Accepting request 480782 from home:kukuk:branches:security:apparmor

- Cleanup spec file: - don't use insserv if we afterwards call systemd, this can have bad side effects - remove dead code - remove now obsolete 'distro' checks - Replace init.d script with new wrapper working with systemd OBS-URL: https://build.opensuse.org/request/show/480782 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=172
2017-03-19 19:14:12 +00:00 · 2017-03-19 19:14:12 +00:00 · bba6e7bef6
commit bba6e7bef6
parent b8cc801318
4 changed files with 112 additions and 107 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com
 - Cleanup spec file:
  - don't use insserv if we afterwards call systemd, this can
    have bad side effects
  - remove dead code
  - remove now obsolete 'distro' checks
 - Replace init.d script with new wrapper working with systemd
 -------------------------------------------------------------------
 Thu Feb 16 14:08:55 UTC 2017 - jmatejek@suse.com
--- a/apparmor.service
+++ b/apparmor.service
@ -8,9 +8,9 @@ ConditionSecurity=apparmor
 [Service]
 Type=oneshot
-ExecStart=/etc/init.d/boot.apparmor start
+ExecStart=/lib/apparmor/apparmor.systemd start
-ExecReload=/etc/init.d/boot.apparmor reload
+ExecReload=/lib/apparmor/apparmor.systemd reload
-ExecStop=/etc/init.d/boot.apparmor stop
+ExecStop=/lib/apparmor/apparmor.systemd stop
 RemainAfterExit=yes
 [Install]
--- a/apparmor.spec
+++ b/apparmor.spec
@ -35,17 +35,6 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
 Name:           apparmor
 %if ! %{?distro:1}0
 %if %{?suse_version:1}0
  %define distro suse
 %endif
 %if %{?fedora_version:1}0
  %define distro redhat
 %endif
 %endif
 %if ! %{?distro:1}0
  %define distro suse
 %endif
 Version:        2.11.0
 Release:        0
 Summary:        AppArmor userlevel parser utility
@ -60,6 +49,7 @@ Source5:        update-trans.sh
 Source6:        baselibs.conf
 Source7:        apparmor-rpmlintrc
 Source8:        apparmor.service
 Source9:        apparmor.systemd
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1:         apparmor-enable-profile-cache.diff
@ -90,10 +80,6 @@ Patch10:        python3-drop-re-locale.patch
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %{distro} == "suse"
 PreReq:         %{insserv_prereq}
 PreReq:         aaa_base
 %endif
 %define apparmor_bin_prefix /lib/apparmor
 BuildRequires:  bison
 BuildRequires:  dejagnu
@ -149,10 +135,6 @@ Provides:       subdomain-parser-common = %{version}
 Provides:       subdomain-parser-demo = %{version}
 Provides:       subdomain_parser = %{version}
 Provides:       apparmor-parser(CAP_SYSLOG)
 # initscript needs /lib/lsb/init-functions from insserv/insserv-compat
 Requires:       insserv
 BuildRequires:  systemd-rpm-macros
 %{?systemd_requires}
@ -561,7 +543,12 @@ done
 # remove *.la files
 rm -fv %{buildroot}%{_libdir}/libapparmor.la
 # Adjust for systemd
 install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
 install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
 rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
 rm %{buildroot}/sbin/rcsubdomain
 ln -sf service %{buildroot}/sbin/rcapparmor
 echo -------------------------------------------------------------------
 #find -ls
@ -588,19 +575,14 @@ echo -------------------------------------------------------------------
 %dir %attr(-, root, root) %{_sysconfdir}/apparmor
 %dir %{_sysconfdir}/apparmor.d
 %{_sysconfdir}/apparmor.d/cache
-%if %{distro} == "suse"
+/sbin/rcapparmor
  /sbin/rcsubdomain
  /sbin/rcapparmor
  %{_sysconfdir}/init.d/boot.apparmor
 %else
  %{_sysconfdir}/init.d/apparmor
 %endif
 %{_unitdir}/apparmor.service
 %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
 %config(noreplace) %{_sysconfdir}/apparmor/parser.conf
 %{_localstatedir}/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
 %{apparmor_bin_prefix}/apparmor.systemd
 %doc %{_mandir}/man1/aa-enabled.1.gz
 %doc %{_mandir}/man1/aa-exec.1.gz
 %doc %{_mandir}/man1/exec.1.gz
@ -751,97 +733,25 @@ fi
 %endif
 %post parser
 %if %{distro} == "suse"
  # SUSE uses insserv
  # For package renaming from subdomain -> apparmor
  # we check the existence of the AppArmor 1.1 and
  # AppArmor 1.2 based init script to help determine
  # whether  we are upgrading
  SUBDOMAIN_PARSER_INSTALLED="no"
  if test -e %{_sysconfdir}/init.d/boot.subdomain -o -e %{_sysconfdir}/init.d/subdomain; then
    SUBDOMAIN_PARSER_INSTALLED="yes"
  fi
  if  test "$1" = 1  -a $SUBDOMAIN_PARSER_INSTALLED = "no"; then
    %{insserv_force_if_yast boot.apparmor}
  elif test -e %{_sysconfdir}/rc.d/boot.d/S??boot.subdomain  -o \
            -e %{_sysconfdir}/rc.d/boot.d/S??boot.apparmor  -o \
            -e %{_sysconfdir}/rc.d/rc3.d/S??subdomain ; then
    %{insserv_force_if_yast boot.apparmor}
  else
    %{fillup_and_insserv -f boot.apparmor}
  fi
 %endif
 %if %{distro} == "redhat" || %{distro} == "rhel4"
  chkconfig --add apparmor
 %endif
 %if %{distro} == "slackware"
  if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.M ; then true ; else
    %{apparmor_bin_prefix}/install/frob_slack_rc --init
  fi
  if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.K ; then true ; else
    %{apparmor_bin_prefix}/install/frob_slack_rc --shutdown
  fi
 %endif
 %service_add_post apparmor.service
 %preun parser
 if [ "$1" = 0 ] ; then
 %if %{distro} == "suse"
  %{stop_on_removal boot.apparmor}
 %endif
 %if %{distro} == "redhat" || %{distro} == "rhel4"
  chkconfig --del apparmor
 %endif
 fi
 %service_del_preun apparmor.service
 %postun parser
 %if %{distro} == "suse"
  #restart_on_update boot.apparmor - but non-broken (bnc#853019)
  test -n "$FIRST_ARG" || FIRST_ARG=$1
  if test "$FIRST_ARG" -ge 1 ; then
    if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
      test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
      /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
    fi
  fi
  %{insserv_cleanup} || true
 %endif
 # don't call try-restart, see bnc#853019
 export DISABLE_RESTART_ON_UPDATE="yes"
 %service_del_postun apparmor.service
 %post abstractions
-%if %{distro} == "suse"
+#restart_on_update boot.apparmor - but non-broken (bnc#853019)
-  #restart_on_update boot.apparmor - but non-broken (bnc#853019)
+systemctl is-active -q apparmor && /lib/apparmor/apparmor.systemd reload ||:
  # (copy&paste from parser postun script)
  test -n "$FIRST_ARG" || FIRST_ARG=$1
  if test "$FIRST_ARG" -ge 1 ; then
    if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
      test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
      /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
    fi
  fi
 %endif
 %post profiles
-%if %{distro} == "suse"
+# workaround for bnc#904620#c8 / lp#1392042
-  # workaround for bnc#904620#c8 / lp#1392042
+rm -f /var/lib/apparmor/cache/* 2>/dev/null
-  rm -f /var/lib/apparmor/cache/* 2>/dev/null
+#restart_on_update boot.apparmor - but non-broken (bnc#853019)
-  #restart_on_update boot.apparmor - but non-broken (bnc#853019)
+systemctl is-active -q apparmor && /lib/apparmor/apparmor.systemd reload ||:
  # (copy&paste from parser postun script)
  test -n "$FIRST_ARG" || FIRST_ARG=$1
  if test "$FIRST_ARG" -ge 1 ; then
    if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
      test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
      /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
    fi
  fi
 %endif
 %if %{with tomcat}
--- a/apparmor.systemd
+++ b/apparmor.systemd
@ -0,0 +1,85 @@
 #!/bin/sh
 APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
 aa_action()
 {
    echo $1
    shift
    "$@"
    return $?
 }
 aa_log_warning_msg()
 {
    echo "Warning: $@"
 }
 aa_log_failure_msg()
 {
    echo "Error: $@"
 }
 aa_log_action_start()
 {
    echo "$@"
 }
 aa_log_action_end()
 {
    echo -n
 }
 aa_log_daemon_msg()
 {
    echo "$@"
 }
 aa_log_skipped_msg()
 {
    echo "Skipped: $@"
 }
 aa_log_end_msg()
 {
    echo -n
 }
 # source apparmor function library
 if [ -f "${APPARMOR_FUNCTIONS}" ]; then
 	. ${APPARMOR_FUNCTIONS}
 else
 	aa_log_failure_msg "Unable to find AppArmor initscript functions"
 	exit 1
 fi
 case "$1" in
 	start)
 		apparmor_start
 		rc=$?
 		;;
 	stop)
 		apparmor_stop
 		rc=$?
 		;;
 	restart|reload|force-reload)
 		apparmor_restart
 		rc=$?
 		;;
 	try-restart)
 		apparmor_try_restart
 		rc=$?
 		;;
 	kill)
 		apparmor_kill
 		rc=$?
 		;;
 	status)
 		apparmor_status
 		rc=$?
 		;;
 	*)
 		exit 1
 		;;
 esac
 exit $rc