Accepting request 831960 from home:jfehlig:branches:security:apparmor

This needs to go upstream but hoping someone here more familiar with apparmor and its dev processes can do that. If not please let me know and I can give it a stab. - libvirt-leaseshelper.patch: add /usr/libexec as a path to the libvirt leaseshelper script (jsc#SLE-14253) OBS-URL: https://build.opensuse.org/request/show/831960 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=272
2020-09-06 10:18:31 +00:00 · 2020-09-06 10:18:31 +00:00 · 98bfbb94e5
commit 98bfbb94e5
parent a56c5e56bc
3 changed files with 42 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep  3 19:40:32 UTC 2020 - James Fehlig <jfehlig@suse.com>
+
+- libvirt-leaseshelper.patch: add /usr/libexec as a path to the
+  libvirt leaseshelper script (jsc#SLE-14253)
+
 -------------------------------------------------------------------
 Fri Aug  7 21:01:02 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -77,6 +77,10 @@ Patch11:        abstractions-X-xauth-mr582.diff
 # add CAP_BPF and CAP_PERFMON to severity.db (merged upstream 2020-08-07 https://gitlab.com/apparmor/apparmor/-/merge_requests/589 (2.11..master))
 Patch12:        sevdb-caps-mr589.diff

+# add /usr/libexec as a path for libvirt_leaseshelper script, jsc#SLE-14253
+# needs to go upstream
+Patch13:        libvirt-leaseshelper.patch
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -374,6 +378,7 @@ SubDomain.

 %patch11 -p1
 %patch12 -p1
+%patch13 -p1

 %build
 %define _lto_cflags %{nil}
--- a/libvirt-leaseshelper.patch
+++ b/libvirt-leaseshelper.patch
@ -0,0 +1,31 @@
+profiles: Add /usr/libexec as a path to the libvirt leaseshelper script
+
+openSUSE recently joined most distros in defining libexecdir as /usr/libexec.
+The SUSE libvirt package, which for a long time has set libexecdir to
+/usr/lib64/libvirt, needs to adopt. Jira SLE-14253 requests libvirt to use
+/usr/libexec. libvirt 6.7.0 will be hitting Factory soon with libexecdir
+set to /usr/libexec. Add it as a path for the libvirt_leaseshelper script.
+
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Index: apparmor-2.13.4/profiles/apparmor.d/usr.sbin.dnsmasq
+===================================================================
+--- apparmor-2.13.4.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.13.4/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -88,7 +88,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin
+   /{,var/}run/libvirt/network/*.pid rw,
+ 
+   # libvirt lease helper
+-  /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+  /usr/{lib/libvirt,lib64/libvirt,libexec}/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+ 
+   # lxc-net pid and lease files
+   /{,var/}run/lxc/dnsmasq.pid    rw,
+@@ -115,7 +115,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin
+ 
+     /etc/libnl-3/classid r,
+ 
+-    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+    /usr/{lib/libvirt,lib64/libvirt,libexec}/libvirt_leaseshelper m,
+ 
+     owner @{PROC}/@{pid}/net/psched r,
+     owner @{PROC}/@{pid}/status r,