Accepting request 605723 from security:apparmor

- add fix-samba-profiles.patch - smbd loads new shared libraries. Allow winbindd to access new kerberos credential cache location (boo#1092099) (forwarded request 605463 from scabrero) OBS-URL: https://build.opensuse.org/request/show/605723 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=117
2018-05-13 13:53:56 +00:00 · 2018-05-13 13:53:56 +00:00 · ac076e38ff
commit ac076e38ff
parent 833755e1f3 77fc31b80c
3 changed files with 36 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue May  8 15:37:32 UTC 2018 - scabrero@suse.de
+
+- add fix-samba-profiles.patch - smbd loads new shared libraries.
+  Allow winbindd to access new kerberos credential cache location
+  (boo#1092099)
+
 -------------------------------------------------------------------
 Sun Apr 29 22:24:33 UTC 2018 - suse-beta@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -71,6 +71,9 @@ Patch9:         fix-apparmor-systemd-perms.diff
 # exclude the /etc/apparmor.d/cache.d directory from aa-logprof parsing
 Patch10:        logprof-skip-cache-d.diff

+# bug 1092099 - Allow smbd to load new shared libraries. Allow Winbindd to read and write new kerberos cache location
+Patch11:        fix-samba-profiles.patch
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -361,6 +364,7 @@ SubDomain.
 %patch8
 %patch9 -p1
 %patch10
+%patch11 -p1

 %build
 export SUSE_ASNEEDED=0
--- a/fix-samba-profiles.patch
+++ b/fix-samba-profiles.patch
@ -0,0 +1,25 @@
+diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
+index 8f54e9c0..cbd03bad 100644
+--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
+@@ -32,6 +32,8 @@
+   /usr/lib*/samba/charset/*.so mr,
+   /usr/lib*/samba/auth/script.so mr,
+   /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/auth/*.so mr,
+  /usr/lib*/samba/gensec/*.so mr,
+   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+   /usr/lib/@{multiarch}/samba/**/ r,
+diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
+index f5f8cc08..5a906c0e 100644
+--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
+@@ -20,6 +20,7 @@
+   @{PROC}/sys/kernel/core_pattern r,
+   /tmp/.winbindd/ w,
+   /tmp/krb5cc_* rwk,
+  /run/user/*/krb5cc/* rwk,
+   /usr/lib*/samba/gensec/krb*.so mr,
+   /usr/lib*/samba/idmap/*.so mr,
+   /usr/lib*/samba/nss_info/*.so mr,