From 06f70bd7e306d4117c28f5d662f6f40b69ee4316025073b60fd9c7c6333b65f9 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Tue, 15 Jul 2014 21:37:38 +0000
Subject: [PATCH 1/2] Accepting request 239579 from home:dmdiss:bnc885317_clustered_samba_apparmor

- add apparmor-profiles-clustered-samba.diff to permit clustered Samba
 access to CTDB socket and databases (bnc#885317)
OBS-URL: https://build.opensuse.org/request/show/239579
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=87
---
 apparmor-profiles-clustered-samba.diff | 10 ++++++++++
 apparmor.changes | 6 ++++++
 apparmor.spec | 5 +++++
 3 files changed, 21 insertions(+)
 create mode 100644 apparmor-profiles-clustered-samba.diff

diff --git a/apparmor-profiles-clustered-samba.diff b/apparmor-profiles-clustered-samba.diff
new file mode 100644
index 0000000..8cfff88
--- /dev/null
+++ b/apparmor-profiles-clustered-samba.diff
@@ -0,0 +1,10 @@
+=== modified file 'profiles/apparmor.d/abstractions/samba'
+--- profiles/apparmor.d/abstractions/samba 2013-12-23 21:15:47 +0000
++++ profiles/apparmor.d/abstractions/samba 2014-07-04 10:03:10 +0000
+@@ -20,3 +20,5 @@
+ /{,var/}run/samba/ w,
+ /{,var/}run/samba/*.tdb rw,
+
++ # required for clustering
++ /var/lib/ctdb/** rwk,
+
diff --git a/apparmor.changes b/apparmor.changes
index 8f28049..fd1239c 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul 3 14:45:14 UTC 2014 - ddiss@suse.com
+
+- add apparmor-profiles-clustered-samba.diff to permit clustered Samba
+ access to CTDB socket and databases (bnc#885317)
+
 -------------------------------------------------------------------
 Tue Apr 1 16:06:24 UTC 2014 - lmuelle@suse.com
diff --git a/apparmor.spec b/apparmor.spec
index 86a4029..99d226d 100644
--- a/apparmor.spec
+++ b/apparmor.spec
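Review bot: `/var/lib/ctdb/** rwk,` is added to the shared `abstractions/samba`, so every profile that includes that abstraction, not only the clustered smbd, gains write and lock access to every file and subdirectory under the CTDB state tree. If only the daemons that actually talk to CTDB need it, the rule belongs in their profiles, or it should be narrowed to the database files a clustered node is observed to open. The commit message also mentions the CTDB socket; if that socket is not located under /var/lib/ctdb on this distribution, this rule does not cover it and a separate rule is needed — worth confirming against the packaged ctdb configuration. The `# required for clustering` comment could say what is being granted, e.g. `# CTDB databases, needed when Samba runs clustered (bnc#885317)`.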
@@ -119,6 +119,9 @@ Patch22: ruby-2_0-mkmf-destdir.patch
 # commited upstream trunk r2323, 2.8 branch r2110 - updated version commited trunk r2385, 2.8 r2123
 Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch
+# Permit clustered Samba access to CTDB socket and databases (bnc#885317)
+Patch24: apparmor-profiles-clustered-samba.diff
+
 Url: https://launchpad.net/apparmor
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -502,6 +505,8 @@ SubDomain.
 %patch23
 %endif
+%patch24
+
 # profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
 test ! -e profiles/apparmor.d/usr.sbin.winbindd
 cp %{SOURCE10} profiles/apparmor.d/
From 432d74349ebb0a1a8310436d9e5270442dfea0685739e191ec407dfc9a12e72b Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Tue, 15 Jul 2014 22:04:34 +0000
Subject: [PATCH 2/2] Manual merge of SR 239282 by computersalat, with the exception of adding /srv/maildirs/ to tunables/dovecot. Also update upstream commits in apparmor.spec patch notes.

- fix problems with dovecot and managesieve
 * usr.lib.dovecot.managesieve-login: network inet6 stream
 * usr.lib.dovecot.managesieve:
 +#include
 /usr/lib/dovecot/managesieve {
 #include
 + capability setgid,
 + capability setuid,
 + network inet stream,
 + network inet6 stream,
 + @{DOVECOT_MAILSTORE}/ rw,
 + @{DOVECOT_MAILSTORE}/** rwkl,
- add #include to usr.lib.dovecot.auth
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=88
---
 apparmor-profiles-dovecot-bnc851984.diff | 14 +++++++++++++-
 apparmor.changes | 21 +++++++++++++++++++++
 apparmor.spec | 5 +++--
 usr.lib.dovecot.auth | 2 ++
 usr.lib.dovecot.managesieve | 11 +++++++++++
 5 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/apparmor-profiles-dovecot-bnc851984.diff b/apparmor-profiles-dovecot-bnc851984.diff
index b0e34f6..8fdfd71 100644
--- a/apparmor-profiles-dovecot-bnc851984.diff
+++ b/apparmor-profiles-dovecot-bnc851984.diff
@@ -143,13 +143,14 @@ Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login =================================================================== --- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig 2011-07-14 14:57:57.000000000 +0200 +++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-26 15:48:52.228261212 +0100 -@@ -1,4 +1,15 @@ +@@ -1,6 +1,19 @@ -# Author: Dulmandakh Sukhbaatar +# ------------------------------------------------------------------ +# +# Copyright (c) 2009 Dulmandakh Sukhbaatar +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2013 Christian Boltz ++# Copyright (C) 2014 Christian Wittmer +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public @@ -159,7 +160,18 @@ Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login +# vim: ft=apparmor #include ++ /usr/lib/dovecot/managesieve-login { + #include + #include +@@ -11,6 +24,7 @@ + capability sys_chroot, + + network inet stream, ++ network inet6 stream, + + /usr/lib/dovecot/managesieve-login mr, + /{,var/}run/dovecot/login/ r, Index: profiles/apparmor.d/usr.lib.dovecot.pop3 =================================================================== --- profiles/apparmor.d/usr.lib.dovecot.pop3.orig 2011-08-27 01:12:10.000000000 +0200 diff --git a/apparmor.changes b/apparmor.changes index fd1239c..e23eb47 100644 --- a/apparmor.changes +++ b/apparmor.changes 
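Review bot: The inner hunk header is changed from `@@ -1,4 +1,15 @@` to `@@ -1,6 +1,19 @@`, which suggests the line counts of the nested patch were adjusted by hand as part of the manual merge; if either count disagrees with the real number of lines in that inner hunk, `patch` rejects it when `%patch17` runs, so the file is safer regenerated from the profile tree (quilt refresh or a fresh diff) than edited in place. The second hunk adds `network inet6 stream,` next to the existing `network inet stream,` for managesieve-login, which is consistent with the inet6 rule added to the managesieve profile in the same commit. The nested diff for usr.lib.dovecot.managesieve-login continues outside these hunks.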
@@ -4,6 +4,27 @@ Thu Jul 3 14:45:14 UTC 2014 - ddiss@suse.com
 - add apparmor-profiles-clustered-samba.diff to permit clustered Samba
 access to CTDB socket and databases (bnc#885317)
+-------------------------------------------------------------------
+Wed Jul 2 10:30:43 UTC 2014 - chris@computersalat.de
+
+- fix problems with dovecot and managesieve
+ * usr.lib.dovecot.managesieve-login: network inet6 stream
+ * usr.lib.dovecot.managesieve:
+ +#include
+ /usr/lib/dovecot/managesieve {
+ #include
+ + capability setgid,
+ + capability setuid,
+ + network inet stream,
+ + network inet6 stream,
+ + @{DOVECOT_MAILSTORE}/ rw,
+ + @{DOVECOT_MAILSTORE}/** rwkl,
+
+-------------------------------------------------------------------
+Fri Jun 27 17:47:40 UTC 2014 - chris@computersalat.de
+
+- add #include to usr.lib.dovecot.auth
+
 -------------------------------------------------------------------
 Tue Apr 1 16:06:24 UTC 2014 - lmuelle@suse.com
diff --git a/apparmor.spec b/apparmor.spec
index 99d226d..9a01109 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -2,6 +2,7 @@
 # spec file for package apparmor
 #
 # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011-2014 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -106,7 +107,7 @@ Patch6: apparmor-init.py-gsoc.diff
 # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12: apparmor-2.5.1-edirectory-profile
-# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359)
+# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359, [updated patch] r2549)
 Patch17: apparmor-profiles-dovecot-bnc851984.diff
 # create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
@@ -119,7 +120,7 @@ Patch22: ruby-2_0-mkmf-destdir.patch
 # commited upstream trunk r2323, 2.8 branch r2110 - updated version commited trunk r2385, 2.8 r2123
 Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch
-# Permit clustered Samba access to CTDB socket and databases (bnc#885317)
+# Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
 Patch24: apparmor-profiles-clustered-samba.diff
 Url: https://launchpad.net/apparmor
diff --git a/usr.lib.dovecot.auth b/usr.lib.dovecot.auth
index 71ffaf5..1953a31 100644
--- a/usr.lib.dovecot.auth
+++ b/usr.lib.dovecot.auth
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 # Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -16,6 +17,7 @@
 #include
 #include
 #include
+ #include
 deny capability block_suspend,
diff --git a/usr.lib.dovecot.managesieve b/usr.lib.dovecot.managesieve
index a0e6142..6aa98e7 100644
--- a/usr.lib.dovecot.managesieve
+++ b/usr.lib.dovecot.managesieve
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 # Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -10,10 +11,20 @@
 # vim: ft=apparmor
 #include
+#include
 /usr/lib/dovecot/managesieve {
 #include
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
 /etc/dovecot/** r,
 /usr/bin/doveconf rix,
 /usr/lib/dovecot/managesieve mrix,
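Review bot: `@{DOVECOT_MAILSTORE}/** rwkl,` in the managesieve profile grants write, lock and link rights over the whole mail store, and the new `capability setuid,`/`capability setgid,` let the process switch to any uid/gid; if sieve scripts are kept in one subdirectory of the user's mail location, the path could be narrowed to that location, and `l` dropped unless the service is observed creating hard links there — worth checking against the configured sieve storage before this lands. `@{DOVECOT_MAILSTORE}` is only defined if the `#include` added at the top of the file (its target is not legible in this rendering, presumably the tunables/dovecot file the commit message mentions) is installed; a missing include makes the whole profile fail to load, so the spec should ship that tunable with the profile. A one-line comment above the capability rules stating why they are needed, e.g. `# the service switches to the mail user's uid/gid after login — confirm`, would record the reasoning for the next reviewer.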