Accepting request 81356 from security:apparmor:factory
- install SubDomain.pm compat module (bnc#713408) - Update to 2.6.1. - One patch eliminated - Lots of minor fixes - Split out more common abstractions - Add check_for_apparmor() helper. - dhcpd: Fix apparmor profile (bnc#692428) - Fixed typos in descriptions and summaries of apparmor.spec - move the requires and prerequires to the right package OBS-URL: https://build.opensuse.org/request/show/81356 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=20
parent
01f6bae72d
commit
c36abb7d55
@ -17,7 +17,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|||||||
|
|
||||||
--- a/profiles/apparmor.d/abstractions/nameservice
|
--- a/profiles/apparmor.d/abstractions/nameservice
|
||||||
+++ b/profiles/apparmor.d/abstractions/nameservice
|
+++ b/profiles/apparmor.d/abstractions/nameservice
|
||||||
@@ -70,6 +70,9 @@
|
@@ -72,6 +72,9 @@
|
||||||
# kerberos
|
# kerberos
|
||||||
#include <abstractions/kerberosclient>
|
#include <abstractions/kerberosclient>
|
||||||
|
|
||||||
|
@ -48,7 +48,7 @@
|
|||||||
# db backend
|
# db backend
|
||||||
/var/lib/misc/*.db r,
|
/var/lib/misc/*.db r,
|
||||||
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
||||||
@@ -58,6 +53,9 @@
|
@@ -60,6 +55,9 @@
|
||||||
# nis
|
# nis
|
||||||
#include <abstractions/nis>
|
#include <abstractions/nis>
|
||||||
|
|
||||||
|
File diff suppressed because it is too large
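--- a/apparmor-2.6.0-dhcpd
+++ b/apparmor-2.6.0-dhcpd
@@ -0,0 +1,34 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: dhcpd: Fix apparmor profile
+References: bnc#692428
+
+This patch adds the network rules needed, corrects the path to dhcpd.leases,
+and adds the path for TSIG DNS keys.
+
+Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
++++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+@@ -21,12 +21,17 @@
+capability setuid,
+capability sys_chroot,
+
++ network inet raw,
++ network packet raw,
++
+/db/dhcpd.leases* lrw,
+/etc/dhcpd.conf r,
+/etc/hosts.allow r,
+/etc/hosts.deny r,
+/usr/sbin/dhcpd rmix,
+- /var/lib/dhcp/dhcpd.leases* rwl,
++ /var/lib/dhcp/db/dhcpd.leases* rwl,
+/var/lib/dhcp/etc/dhcpd.conf r,
+/var/run/dhcpd.pid wl,
++ /etc/named.d/* r,
++ @{PROC}/net/dev r,
+}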
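Review bot: The added rule `/etc/named.d/* r,` lets the confined dhcpd read every file in that directory, although the patch description only asks for the TSIG DNS keys; if the key files follow a fixed naming pattern, a narrower glob would keep unrelated named configuration out of the daemon's reach. The new `network inet raw,` and `network packet raw,` rules and the key path carry no comment, so a line such as `# raw sockets for DHCP traffic; named.d holds TSIG keys for dynamic DNS updates` above them would record why the profile was widened. The profile's opening lines, including any `capability net_raw,` rule that raw sockets would normally need, are outside the hunk and could not be checked.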
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:b08f90ee4d6774d1fe176adfa5764e3d24a6b1976b249757f25203b52216f857
|
|
||||||
size 1240705
|
|
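--- a/apparmor-2.6.1.tar.bz2
+++ b/apparmor-2.6.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8b6d41181354a603bd0e1a79cb0a971339fd3366b12b18da3b648fe259ef915
+size 1242129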
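--- a/apparmor-compat-routines
+++ b/apparmor-compat-routines
@@ -0,0 +1,23 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: apparmor-utils: Add check_for_apparmor helper.
+
+This should be an alias but those get complicated quickly in perl.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+utils/Immunix/AppArmor.pm | 4 ++++
+1 file changed, 4 insertions(+)
+
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -463,6 +463,10 @@ sub check_for_subdomain () {
+return $sd_mountpoint;
+}
+
++sub check_for_apparmor () {
++ return check_for_subdomain();
++}
++
+sub which ($) {
+my $file = shift;
+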
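Review bot: The new `check_for_apparmor` is added right after `check_for_subdomain`, but the hunk does not touch the module's export list, so callers that import Immunix::AppArmor and call the new name unqualified will only resolve it if `@EXPORT` is updated elsewhere; that list is outside the hunk and worth checking. A one-line comment above the sub, such as `# Compat alias for check_for_subdomain(); returns the same mountpoint value.`, would keep the intent from the patch description in the code itself. The empty prototype matches the neighbouring `check_for_subdomain ()`, so it is at least consistent with the file's existing style.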
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
parser/tst/Makefile | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/parser/tst/Makefile
|
|
||||||
+++ b/parser/tst/Makefile
|
|
||||||
@@ -12,7 +12,7 @@ endif
|
|
||||||
all: tests
|
|
||||||
|
|
||||||
.PHONY: tests error_output gen_xtrans parser_sanity caching
|
|
||||||
-tests: error_output gen_xtrans parser_sanity caching
|
|
||||||
+tests: error_output gen_xtrans parser_sanity
|
|
||||||
|
|
||||||
gen_xtrans:
|
|
||||||
./gen-xtrans.pl
|
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
parser/rc.aaeventd.suse | 2 +-
|
parser/rc.aaeventd.suse | 2 +-
|
||||||
parser/rc.apparmor.functions | 14 +++++++-------
|
parser/rc.apparmor.functions | 9 ++++-----
|
||||||
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
|
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
|
||||||
3 files changed, 30 insertions(+), 9 deletions(-)
|
3 files changed, 27 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
--- a/parser/rc.aaeventd.suse
|
--- a/parser/rc.aaeventd.suse
|
||||||
+++ b/parser/rc.aaeventd.suse
|
+++ b/parser/rc.aaeventd.suse
|
||||||
@ -43,25 +43,6 @@
|
|||||||
fi
|
fi
|
||||||
aa_log_end_msg 0
|
aa_log_end_msg 0
|
||||||
return 0
|
return 0
|
||||||
@@ -412,7 +411,8 @@ remove_profiles() {
|
|
||||||
#them so stor to tmp first
|
|
||||||
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
|
|
||||||
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
|
|
||||||
- cat "$MODULE_PLIST" | while read profile ; do
|
|
||||||
+ # Skip subprofiles, they'll be removed with the owning profile
|
|
||||||
+ grep -v // "$MODULE_PLIST" | while IFS= read profile ; do
|
|
||||||
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
|
|
||||||
rc=$?
|
|
||||||
if [ ${rc} -ne 0 ] ; then
|
|
||||||
@@ -427,7 +427,7 @@ apparmor_stop() {
|
|
||||||
aa_log_daemon_msg "Unloading AppArmor profiles "
|
|
||||||
remove_profiles
|
|
||||||
rc=$?
|
|
||||||
- log_end_msg $rc
|
|
||||||
+ aa_log_end_msg $rc
|
|
||||||
return $rc
|
|
||||||
}
|
|
||||||
|
|
||||||
--- a/parser/rc.apparmor.suse
|
--- a/parser/rc.apparmor.suse
|
||||||
+++ b/parser/rc.apparmor.suse
|
+++ b/parser/rc.apparmor.suse
|
||||||
@@ -31,6 +31,7 @@
|
@@ -31,6 +31,7 @@
|
||||||
|
@ -1,7 +1,16 @@
|
|||||||
Index: apparmor-2.6.0/parser/rc.apparmor.functions
|
From: Federic Crozat <fcrozat@suse.com>
|
||||||
===================================================================
|
Subkect: apparmor: Let systemd automount securityfs
|
||||||
--- apparmor-2.6.0.orig/parser/rc.apparmor.functions
|
References: bnc#704460
|
||||||
+++ apparmor-2.6.0/parser/rc.apparmor.functions
|
|
||||||
|
Do not mount securityfs when running under systemd, just access
|
||||||
|
the directory, systemd will automount it
|
||||||
|
|
||||||
|
---
|
||||||
|
parser/rc.apparmor.functions | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/parser/rc.apparmor.functions
|
||||||
|
+++ b/parser/rc.apparmor.functions
|
||||||
@@ -295,7 +295,7 @@ is_apparmor_loaded() {
|
@@ -295,7 +295,7 @@ is_apparmor_loaded() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
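Review bot: The rewritten patch header spells the tag as `Subkect:`, so anything that reads the `Subject:` line from patch headers will likely not pick up the description; it should read `Subject: apparmor: Let systemd automount securityfs`. The `From:` name `Federic Crozat` may also be a misspelling of the author's name and is worth confirming against the `fcrozat@suse.com` changelog entry.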
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de
|
||||||
|
|
||||||
|
- install SubDomain.pm compat module (bnc#713408)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 3 02:46:08 CEST 2011 - jeffm@suse.de
|
||||||
|
|
||||||
|
- Update to 2.6.1.
|
||||||
|
- One patch eliminated
|
||||||
|
- Lots of minor fixes
|
||||||
|
- Split out more common abstractions
|
||||||
|
- Add check_for_apparmor() helper.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 2 17:07:43 CEST 2011 - jeffm@suse.de
|
||||||
|
|
||||||
|
- dhcpd: Fix apparmor profile (bnc#692428)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com
|
Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com
|
||||||
|
|
||||||
@ -5,12 +24,22 @@ Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com
|
|||||||
when running under systemd, just access the directory, systemd
|
when running under systemd, just access the directory, systemd
|
||||||
will automount it (bnc#704460).
|
will automount it (bnc#704460).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jul 17 20:04:18 UTC 2011 - andrea.turrini@gmail.com
|
||||||
|
|
||||||
|
- Fixed typos in descriptions and summaries of apparmor.spec
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jun 24 16:02:21 CEST 2011 - jeffm@suse.de
|
Fri Jun 24 16:02:21 CEST 2011 - jeffm@suse.de
|
||||||
|
|
||||||
- Fixed building of pam_apparmor to properly link libpam (bnc#696553).
|
- Fixed building of pam_apparmor to properly link libpam (bnc#696553).
|
||||||
- Fixed building of apache2-mod_apparmor to properly link (bnc#701821).
|
- Fixed building of apache2-mod_apparmor to properly link (bnc#701821).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jun 21 09:54:28 UTC 2011 - coolo@novell.com
|
||||||
|
|
||||||
|
- move the requires and prerequires to the right package
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Apr 27 17:28:58 UTC 2011 - opensuse@cboltz.de
|
Wed Apr 27 17:28:58 UTC 2011 - opensuse@cboltz.de
|
||||||
|
|
||||||
|
@ -45,8 +45,8 @@ Name: apparmor
|
|||||||
%define distro suse
|
%define distro suse
|
||||||
%endif
|
%endif
|
||||||
Summary: AppArmor userlevel parser utility
|
Summary: AppArmor userlevel parser utility
|
||||||
Version: 2.6.0
|
Version: 2.6.1
|
||||||
Release: 58
|
Release: 56
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Source0: apparmor-%{version}.tar.bz2
|
Source0: apparmor-%{version}.tar.bz2
|
||||||
Source1: %{name}-profile-editor.png
|
Source1: %{name}-profile-editor.png
|
||||||
@ -54,7 +54,6 @@ Source2: %{name}-profile-editor.desktop
|
|||||||
Source3: update-trans.sh
|
Source3: update-trans.sh
|
||||||
|
|
||||||
Patch1: apparmor-scripts
|
Patch1: apparmor-scripts
|
||||||
Patch2: apparmor-no-caching-test
|
|
||||||
Patch3: apparmor-utils-add-log-types
|
Patch3: apparmor-utils-add-log-types
|
||||||
Patch4: apparmor-utils-filenames-in-slash
|
Patch4: apparmor-utils-filenames-in-slash
|
||||||
Patch5: apparmor-utils-string-split
|
Patch5: apparmor-utils-string-split
|
||||||
@ -75,6 +74,8 @@ Patch19: klog-needs-CAP_SYSLOG
|
|||||||
Patch20: apparmor-profiles-dhclient
|
Patch20: apparmor-profiles-dhclient
|
||||||
Patch21: apparmor-utils-subdomain-compat
|
Patch21: apparmor-utils-subdomain-compat
|
||||||
Patch22: apparmor-securityfs-systemd.patch
|
Patch22: apparmor-securityfs-systemd.patch
|
||||||
|
Patch23: apparmor-2.6.0-dhcpd
|
||||||
|
Patch24: apparmor-compat-routines
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Url: https://launchpad.net/apparmor
|
Url: https://launchpad.net/apparmor
|
||||||
@ -99,12 +100,6 @@ BuildRequires: python-devel swig
|
|||||||
BuildRequires: ruby-devel swig
|
BuildRequires: ruby-devel swig
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with pam}
|
|
||||||
BuildRequires: pam-devel
|
|
||||||
Requires: pam pam-config
|
|
||||||
PreReq: pam pam-config
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{with apache}
|
%if %{with apache}
|
||||||
BuildRequires: apache2-devel
|
BuildRequires: apache2-devel
|
||||||
%endif
|
%endif
|
||||||
@ -246,7 +241,7 @@ Obsoletes: perl-libapparmor < 2.5
|
|||||||
|
|
||||||
%description -n perl-apparmor
|
%description -n perl-apparmor
|
||||||
This package provides the perl interface to AppArmor. It is used for perl
|
This package provides the perl interface to AppArmor. It is used for perl
|
||||||
applications interfacing with AppArmor, including the AppArmor utiltities.
|
applications interfacing with AppArmor, including the AppArmor utilities.
|
||||||
|
|
||||||
Authors:
|
Authors:
|
||||||
--------
|
--------
|
||||||
@ -365,8 +360,11 @@ Authors:
|
|||||||
|
|
||||||
%package -n pam_apparmor
|
%package -n pam_apparmor
|
||||||
License: GPLv2 ; LGPLv2.1+
|
License: GPLv2 ; LGPLv2.1+
|
||||||
Summary: PAM module to for AppArmor change_hat
|
Summary: PAM module for AppArmor change_hat
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
|
BuildRequires: pam-devel
|
||||||
|
Requires: pam pam-config
|
||||||
|
PreReq: pam pam-config
|
||||||
|
|
||||||
%description -n pam_apparmor
|
%description -n pam_apparmor
|
||||||
The pam_apparmor module provides the means for any PAM applications
|
The pam_apparmor module provides the means for any PAM applications
|
||||||
@ -422,7 +420,7 @@ Summary: An AppArmor event notification applet for GNOME
|
|||||||
Group: System/GUI/GNOME
|
Group: System/GUI/GNOME
|
||||||
|
|
||||||
%description -n apparmorapplet-gnome
|
%description -n apparmorapplet-gnome
|
||||||
This taskbar applet recieves AppArmor events over DBUS, and notifies
|
This taskbar applet receives AppArmor events over DBUS, and notifies
|
||||||
the user when AppArmor prevents an application from functioning.
|
the user when AppArmor prevents an application from functioning.
|
||||||
|
|
||||||
|
|
||||||
@ -448,7 +446,6 @@ SubDomain.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
@ -469,6 +466,8 @@ SubDomain.
|
|||||||
%patch20 -p1
|
%patch20 -p1
|
||||||
%patch21 -p1
|
%patch21 -p1
|
||||||
%patch22 -p1
|
%patch22 -p1
|
||||||
|
%patch23 -p1
|
||||||
|
%patch24 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export SUSE_ASNEEDED=0
|
export SUSE_ASNEEDED=0
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
--- a/parser/parser_misc.c
|
--- a/parser/parser_misc.c
|
||||||
+++ b/parser/parser_misc.c
|
+++ b/parser/parser_misc.c
|
||||||
@@ -125,6 +125,9 @@ static int get_table_token(const char *n
|
@@ -129,6 +129,9 @@ static int get_table_token(const char *n
|
||||||
static struct keyword_table capability_table[] = {
|
static struct keyword_table capability_table[] = {
|
||||||
/* capabilities */
|
/* capabilities */
|
||||||
#include "cap_names.h"
|
#include "cap_names.h"
|
||||||
@ -15,7 +15,7 @@
|
|||||||
/* terminate */
|
/* terminate */
|
||||||
{NULL, 0}
|
{NULL, 0}
|
||||||
};
|
};
|
||||||
@@ -783,6 +786,7 @@ static const char *capnames[] = {
|
@@ -866,6 +869,7 @@ static const char *capnames[] = {
|
||||||
"audit_control",
|
"audit_control",
|
||||||
"setfcap",
|
"setfcap",
|
||||||
"mac_override"
|
"mac_override"
|
||||||
|