diff --git a/apparmor.changes b/apparmor.changes index 6b8623f..4ca616e 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Apr 29 11:48:14 UTC 2022 - Christian Boltz + +- add php8-fpm-mr876.patch so that php8 php-fpm can read its config + (boo#1186267#c11) +- parser: add conflict with apparmor-utils < 3.0 to avoid aa-status + file conflict on upgrade (boo#1198958) +- utils: add missing dependency on apparmor-parser (boo#1198958#c4) + ------------------------------------------------------------------- Wed Apr 27 10:07:47 UTC 2022 - Dominique Leuenberger @@ -17,7 +26,7 @@ Wed Apr 13 13:38:29 UTC 2022 - Noel Power modify the existing smbd/winbind profiles and additionally add a new set of profiles to cater for the new functionality; (bnc#1198309); - + ------------------------------------------------------------------- Mon Apr 11 14:34:51 UTC 2022 - Noel Power diff --git a/apparmor.spec b/apparmor.spec index c0a0b58..9fc589d 100644 --- a/apparmor.spec +++ b/apparmor.spec 
@@ -77,24 +77,32 @@ Patch5: apparmor-lessopen-nfs-workaround.diff # make include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff + # bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd -# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860) +# merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860 # bsc#1195463 add rule to allow reading of openssl.cnf -# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) +# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 Patch7: update-samba-bgqd.diff + # bsc#1195463 add rule to allow reading of openssl.cnf -# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) +# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 Patch8: update-usr-sbin-smbd.diff -# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-16 https://gitlab.com/apparmor/apparmor/-/merge_requests/873) +# add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873 - master only) Patch9: zgrep-profile-mr870.diff -# squash noisy setsockopt calls https://gitlab.com/apparmor/apparmor/-/merge_requests/867 + +# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867 # bsc#1196850 Patch10: samba_deny_net_admin.patch + # support for new dcerpcd subsytem in >= samba-4.16 -# https://gitlab.com/apparmor/apparmor/-/merge_requests/871 +# merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871 # bsc#1198309 Patch11: samba-new-dcerpcd.patch + +# allow php8 php-fpm to read its config (from upstream master+3.0 
https://gitlab.com/apparmor/apparmor/-/merge_requests/876) +Patch12: php8-fpm-mr876.patch + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor @@ -135,6 +143,7 @@ BuildRequires: tomcat6 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later Group: Productivity/Networking/Security +Conflicts: apparmor-utils < 3.0 Obsoletes: libimnxcert < 2.9 Obsoletes: subdomain-leaf-cert < 2.9 Obsoletes: subdomain-parser < 2.9 @@ -281,6 +290,7 @@ SubDomain. Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles License: GPL-2.0-only AND LGPL-2.1-or-later Group: Productivity/Security +Requires: apparmor-parser Requires: libapparmor1 = %{version} Requires: python3-apparmor = %{version} Requires: python3-base @@ -362,6 +372,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %build %define _lto_cflags %{nil} diff --git a/php8-fpm-mr876.patch b/php8-fpm-mr876.patch new file mode 100644 index 0000000..00e2987 --- /dev/null +++ b/php8-fpm-mr876.patch 
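Review bot: In the `@@ -281,6 +290,7 @@` hunk of apparmor.spec, the added `Requires: apparmor-parser` is unversioned, while the two Requires directly below it are pinned with `= %{version}`. The changelog mentions an aa-status file conflict between the parser and utils packages, so the utils presumably expect the parser built from the same source. `Requires: apparmor-parser = %{version}` would stop a mixed-version install from satisfying the dependency; `>= 3.0` would at least mirror the new `Conflicts: apparmor-utils < 3.0`. The package section starts and ends outside the hunk, so a versioned dependency elsewhere in it cannot be ruled out from here.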
@@ -0,0 +1,46 @@
+From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001
+From: Christian Boltz
+Date: Mon, 18 Apr 2022 20:49:22 +0200
+Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php
+
+... and with that, make a rule in the php-fpm profile (which missed
+php8) superfluous.
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
+
+Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
+---
+ profiles/apparmor.d/abstractions/php | 3 +--
+ profiles/apparmor.d/php-fpm | 2 --
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php
+index ddafb0770..6bf0dc798 100644
+--- a/profiles/apparmor.d/abstractions/php
++++ b/profiles/apparmor.d/abstractions/php
+@@ -13,8 +13,7 @@
+ abi ,
+
+ # shared snippets for config files
+- /etc/php{,5,7,8}/**/ r,
+- /etc/php{,5,7,8}/**.ini r,
++ /etc/php{,5,7,8}/** r,
+
+ # Xlibs
+ /usr/X11R6/lib{,32,64}/lib*.so* mr,
+diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
+index b25762c50..14b3c7195 100644
+--- a/profiles/apparmor.d/php-fpm
++++ b/profiles/apparmor.d/php-fpm
+@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
+ # read the system certificates
+ include
+
+- /etc/php{,5,7}/** r,
+-
+ capability net_admin,
+ # change user/group of a pool
+ capability setuid,
+--
+GitLab
+
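Review bot: The replacement rule `/etc/php{,5,7,8}/** r,` in abstractions/php widens read access for every profile that includes the abstraction, not only php-fpm. The two removed rules limited it to directories and `*.ini` files; the new one covers any file under /etc/php*, which presumably includes FPM pool configuration that can carry `env[...]` or `php_admin_value` settings. Which profiles include the abstraction is not visible in this hunk, so that is worth checking before shipping. If only php-fpm needs the extra files, a narrower option is to leave the abstraction unchanged and extend the profile's own rule to `/etc/php{,5,7,8}/** r,`. Otherwise the Patch12 comment in apparmor.spec should record the wider scope, e.g. `# widen abstractions/php to read all of /etc/php{,5,7,8}/** (affects every profile including it)`.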