Accepting request 297855 from home:cboltz

- make sure %service_del_postun doesn't call systemctl try-restart
  (boo#853019, bare systemd edition)
- add samba-4.2-profiles.diff: update samba (winbindd and nmb)
  profiles for samba 4.2 (boo#921098, boo#923201)

OBS-URL: https://build.opensuse.org/request/show/297855
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=129

apparmor.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Apr 17 18:46:08 UTC 2015 - opensuse@cboltz.de
+
+- make sure %service_del_postun doesn't call systemctl try-restart
+  (boo#853019, bare systemd edition)
+- add samba-4.2-profiles.diff: update samba (winbindd and nmb)
+  profiles for samba 4.2 (boo#921098, boo#923201)
+
 -------------------------------------------------------------------
 Sun Apr 12 21:13:23 UTC 2015 - opensuse@cboltz.de
 
@@ -6,8 +14,8 @@ Sun Apr 12 21:13:23 UTC 2015 - opensuse@cboltz.de
 -------------------------------------------------------------------
 Wed Apr  1 03:47:44 UTC 2015 - crrodriguez@opensuse.org
 
-- Add a native systemd unit which *at the moment* only 
- wraps/masks the early boot script.
+- Add a native systemd unit which *at the moment* only
+  wraps/masks the early boot script.
 
 -------------------------------------------------------------------
 Tue Feb 24 13:19:10 UTC 2015 - rguenther@suse.com

apparmor.spec

@@ -103,6 +103,9 @@ Patch8:         apparmor-changes-since-2.9.1.diff
 # fix build with GCC 5 due to bad ostream use
 Patch9:         apparmor-fix-stl-ostream.diff
 
+# update samba (winbindd and nmb) profiles for samba 4.2 (boo#921098, boo#923201)
+Patch10:        samba-4.2-profiles.diff
+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -450,6 +453,7 @@ SubDomain.
 %patch7 -p1
 %patch8
 %patch9
+%patch10
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
 
@@ -875,6 +879,8 @@ fi
 %endif
 
 %if 0%{?suse_version} > 1320
+# don't call try-restart, see bnc#853019
+export DISABLE_RESTART_ON_UPDATE="yes"
 %service_del_postun apparmor.service
 %endif
 

samba-4.2-profiles.diff

@@ -0,0 +1,40 @@
+Index: profiles/apparmor.d/abstractions/samba
+===================================================================
+--- profiles/apparmor.d/abstractions/samba.orig	2014-07-04 12:09:58.000000000 +0200
++++ profiles/apparmor.d/abstractions/samba	2015-04-17 21:24:22.463107165 +0200
+@@ -13,7 +13,7 @@
+   /usr/share/samba/*.dat r,
+   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+   /var/cache/samba/ w,
+-  /var/lib/samba/**.tdb rwk,
++  /var/lib/samba/** rwk,
+   /var/log/samba/cores/ rw,
+   /var/log/samba/cores/** rw,
+   /var/log/samba/log.* w,
+Index: profiles/apparmor.d/usr.sbin.winbindd
+===================================================================
+--- profiles/apparmor.d/usr.sbin.winbindd.orig	2014-04-21 22:10:51.000000000 +0200
++++ profiles/apparmor.d/usr.sbin.winbindd	2015-04-17 21:26:56.262142786 +0200
+@@ -10,8 +10,12 @@
+   capability ipc_lock,
+   capability setuid,
+ 
++  /etc/samba/netlogon_creds_cli.tdb rwk,
+   /etc/samba/passdb.tdb{,.tmp} rwk,
+   /etc/samba/secrets.tdb rwk,
++  /etc/samba/smbd.tmp/ rw,
++  /etc/samba/smbd.tmp/msg/ rw,
++  /etc/samba/smbd.tmp/msg/* rw,
+   @{PROC}/sys/kernel/core_pattern r,
+   /tmp/.winbindd/ w,
+   /tmp/krb5cc_* rwk,
+@@ -21,9 +25,6 @@
+   /usr/sbin/winbindd mr,
+   /var/cache/krb5rcache/* rw,
+   /var/cache/samba/*.tdb rwk,
+-  /var/lib/samba/smb_krb5/krb5.conf.* rw,
+-  /var/lib/samba/smb_tmp_krb5.* rw,
+-  /var/lib/samba/winbindd_cache.tdb* rwk,
+   /var/log/samba/log.winbindd rw,
+   /{var/,}run/samba/winbindd.pid rwk,
+   /{var/,}run/samba/winbindd/ rw,