Accepting request 102458 from security:apparmor:factory

- Update to AppArmor 2.7.2 (= 2.7 branch / r1894) - move various permissions from httpd2-prefork profile to abstractions/apache2-common. Backward-incompatible change: *.htaccess files are no longer allowed for ^HANDLING_UNTRUSTED_INPUT - allow access for more /usr/lib*/samba/ files for smbd (bnc#725967#c5) - allow various .conf files for dovecot (lp#458922) - disallow wl for *.so in @{HOME}/.pki/nssdb/ in abstractions/private-files and abstractions/private-files-strict (lp#911847) - update abstractions/kde, private-files* and ubuntu-browsers.d/user-files to use ~/.kde4, not only ~/.kde (bnc#741592) - block write access to ~/.kde{,4}/env in abstractions/private-files (lp#914190) - allow write access for personal dictionary etc. in abstractions/aspell (lp#917859) - when using genprof for a script, include read access to the script itsself - automatically include abstractions/python or abstractions/ruby for python/ruby scripts - add profile for smbldap-useradd and allow smbd to call it (bnc#738041) - allow creation of the .config directory in abstractions/enchant (lp#914184) - allow TFTP read-only access in dnsmasq profile (lp#905412) - allow capability dac_read_search for syslog-ng (bnc#731876) - add p11-kit abstraction and include it in abstractions/authentification (lp#912754, lp#912752) - add audacity to abstractions/ubuntu-media-players (lp#899963) - allow software-center, fireclam plugin, [tT]unar, exo-open, kate and /dev/nvidia* in abstractons/ubuntu-browsers.d/* (lp#662906, lp#562831, lp#890894, lp#890894, lp#884748) - fix typo for multiarch gconf-modules in abstractions/base (lp#904548) - allow avahi to do dbus introspection (lp#769148) - allow access to ~/.fonts.conf.d in abstractions/fonts (lp#870992) - allow transmission in abstractions/ubuntu-bittorrent-clients (lp#852062) - allow reading ~/.cups/client.conf and ~/.cups/lpoptions in abstractions/cups-client (lp#887992) - allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py in abstractions/python (lp#860856) - various updates to the sshd profile (lp#817956) - (and some more changes I already included in the apparmor-2.7-branch.diff) OBS-URL: https://build.opensuse.org/request/show/102458 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=32
2012-02-02 16:56:20 +00:00 · 2012-02-02 16:56:20 +00:00 · c958d9cad3
commit c958d9cad3
parent b2f1c70e39
6 changed files with 64 additions and 63 deletions
--- a/apparmor-2.7-branch.diff
+++ b/apparmor-2.7-branch.diff
@ -1,36 +0,0 @@
-svn diff -r1858..1861 > 2.7-branch.diff
-
-=== modified file 'profiles/Makefile'
--- profiles/Makefile	2011-10-19 22:23:19 +0000
-+++ profiles/Makefile	2012-01-03 22:45:00 +0000
-@@ -56,6 +56,7 @@
-                           ${PROFILES_DEST}/program-chunks \
-                           ${PROFILES_DEST}/tunables \
-                           ${PROFILES_DEST}/tunables/home.d \
-+                          ${PROFILES_DEST}/tunables/multiarch.d \
-                           ${PROFILES_DEST}/local
- 	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
- 	install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions
-
-=== modified file 'profiles/apparmor.d/abstractions/python'
--- profiles/apparmor.d/abstractions/python	2011-11-30 16:56:45 +0000
-+++ profiles/apparmor.d/abstractions/python	2012-01-03 20:23:30 +0000
-@@ -31,4 +31,4 @@
-   /usr/lib/wx/python/*.pth r,
- 
-   # python build configuration and headers
-  /usr/include/python{2,3}.[0-7]*/pyconfig.h
-+  /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
-
-=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd	2011-11-01 17:28:49 +0000
-+++ profiles/apparmor.d/usr.sbin.smbd	2011-12-30 20:55:58 +0000
-@@ -21,6 +21,7 @@
-   capability sys_tty_config,
- 
-   /etc/mtab r,
-+  /etc/netgroup r,
-   /etc/printcap r,
-   /proc/*/mounts r,
-   /proc/sys/kernel/core_pattern r,
-
--- a/apparmor-2.7.0.tar.gz
+++ b/apparmor-2.7.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ff8a2f49f902faa78e502590c65d3850fb9a2a3453bef0dc1f99e947c52fc60f
-size 1399442
--- a/apparmor-2.7.2.tar.gz
+++ b/apparmor-2.7.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42deb8cbf4937fac07a48ec8427b90131e92ed2f83b606beee092bdb4fc2a41f
+size 1403151
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
-@@ -42,6 +42,10 @@
+@@ -46,6 +46,10 @@
 
   @{HOMEDIRS}/** lrwk,
 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Tue Jan 31 09:53:06 UTC 2012 - opensuse@cboltz.de
+
+- Update to AppArmor 2.7.2 (= 2.7 branch / r1894)
+  - move various permissions from httpd2-prefork profile to
+    abstractions/apache2-common. Backward-incompatible change: *.htaccess
+    files are no longer allowed for ^HANDLING_UNTRUSTED_INPUT
+  - allow access for more /usr/lib*/samba/ files for smbd (bnc#725967#c5)
+  - allow various .conf files for dovecot (lp#458922)
+  - disallow wl for *.so in @{HOME}/.pki/nssdb/ in abstractions/private-files
+    and abstractions/private-files-strict (lp#911847)
+  - update abstractions/kde, private-files* and ubuntu-browsers.d/user-files
+    to use ~/.kde4, not only ~/.kde (bnc#741592)
+  - block write access to ~/.kde{,4}/env in abstractions/private-files
+    (lp#914190)
+  - allow write access for personal dictionary etc. in abstractions/aspell
+    (lp#917859)
+  - when using genprof for a script, include read access to the script itsself
+  - automatically include abstractions/python or abstractions/ruby for
+    python/ruby scripts
+  - add profile for smbldap-useradd and allow smbd to call it (bnc#738041)
+  - allow creation of the .config directory in abstractions/enchant (lp#914184)
+  - allow TFTP read-only access in dnsmasq profile (lp#905412)
+  - allow capability dac_read_search for syslog-ng (bnc#731876)
+  - add p11-kit abstraction and include it in abstractions/authentification
+    (lp#912754, lp#912752)
+  - add audacity to abstractions/ubuntu-media-players (lp#899963)
+  - allow software-center, fireclam plugin, [tT]unar, exo-open, kate and
+    /dev/nvidia* in abstractons/ubuntu-browsers.d/* (lp#662906, lp#562831,
+    lp#890894, lp#890894, lp#884748)
+  - fix typo for multiarch gconf-modules in abstractions/base (lp#904548)
+  - allow avahi to do dbus introspection (lp#769148)
+  - allow access to ~/.fonts.conf.d in abstractions/fonts (lp#870992)
+  - allow transmission in abstractions/ubuntu-bittorrent-clients (lp#852062)
+  - allow reading ~/.cups/client.conf and ~/.cups/lpoptions in
+    abstractions/cups-client (lp#887992)
+  - allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py in
+    abstractions/python (lp#860856)
+  - various updates to the sshd profile (lp#817956)
+  - (and some more changes I already included in the apparmor-2.7-branch.diff)
+
 -------------------------------------------------------------------
 Tue Jan  3 23:52:38 UTC 2012 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -43,19 +43,17 @@ Name:           apparmor
 %if ! %{?distro:1}0
  %define distro suse
 %endif
-Version:        2.7.0
-Release:        1
-%define versiondir        2.7.0
+Version:        2.7.2
+Release:        0
+%define versiondir        2.7.2
 Summary:        AppArmor userlevel parser utility
+License:        GPL-2.0+
 Group:          Productivity/Networking/Security
 Source0:        apparmor-%{version}.tar.gz
 Source1:        %{name}-profile-editor.png
 Source2:        %{name}-profile-editor.desktop
 Source3:        update-trans.sh

-# upstream changes since the 2.7 release
-Patch0:         apparmor-2.7-branch.diff
-
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1:         apparmor-enable-profile-cache.diff

@ -79,7 +77,6 @@ Patch15:        apparmor-remove-repo
 # remove after 12.1 release - bnc#720617 #c7
 Patch21:        apparmor-utils-subdomain-compat

-License:        GPLv2+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -142,8 +139,8 @@ BuildRequires:  pkgconfig(dbus-1)
 %endif

 %package parser
-License:        GPLv2+
 Summary:        AppArmor userlevel parser utility
+License:        GPL-2.0+
 Group:          Productivity/Networking/Security
 Obsoletes:      subdomain_parser < %{version}
 Obsoletes:      subdomain-parser < %{version}
@ -167,8 +164,8 @@ This package is part of a suite of tools that used to be named
 SubDomain.

 %package docs
-License:        GPLv2+
 Summary:        AppArmor Documentation package
+License:        GPL-2.0+
 Group:          Documentation/Other
 BuildArch:      noarch

@ -181,8 +178,8 @@ SubDomain.
 %if %{with apache}

 %package -n apache2-mod_apparmor
-License:        GPLv2+
 Summary:        AppArmor module for apache2
+License:        GPL-2.0+
 Group:          Productivity/Security

 %description -n apache2-mod_apparmor
@ -198,8 +195,8 @@ The documentation is in the apparmor-admin_en package.
 %endif

 %package -n libapparmor1
-License:        LGPLv2.1+
 Summary:        Utility library for AppArmor
+License:        LGPL-2.1+
 Group:          Development/Libraries/C and C++
 %ifarch ppc64
 Obsoletes:      libapparmor-64bit < %{version}
@ -216,8 +213,8 @@ change_hat(2) symbol, used for sub-process confinement by AppArmor, as
 well as functions to parse AppArmor log messages.

 %package -n libapparmor-devel
-License:        LGPLv2.1+
 Summary:        Development headers and libraries for libapparmor
+License:        LGPL-2.1+
 Group:          Development/Libraries/C and C++
 Requires:       libapparmor1 = %{version}
 Provides:       libapparmor:/usr/include/sys/apparmor.h
@ -227,8 +224,8 @@ These libraries are needed for developing software that makes use of the
 AppArmor API.

 %package -n perl-apparmor
-License:        GPLv2 ; LGPLv2.1+
 Summary:        Perl interface for libapparmor functions
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Development/Libraries/Perl
 Requires:       libapparmor1 = %{version}
 Requires:       perl = %{perl_version}
@ -248,8 +245,8 @@ applications interfacing with AppArmor, including the AppArmor utilities.
 %if %{with python}

 %package -n python-apparmor
-License:        GPLv2 ; LGPLv2.1+
 Summary:        Python interface for libapparmor functions
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Development/Libraries/Python
 BuildRequires:  python
 Requires:       libapparmor1 = %{version}
@ -266,8 +263,8 @@ applications interfacing with AppArmor.
 %if %{with ruby}

 %package -n ruby-apparmor
-License:        GPLv2 ; LGPLv2.1+
 Summary:        Ruby interface for libapparmor functions
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Development/Libraries/Ruby
 Requires:       libapparmor1 = %{version}
 Requires:       ruby = %{ruby_version}
@ -281,8 +278,8 @@ applications interfacing with AppArmor.
 %endif

 %package profiles
-License:        GPLv2 ; LGPLv2.1+
 Summary:        AppArmor profiles that are loaded into the apparmor kernel module
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Productivity/Security
 Requires:       apparmor-parser(CAP_SYSLOG)
 Obsoletes:      subdomain-profiles < %{version}
@ -299,8 +296,8 @@ This package is part of a suite of tools that used to be named
 SubDomain.

 %package utils
-License:        GPLv2 ; LGPLv2.1+
 Summary:        AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Productivity/Security
 Requires:       libapparmor1 = %{version}
 Requires:       perl = %{perl_version}
@ -316,8 +313,8 @@ It is part of a suite of tools that used to be named SubDomain.
 %if %{with tomcat}

 %package -n tomcat_apparmor
-License:        GPLv2 ; LGPLv2.1+
 Summary:        Tomcat 6 plugin for AppArmor change_hat
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          System/Libraries
 Requires:       libapparmor1 = %{version}
 Requires:       tomcat6
@ -334,8 +331,8 @@ created for individual URL processing or per servlet.
 %if %{with pam}

 %package -n pam_apparmor
-License:        GPLv2 ; LGPLv2.1+
 Summary:        PAM module for AppArmor change_hat
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Productivity/Security
 BuildRequires:  pam-devel
 PreReq:         pam
@ -354,8 +351,8 @@ policy.
 %if %{with dbus}

 %package dbus
-License:        GPLv2 ; LGPLv2.1+
 Summary:        Audit dispatcher for sending AppArmor events over DBUS
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          System/Monitoring

 %description dbus
@ -367,8 +364,8 @@ bus.
 %if %{with editor}

 %package profile-editor
-License:        GPLv2 ; LGPLv2.1+
 Summary:        AppArmor profile editor
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          Productivity/Editors/Other

 %description profile-editor
@ -379,8 +376,8 @@ A syntax highlighting editor for AppArmor profiles.
 %if %{with gnome}

 %package -n apparmorapplet-gnome
-License:        GPLv2 ; LGPLv2.1+
 Summary:        An AppArmor event notification applet for GNOME
+License:        GPL-2.0 ; LGPL-2.1+
 Group:          System/GUI/GNOME

 %description -n apparmorapplet-gnome
@ -404,7 +401,6 @@ SubDomain.

 %prep
 %setup -q -n %{name}-%{versiondir}
-%patch0 -p0
 %patch1 -p1
 %patch2 -p0
 %patch5 -p1