Accepting request 241137 from security:apparmor

- add apparmor-profiles-clustered-samba.diff to permit clustered Samba access to CTDB socket and databases (bnc#885317) - fix problems with dovecot and managesieve * usr.lib.dovecot.managesieve-login: network inet6 stream * usr.lib.dovecot.managesieve: +#include <tunables/dovecot> /usr/lib/dovecot/managesieve { #include <abstractions/base> + capability setgid, + capability setuid, + network inet stream, + network inet6 stream, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, - add #include <abstractions/wutmp> to usr.lib.dovecot.auth OBS-URL: https://build.opensuse.org/request/show/241137 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=68
2014-07-16 14:37:24 +00:00 · 2014-07-16 14:37:24 +00:00 · d0df32c0f5
commit d0df32c0f5
parent ec979659fe 432d74349e
6 changed files with 70 additions and 2 deletions
--- a/apparmor-profiles-clustered-samba.diff
+++ b/apparmor-profiles-clustered-samba.diff
@ -0,0 +1,10 @@
+=== modified file 'profiles/apparmor.d/abstractions/samba'
+--- profiles/apparmor.d/abstractions/samba	2013-12-23 21:15:47 +0000
+++ profiles/apparmor.d/abstractions/samba	2014-07-04 10:03:10 +0000
+@@ -20,3 +20,5 @@
+   /{,var/}run/samba/ w,
+   /{,var/}run/samba/*.tdb rw,
+ 
+  # required for clustering
+  /var/lib/ctdb/** rwk,
+
--- a/apparmor-profiles-dovecot-bnc851984.diff
+++ b/apparmor-profiles-dovecot-bnc851984.diff
@ -143,13 +143,14 @@ Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
 ===================================================================
 --- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig	2011-07-14 14:57:57.000000000 +0200
 +++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2014-01-26 15:48:52.228261212 +0100
-@@ -1,4 +1,15 @@
+@@ -1,6 +1,19 @@
 -# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 +#    Copyright (C) 2009-2011 Canonical Ltd.
 +#    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
@ -159,7 +160,18 @@ Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
 +# vim: ft=apparmor
 
 #include <tunables/global>
+
 /usr/lib/dovecot/managesieve-login {
+   #include <abstractions/base>
+   #include <abstractions/ssl_certs>
+@@ -11,6 +24,7 @@
+   capability sys_chroot,
+ 
+   network inet stream,
+  network inet6 stream,
+ 
+   /usr/lib/dovecot/managesieve-login mr,
+   /{,var/}run/dovecot/login/ r,
 Index: profiles/apparmor.d/usr.lib.dovecot.pop3
 ===================================================================
 --- profiles/apparmor.d/usr.lib.dovecot.pop3.orig	2011-08-27 01:12:10.000000000 +0200
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Thu Jul  3 14:45:14 UTC 2014 - ddiss@suse.com
+
+- add apparmor-profiles-clustered-samba.diff to permit clustered Samba
+  access to CTDB socket and databases (bnc#885317)
+
+-------------------------------------------------------------------
+Wed Jul  2 10:30:43 UTC 2014 - chris@computersalat.de
+
+- fix problems with dovecot and managesieve
+  * usr.lib.dovecot.managesieve-login: network inet6 stream
+  * usr.lib.dovecot.managesieve:
+    +#include <tunables/dovecot>
+      /usr/lib/dovecot/managesieve {
+       #include <abstractions/base>
+    +  capability setgid,
+    +  capability setuid,
+    +  network inet stream,
+    +  network inet6 stream,
+    +  @{DOVECOT_MAILSTORE}/ rw,
+    +  @{DOVECOT_MAILSTORE}/** rwkl,
+
+-------------------------------------------------------------------
+Fri Jun 27 17:47:40 UTC 2014 - chris@computersalat.de
+
+- add #include <abstractions/wutmp> to usr.lib.dovecot.auth
+
 -------------------------------------------------------------------
 Tue Apr  1 16:06:24 UTC 2014 - lmuelle@suse.com

--- a/apparmor.spec
+++ b/apparmor.spec
@ -2,6 +2,7 @@
 # spec file for package apparmor
 #
 # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011-2014 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -106,7 +107,7 @@ Patch6:         apparmor-init.py-gsoc.diff
 # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12:        apparmor-2.5.1-edirectory-profile

-# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359)
+# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359, [updated patch] r2549)
 Patch17:        apparmor-profiles-dovecot-bnc851984.diff

 # create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
@ -119,6 +120,9 @@ Patch22:        ruby-2_0-mkmf-destdir.patch
 # commited upstream trunk r2323, 2.8 branch r2110 - updated version commited trunk r2385, 2.8 r2123
 Patch23:        apparmor-2.8.2-nm-dnsmasq-config.patch

+# Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
+Patch24:        apparmor-profiles-clustered-samba.diff
+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -502,6 +506,8 @@ SubDomain.
 %patch23
 %endif

+%patch24
+
 # profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
 test ! -e profiles/apparmor.d/usr.sbin.winbindd
 cp %{SOURCE10} profiles/apparmor.d/
--- a/usr.lib.dovecot.auth
+++ b/usr.lib.dovecot.auth
@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@ -16,6 +17,7 @@
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>

  deny capability block_suspend,

--- a/usr.lib.dovecot.managesieve
+++ b/usr.lib.dovecot.managesieve
@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@ -10,10 +11,20 @@
 # vim: ft=apparmor

 #include <tunables/global>
+#include <tunables/dovecot>

 /usr/lib/dovecot/managesieve {
  #include <abstractions/base>

+  capability setgid,
+  capability setuid,
+
+  network inet stream,
+  network inet6 stream,
+
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
  /etc/dovecot/** r,
  /usr/bin/doveconf rix,
  /usr/lib/dovecot/managesieve mrix,