros de Luca <luizluca@tre-sc.jus.br>
+
+- add apparmor-krb5-conf-d.diff for kerberos client
+
 -------------------------------------------------------------------
 Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -65,6 +65,12 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff

+# allow /etc/krb5.conf.d/ for kerberos client (submitted upstream 2019-09-28 https://gitlab.com/apparmor/apparmor/merge_requests/425)
+Patch6:         apparmor-krb5-conf-d.diff
+
+# add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30)
+Patch7:         abstractions-ssl-certbot-paths.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -353,6 +359,8 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
+%patch6 -p1
+%patch7 -p1

 %build
 %define _lto_cflags %{nil}