Accepting request 941547 from security:apparmor

- add openssl-engdef-mr818.diff: Allow reading /etc/ssl/engdef.d/ and /etc/ssl/engines.d/ in abstractions/openssl which were introduced with the latest openssl update NOTE: Without this patch, dovecot is spamming the audit.log with denials. Please accept ASAP. OBS-URL: https://build.opensuse.org/request/show/941547 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=160
2021-12-20 20:06:09 +00:00 · 2021-12-20 20:06:09 +00:00 · f9bc91dbb4
commit f9bc91dbb4
parent 64fa1fa1ae 880c63e84b
3 changed files with 37 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Dec 19 21:42:54 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
+
+- add openssl-engdef-mr818.diff: Allow reading /etc/ssl/engdef.d/ and
+  /etc/ssl/engines.d/ in abstractions/openssl which were introduced
+  with the latest openssl update
+
 -------------------------------------------------------------------
 Tue Nov  9 17:45:22 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -87,6 +87,9 @@ Patch8:         add-samba-bgqd.diff
 # aa-notify: Add support for reading s390x and aarch64 wtmp file (boo#1181155) (merged upstream 2021-11-08 in master and 3.0 branch - https://gitlab.com/apparmor/apparmor/-/merge_requests/809)
 Patch9:         aa-notify-more-arch-mr809.diff

+# allow reading /etc/ssl/engdef.d/ and /etc/ssl/engines.d/ in abstractions/openssl (submitted upstream 2021-12-19 - https://gitlab.com/apparmor/apparmor/-/merge_requests/818)
+Patch10:        openssl-engdef-mr818.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -352,6 +355,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1

 %build
 %define _lto_cflags %{nil}
--- a/openssl-engdef-mr818.diff
+++ b/openssl-engdef-mr818.diff
@ -0,0 +1,26 @@
+(context lines adjusted to match 3.0 branch)
+
+From e58dd798f09c1df6f8de42f64d07221d34adfc87 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Sun, 19 Dec 2021 22:36:05 +0100
+Subject: [PATCH] abstractions/openssl: allow /etc/ssl/{engdef,engines}.d/
+
+These directories were introduced in openssl in
+https://patchwork.ozlabs.org/project/openwrt/patch/20210429153530.10020-2-cotequeiroz@gmail.com/
+---
+ profiles/apparmor.d/abstractions/openssl | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: profiles/apparmor.d/abstractions/openssl
+===================================================================
+--- a/profiles/apparmor.d/abstractions/openssl.orig	2021-12-19 22:51:13.837139097 +0100
+++ b/profiles/apparmor.d/abstractions/openssl	2021-12-19 22:52:05.845049787 +0100
+@@ -12,6 +12,8 @@
+ 
+   /etc/ssl/openssl.cnf r,
+   /usr/share/ssl/openssl.cnf r,
+  /etc/ssl/{engdef,engines}.d/ r,
+  /etc/ssl/{engdef,engines}.d/*.cnf r,
+   @{PROC}/sys/crypto/fips_enabled r,
+ 
+