Accepting request 58682 from security:apparmor:factory
Accepted submit request 58682 from user coolo OBS-URL: https://build.opensuse.org/request/show/58682 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=3
parent
dd71394031
commit
cb8cbecbf9
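--- a/apparmor-2.5.1-ntpd-sys_nice
+++ b/apparmor-2.5.1-ntpd-sys_nice
@@ -0,0 +1,24 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: profile: ntpd -N needs sys_nice
+References: bnc#657054
+
+ntpd -N allows the administrator to increase or decrease priority of the
+ntp server. Since the profile doesn't allow it, the operation is denied.
+
+This patch adds support for that operation.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+profiles/apparmor.d/usr.sbin.ntpd | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/profiles/apparmor.d/usr.sbin.ntpd
++++ b/profiles/apparmor.d/usr.sbin.ntpd
+@@ -25,6 +25,7 @@
+capability sys_chroot,
+capability sys_resource,
+capability sys_time,
++ capability sys_nice,
+
+network inet dgram,
+network inet stream,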
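Review bot: `capability sys_nice` on the added line grants more than the priority change that `ntpd -N` performs: the capability also covers changing the scheduling policy and priority of other processes and setting CPU affinity, and the profile language cannot narrow it. That is probably an acceptable trade for a confined time daemon, but the line carries no comment saying why it is there. I would add `# ntpd -N adjusts its own scheduling priority (bnc#657054)` directly above it, so a later audit of the profile does not have to recover the reason from the patch header. The profile body starts and ends outside this hunk, so whether other rules already constrain ntpd further cannot be seen here.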
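--- a/apparmor-2.5.1-ssl-fix
+++ b/apparmor-2.5.1-ssl-fix
@@ -0,0 +1,135 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: profiles: Add openssl abstraction
+References: bnc#623886
+
+Profiles that use openssl have been adding the openssl files piecemeal.
+
+This patch creates a new openssl abstraction that can be inherited by
+all profiles that use it.
+
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+profiles/apparmor.d/abstractions/openssl | 4 ++++
+profiles/apparmor.d/abstractions/ssl_certs | 4 ++++
+profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +-
+profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +-
+profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +-
+profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +-
+profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +-
+profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +-
+8 files changed, 14 insertions(+), 6 deletions(-)
+
+--- /dev/null
++++ b/profiles/apparmor.d/abstractions/openssl
+@@ -0,0 +1,4 @@
++
++ /etc/ssl/openssl.cnf r,
++ /usr/share/ssl/openssl.cnf r,
++
+--- a/profiles/apparmor.d/abstractions/ssl_certs
++++ b/profiles/apparmor.d/abstractions/ssl_certs
+@@ -15,3 +15,7 @@
+/etc/ssl/certs/* r,
+/usr/share/ca-certificates/ r,
+/usr/share/ca-certificates/** r,
++ /usr/share/ssl/certs/ca-bundle.crt r,
++
++ /usr/share/ca-certificates/mozilla/ r,
++ /usr/share/ca-certificates/mozilla/* r,
+--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
++++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+@@ -16,6 +16,7 @@
+#include <abstractions/nameservice>
+#include <abstractions/kerberosclient>
+#include <program-chunks/postfix-common>
++ #include <abstractions/openssl>
+
+capability dac_override,
+capability dac_read_search,
+@@ -39,7 +40,6 @@
+/etc/postfix/{ssl/,}*.pem r,
+/etc/postfix/prng_exch rw,
+/usr/share/ssl/certs/ca-bundle.crt r,
+- /usr/share/ssl/openssl.cnf r,
+/etc/postfix/virtual.db r,
+/etc/postfix/sasl_passwd.db r,
+/etc/mtab r,
+--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
++++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+@@ -16,6 +16,7 @@
+#include <abstractions/nameservice>
+#include <abstractions/kerberosclient>
+#include <program-chunks/postfix-common>
++ #include <abstractions/openssl>
+
+capability dac_override,
+capability dac_read_search,
+@@ -44,7 +45,6 @@
+/usr/lib/sasl2/* mr,
+
+/usr/share/ssl/certs/ca-bundle.crt r,
+- /usr/share/ssl/openssl.cnf r,
+
+/{var/spool/postfix/,}pid/inet.* rw,
+/{var/spool/postfix/,}private/anvil w,
+--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
++++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+@@ -18,6 +18,7 @@
+#include <abstractions/kerberosclient>
+#include <abstractions/nameservice>
+#include <abstractions/perl>
++ #include <abstractions/openssl>
+
+capability kill,
+capability net_bind_service,
+@@ -84,7 +85,6 @@
+/usr/share/snmp/mibs r,
+/usr/share/snmp/mibs/*.{txt,mib} r,
+/usr/share/snmp/mibs/.index wr,
+- /usr/share/ssl/openssl.cnf r,
+/var/lock/httpd2.lock.* wl,
+/var/log/apache2/* rwl,
+/var/log/httpd/ssl_scache.dir r,
+--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
++++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
+@@ -16,10 +16,10 @@
+#include <abstractions/nameservice>
+#include <abstractions/authentication>
+#include <abstractions/user-mail>
++ #include <abstractions/openssl>
+
+/dev/urandom r,
+/tmp/* rwl,
+/usr/sbin/imapd r,
+/usr/share/ssl/certs/imapd.pem r,
+- /usr/share/ssl/openssl.cnf r,
+}
+--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
++++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+@@ -16,10 +16,10 @@
+#include <abstractions/nameservice>
+#include <abstractions/authentication>
+#include <abstractions/user-mail>
++ #include <abstractions/openssl>
+
+/dev/urandom r ,
+/tmp/.* rwl ,
+/usr/sbin/ipop2d rmix,
+/usr/share/ssl/certs/ipop2d.pem r ,
+- /usr/share/ssl/openssl.cnf r ,
+}
+--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
++++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+@@ -16,10 +16,10 @@
+#include <abstractions/nameservice>
+#include <abstractions/authentication>
+#include <abstractions/user-mail>
++ #include <abstractions/openssl>
+
+/dev/urandom r ,
+/tmp/.* rwl ,
+/usr/sbin/ipop3d rmix,
+/usr/share/ssl/certs/ipop3d.pem r ,
+- /usr/share/ssl/openssl.cnf r ,
+}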
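Review bot: In the ssl_certs hunk the two added rules `/usr/share/ca-certificates/mozilla/ r,` and `/usr/share/ca-certificates/mozilla/* r,` look redundant, because the context lines just above already allow `/usr/share/ca-certificates/ r,` and `/usr/share/ca-certificates/** r,`, and `**` should match the mozilla directory and everything beneath it. Dropping them would keep the abstraction shorter to audit. The only rule there that widens access is `/usr/share/ssl/certs/ca-bundle.crt r,`, and it does so for every profile that includes ssl_certs. The new abstractions/openssl file has no header comment; a first line such as `# read-only access to the system-wide OpenSSL configuration` would tell includers what they inherit. The patch subject names only the openssl abstraction, so the ssl_certs change deserves its own sentence in the description.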
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 18 10:51:33 UTC 2011 - coolo@novell.com
|
||||
|
||||
- fix rm call for nscd profile to avoid file conflict
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 11 15:24:16 CET 2011 - jeffm@suse.de
|
||||
|
||||
- profiles: Add openssl abstraction (bnc#623886).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 11 15:12:45 CET 2011 - jeffm@suse.de
|
||||
|
||||
- Added support for sys_nice to ntpd profile (bnc#657054).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 10 19:27:01 CET 2011 - jeffm@suse.de
|
||||
|
||||
|
@ -46,7 +46,7 @@ Name: apparmor
|
||||
%endif
|
||||
Summary: AppArmor userlevel parser utility
|
||||
Version: 2.5.1
|
||||
Release: 1
|
||||
Release: 42
|
||||
Group: Productivity/Networking/Security
|
||||
Source0: apparmor-%{version}.tar.bz2
|
||||
Source1: %{name}-profile-editor.png
|
||||
@ -85,6 +85,8 @@ Patch29: apparmor-2.5.1-fix-parser-use-after-free
|
||||
Patch30: apparmor-2.5.1-ldapclient-profile
|
||||
Patch31: apparmor-utils-support-newer-auditd-formatted-messages
|
||||
Patch32: fix-two-x-transition-conflict-bugs
|
||||
Patch33: apparmor-2.5.1-ntpd-sys_nice
|
||||
Patch34: apparmor-2.5.1-ssl-fix
|
||||
License: GPLv2+
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Url: https://launchpad.net/apparmor
|
||||
@ -485,6 +487,8 @@ SubDomain.
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
|
||||
%build
|
||||
export SUSE_ASNEEDED=0
|
||||
@ -585,7 +589,7 @@ for pkg in apparmor-utils apparmor-parser; do
|
||||
done
|
||||
|
||||
# Clean up profiles that are provided by other packages now
|
||||
rm -f $RPM_BUILD_DIR%{_sysconfdir}/apparmor.d/usr.sbin.nscd
|
||||
rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
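Review bot: The cleanup line `rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd` runs without `-f`, so %install fails if the tarball stops shipping that profile; this assumes it is the new side of the pair, which the changelog entry "fix rm call for nscd profile" suggests. That is a reasonable way to notice a stale cleanup line, but the comment above it does not say the failure is intended. I would extend it to `# Clean up profiles that are provided by other packages now; rm without -f so a missing file fails the build` and quote the path, `rm "$RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd"`. The file header for this section is not visible on the page.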