From 778bd0c3fa9e7592ac7f2b54f4aaccfc8a0f98cbd8e73452a6925ebd31249684 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Wed, 10 Oct 2018 18:00:10 +0000 Subject: [PATCH 1/3] Accepting request 640981 from home:pevik:branches:security:apparmor - Backport dnsmasq fix: 025c7dc6 ("dnsmasq: Add permission to open log files") (boo#1111342) OBS-URL: https://build.opensuse.org/request/show/640981 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=220 --- apparmor.changes | 7 +++++ apparmor.spec | 4 +++ ...asq-Add-permission-to-open-log-files.patch | 28 +++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 dnsmasq-Add-permission-to-open-log-files.patch diff --git a/apparmor.changes b/apparmor.changes index 585be86..5333613 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Oct 10 09:49:17 UTC 2018 - Petr Vorel + +- Backport dnsmasq fix: + 025c7dc6 ("dnsmasq: Add permission to open log files") + (boo#1111342) + ------------------------------------------------------------------- Wed Aug 22 11:32:59 UTC 2018 - suse-beta@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 02909bc..d265b31 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -77,6 +77,9 @@ Patch11: fix-samba-profiles.patch # SR 629206 - make pyflakes 2.0 happy (unused variable) Patch12: make-pyflakes-happy.diff +# boo#1111342 Backport fix for dnsmasq into Tumbleweed (add permission to open log files) +Patch13: dnsmasq-Add-permission-to-open-log-files.patch + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor @@ -369,6 +372,7 @@ SubDomain. %patch10 %patch11 -p1 %patch12 -p1 +%patch13 -p1 %build export SUSE_ASNEEDED=0 diff --git a/dnsmasq-Add-permission-to-open-log-files.patch b/dnsmasq-Add-permission-to-open-log-files.patch new file mode 100644 index 0000000..bf11f0e --- /dev/null +++ b/dnsmasq-Add-permission-to-open-log-files.patch @@ -0,0 +1,28 @@ +From 025c7dc6a131da24c31e41ad32753015a0ec0f76 Mon Sep 17 00:00:00 2001 +From: Petr Vorel +Date: Mon, 8 Oct 2018 16:44:01 +0200 +Subject: [PATCH] dnsmasq: Add permission to open log files + +--log-facility option needs to have permission to open files. +Use '*' to allow using more files (for using more dnsmasq instances). + +Signed-off-by: Petr Vorel +Signed-off-by: Jamie Strandboge +Signed-off-by: Steve Beattie +--- + profiles/apparmor.d/usr.sbin.dnsmasq | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq +index 2b4b1bfc..f2e6847d 100644 +--- a/profiles/apparmor.d/usr.sbin.dnsmasq ++++ b/profiles/apparmor.d/usr.sbin.dnsmasq +@@ -43,6 +43,8 @@ + + /usr/sbin/dnsmasq mr, + ++ /var/log/*dnsmasq.log w, ++ + /{,var/}run/*dnsmasq*.pid w, + /{,var/}run/dnsmasq-forwarders.conf r, + /{,var/}run/dnsmasq/ r, From 25eea3896149f96c02118981e1cd73d5ed128e16c457c99cc098f1f21b04d77f Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Wed, 10 Oct 2018 18:49:23 +0000 Subject: [PATCH 2/3] Accepting request 641131 from home:cboltz - update rpmlintrc: - whitelist .features file which is part of the pre-compiled cache - comment out filters for the disabled tomcat_apparmor subpackage OBS-URL: https://build.opensuse.org/request/show/641131 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=221 --- apparmor-rpmlintrc | 10 +++++++--- apparmor.changes | 7 +++++++ apparmor.spec | 4 ++-- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/apparmor-rpmlintrc b/apparmor-rpmlintrc index ee2c467..dbff758 100644 --- a/apparmor-rpmlintrc +++ b/apparmor-rpmlintrc @@ -1,3 +1,7 @@ -addFilter("devel-file-in-non-devel-package.*/usr/lib64/libJNIChangeHat.so") -addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so") -addFilter("shlib-policy-name-error.*libJNIChangeHat0") +# .features file for pre-compiled cache +addFilter("hidden-file-or-dir /usr/share/apparmor/cache/[0-9a-f]*.0/.features") + +# warnings for the disabled tomcat_apparmor subpackage +# addFilter("devel-file-in-non-devel-package.*/usr/lib63/libJNIChangeHat.so") +# addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so") +# addFilter("shlib-policy-name-error.*libJNIChangeHat0") diff --git a/apparmor.changes b/apparmor.changes index 5333613..266fe13 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Oct 10 18:01:16 UTC 2018 - Christian Boltz + +- update rpmlintrc: + - whitelist .features file which is part of the pre-compiled cache + - comment out filters for the disabled tomcat_apparmor subpackage + ------------------------------------------------------------------- Wed Oct 10 09:49:17 UTC 2018 - Petr Vorel diff --git a/apparmor.spec b/apparmor.spec index d265b31..11a302f 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -74,10 +74,10 @@ Patch10: logprof-skip-cache-d.diff # bug 1092099 - Allow smbd to load new shared libraries. Allow Winbindd to read and write new kerberos cache location (accepted upstream 2018-05-09 https://gitlab.com/apparmor/apparmor/merge_requests/121 - slightly different patch) Patch11: fix-samba-profiles.patch -# SR 629206 - make pyflakes 2.0 happy (unused variable) +# SR 629206 - make pyflakes 2.0 happy (unused variable) (accepted upstream 2018-08-22) Patch12: make-pyflakes-happy.diff -# boo#1111342 Backport fix for dnsmasq into Tumbleweed (add permission to open log files) +# boo#1111342 Backport fix for dnsmasq into Tumbleweed (add permission to open log files) (from upstream 2018-10-08) Patch13: dnsmasq-Add-permission-to-open-log-files.patch PreReq: sed From d7630ac7d00d19e0a16ccd4bef85818873d9eca631d6ee818a44fb9c42448038 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Wed, 10 Oct 2018 18:56:55 +0000 Subject: [PATCH 3/3] add patch name to .changes OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=222 --- apparmor.changes | 2 +- apparmor.spec | 2 +- libapparmor.spec | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.changes b/apparmor.changes index 266fe13..0d7cc3e 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -9,7 +9,7 @@ Wed Oct 10 18:01:16 UTC 2018 - Christian Boltz Wed Oct 10 09:49:17 UTC 2018 - Petr Vorel - Backport dnsmasq fix: - 025c7dc6 ("dnsmasq: Add permission to open log files") + 025c7dc6 - dnsmasq-Add-permission-to-open-log-files.patch (boo#1111342) ------------------------------------------------------------------- diff --git a/apparmor.spec b/apparmor.spec index 11a302f..074be5e 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -13,7 +13,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # diff --git a/libapparmor.spec b/libapparmor.spec index ef56254..8aa4ed3 100644 --- a/libapparmor.spec +++ b/libapparmor.spec @@ -13,7 +13,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ #