- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/.

This is part of the root partition (at least with default partitioning) and should be available earlier than /var/cache/apparmor/ (boo#1015249, boo#980081, bsc#1016259) - add dependency on var-lib.mount to apparmor.service as safety net OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=163
2017-01-24 14:23:09 +00:00 · 2017-01-24 14:23:09 +00:00 · 99869c0576
commit 99869c0576
parent 1a27f96919
3 changed files with 13 additions and 7 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,11 +1,11 @@
 -------------------------------------------------------------------
-Wed Jan 11 10:54:10 UTC 2017 - suse-beta@cboltz.de
+Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de

- delete /etc/apparmor.d/cache symlink. apparmor_parser will re-create
-  it as real directory. This is needed to avoid problems on boot if
-  /var/ is mounted too late (boo#1015249, boo#980081, bsc#1016259)
-  (Note: I'm not packaging /etc/apparmor.d/cache/ as directory to avoid
-  RPM update problems with the symlink -> directory change.)
+- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/.
+  This is part of the root partition (at least with default partitioning)
+  and should be available earlier than /var/cache/apparmor/
+  (boo#1015249, boo#980081, bsc#1016259)
+- add dependency on var-lib.mount to apparmor.service as safety net

 -------------------------------------------------------------------
 Tue Jan 10 22:15:56 UTC 2017 - suse-beta@cboltz.de
--- a/apparmor.service
+++ b/apparmor.service
@ -3,6 +3,7 @@ Description=Load AppArmor profiles
 DefaultDependencies=no
 Before=sysinit.target
 After=systemd-journald-audit.socket
+After=var-lib.mount
 ConditionSecurity=apparmor

 [Service]
@ -13,4 +14,4 @@ ExecStop=/etc/init.d/boot.apparmor stop
 RemainAfterExit=yes

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/apparmor.spec
+++ b/apparmor.spec
@ -559,6 +559,10 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
 %makeinstall -C profiles

 %makeinstall -C parser
+# default cache dir is /etc/apparmor.d/cache - not the best location.
+# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
+mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
+( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )

 %if %{with apache}
  %makeinstall -C changehat/mod_apparmor
@ -628,6 +632,7 @@ echo -------------------------------------------------------------------
 /sbin/apparmor_parser
 %dir %attr(-, root, root) %{_sysconfdir}/apparmor
 %dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/cache
 %if %{distro} == "suse"
  /sbin/rcsubdomain
  /sbin/rcapparmor