From 99869c057632111a7a2cfd26a3928236ff358481cdc9b67ebf05c5290c865e0e Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Tue, 24 Jan 2017 14:23:09 +0000 Subject: [PATCH] - change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/. This is part of the root partition (at least with default partitioning) and should be available earlier than /var/cache/apparmor/ (boo#1015249, boo#980081, bsc#1016259) - add dependency on var-lib.mount to apparmor.service as safety net OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=163 --- apparmor.changes | 12 ++++++------ apparmor.service | 3 ++- apparmor.spec | 5 +++++ 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/apparmor.changes b/apparmor.changes index 063313f..65cbd2d 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,11 +1,11 @@ ------------------------------------------------------------------- -Wed Jan 11 10:54:10 UTC 2017 - suse-beta@cboltz.de +Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de -- delete /etc/apparmor.d/cache symlink. apparmor_parser will re-create - it as real directory. This is needed to avoid problems on boot if - /var/ is mounted too late (boo#1015249, boo#980081, bsc#1016259) - (Note: I'm not packaging /etc/apparmor.d/cache/ as directory to avoid - RPM update problems with the symlink -> directory change.) +- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/. + This is part of the root partition (at least with default partitioning) + and should be available earlier than /var/cache/apparmor/ + (boo#1015249, boo#980081, bsc#1016259) +- add dependency on var-lib.mount to apparmor.service as safety net ------------------------------------------------------------------- Tue Jan 10 22:15:56 UTC 2017 - suse-beta@cboltz.de diff --git a/apparmor.service b/apparmor.service index aabe5f0..9972c46 100644 --- a/apparmor.service +++ b/apparmor.service 
@@ -3,6 +3,7 @@ Description=Load AppArmor profiles DefaultDependencies=no Before=sysinit.target After=systemd-journald-audit.socket +After=var-lib.mount ConditionSecurity=apparmor [Service] @@ -13,4 +14,4 @@ ExecStop=/etc/init.d/boot.apparmor stop RemainAfterExit=yes [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/apparmor.spec b/apparmor.spec index c8c5918..6e54282 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -559,6 +559,10 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor %makeinstall -C profiles %makeinstall -C parser +# default cache dir is /etc/apparmor.d/cache - not the best location. +# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it +mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache +( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache ) %if %{with apache} %makeinstall -C changehat/mod_apparmor @@ -628,6 +632,7 @@ echo ------------------------------------------------------------------- /sbin/apparmor_parser %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d +%{_sysconfdir}/apparmor.d/cache %if %{distro} == "suse" /sbin/rcsubdomain /sbin/rcapparmor
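Review bot: `After=var-lib.mount` orders only against a unit with exactly that name, so it does nothing when `/var` itself is the separate filesystem (that unit would be `var.mount`), and `After=` alone never pulls a mount into the boot transaction. `RequiresMountsFor=/var/lib/apparmor/cache` would let systemd derive every mount unit on that path and add both the requirement and the ordering. Because the unit also sets `DefaultDependencies=no` and `Before=sysinit.target`, check that this does not create an ordering cycle on systems where /var is mounted late. If the cache is not reachable when the service runs, profile loading may be slow or may fail, which is the boot problem the commit message describes. The `[Unit]` section begins above the hunk.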
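Review bot: The `ln -s … cache` line packages `/etc/apparmor.d/cache` as a symlink, but RPM cannot replace an existing real directory with a symlink on update. The changelog entry this commit removes said apparmor_parser would re-create `cache` as a real directory, so any system that ran that intermediate revision may hold one. If that revision ever reached users, a `%pretrans` scriptlet that moves the old directory aside before unpacking would cover the upgrade; if it never shipped, a spec comment saying so would help the next maintainer. This hunk sits inside an install section that starts and ends outside it.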
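Review bot: The `%files` addition lists only the symlink `%{_sysconfdir}/apparmor.d/cache`; nothing in this hunk lists the directory it points to. Unless `%{_localstatedir}/lib/apparmor/cache` is already owned elsewhere in the spec, add `%dir %attr(0755, root, root) %{_localstatedir}/lib/apparmor/cache` so the target exists after install and is writable by root only. The cache holds compiled policy that the parser loads, so its owner and mode should be stated in the package rather than inherited from the build umask. The `%files` list continues outside the hunk.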