Accepting request 453151 from home:cboltz
- update to AppArmor 2.11.0
- apparmor_parser now supports parallel compiles and loads
- add full support for dbus, ptrace and signal rules and events to the utils
- full rewrite of the file rule handling in the utils
- lots of improvements and fixes
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the detailed changelog
- patches:
- add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
- drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
- refresh apparmor-abstractions-no-multiline.diff
- refresh apparmor-samba-include-permissions-for-shares.diff
- spec changes:
- aa-unconfined switched to using ss (from iproute2), adjust Recommends:
- move libapparmor to /usr/lib*/
- drop %if %suse_version checks for 12.x
- change several Obsoletes from %version to < 2.9. Those package names weren't used since years, and 2.9 is still a careful choice
- include apparmor.service independent of %suse_version
- techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
- drop latex2html, texlive-* and w3m BuildRequires
- techdoc.txt and techdoc.html not included, drop them from the package
- run most of utils/ make check (some tests expect /etc/apparmor.d/ and /sbin/apparmor_parser to exist, skip them)
- BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
- drop sed'ing python3 into aa-* shebang (upstreamed)
- build binutils
- aa-exec is now written in C and lives in /usr/bin/, move it to the apparmor_parser package and create a compatibility symlink in /usr/sbin/
- aa-exec manpage moved to section 1
- aa-enabled is a small new tool to find out if AppArmor is enabled
- package new aa_stack_profile(2) manpage

OBS-URL: https://build.opensuse.org/request/show/453151
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=165
parent 99869c0576
commit fcc884a7e3
@ -1,39 +0,0 @@
|
|||||||
------------------------------------------------------------
|
|
||||||
revno: 3380
|
|
||||||
committer: Steve Beattie <sbeattie@ubuntu.com>
|
|
||||||
branch nick: 2.10
|
|
||||||
timestamp: Mon 2017-01-09 09:22:58 -0800
|
|
||||||
message:
|
|
||||||
Subject: utils/aa-unconfined: fix netstat invocation regression
|
|
||||||
|
|
||||||
It was reported that converting the netstat command to examine
|
|
||||||
processes bound to ipv6 addresses broke on OpenSUSE due to the version
|
|
||||||
of nettools not supporting the short -4 -6 arguments.
|
|
||||||
|
|
||||||
This patch fixes the invocation of netstat to use the "--protocol
|
|
||||||
inet,inet6" arguments instead, which should return the same results
|
|
||||||
as the short options.
|
|
||||||
|
|
||||||
Signed-off-by: Steve Beattie <steve@nxnw.org>
|
|
||||||
Acked-by: Christian Boltz <apparmor@cboltz.de>
|
|
||||||
|
|
||||||
|
|
||||||
=== modified file 'utils/aa-unconfined'
|
|
||||||
--- utils/aa-unconfined 2016-12-05 09:21:27 +0000
|
|
||||||
+++ utils/aa-unconfined 2017-01-09 17:22:58 +0000
|
|
||||||
@@ -46,10 +46,10 @@
|
|
||||||
regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
|
|
||||||
import subprocess
|
|
||||||
if sys.version_info < (3, 0):
|
|
||||||
- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
|
|
||||||
+ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
|
|
||||||
else:
|
|
||||||
#Python3 needs to translate a stream of bytes to string with specified encoding
|
|
||||||
- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
|
|
||||||
+ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
|
|
||||||
|
|
||||||
for line in output:
|
|
||||||
match = regex_tcp_udp.search(line)
|
|
||||||
|
|
||||||
|
|
||||||
vim:ft=diff
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3
|
|
||||||
size 4497918
|
|
@ -1,16 +0,0 @@
|
|||||||
|
|
3
apparmor-2.11.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a
|
||||||
|
size 5013297
|
16
apparmor-2.11.0.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
|
@ -35,11 +35,11 @@ Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
|
|||||||
+ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
+ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||||
Index: profiles/apparmor.d/abstractions/dbus-session-strict
|
Index: profiles/apparmor.d/abstractions/dbus-session-strict
|
||||||
===================================================================
|
===================================================================
|
||||||
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200
|
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100
|
||||||
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200
|
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100
|
||||||
@@ -13,16 +13,9 @@
|
@@ -14,16 +14,9 @@
|
||||||
/etc/machine-id r,
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
owner /run/user/*/bus rw,
|
||||||
|
|
||||||
- unix (connect, receive, send)
|
- unix (connect, receive, send)
|
||||||
- type=stream
|
- type=stream
|
||||||
@ -71,92 +71,42 @@ Index: profiles/apparmor.d/abstractions/dbus-strict
|
|||||||
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
- peer=(name=org.freedesktop.DBus),
|
- peer=(name=org.freedesktop.DBus),
|
||||||
+ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
+ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||||
|
Index: profiles/apparmor.d/abstractions/fcitx-strict
|
||||||
|
===================================================================
|
||||||
|
--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100
|
||||||
|
+++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100
|
||||||
|
@@ -11,11 +11,6 @@
|
||||||
|
|
||||||
|
#include <abstractions/dbus-session-strict>
|
||||||
|
|
||||||
|
- dbus send
|
||||||
|
- bus=fcitx
|
||||||
|
- path=/org/freedesktop/DBus
|
||||||
|
- interface=org.freedesktop.DBus
|
||||||
|
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
|
- peer=(name=org.freedesktop.DBus),
|
||||||
|
+ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
|
owner @{HOME}/.config/fcitx/dbus/* r,
|
||||||
|
Index: profiles/apparmor.d/abstractions/libpam-systemd
|
||||||
|
===================================================================
|
||||||
|
--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100
|
||||||
|
+++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100
|
||||||
|
@@ -12,8 +12,4 @@
|
||||||
|
#include <abstractions/dbus-strict>
|
||||||
|
|
||||||
|
# libpam-systemd notifies systemd-logind about session logins/logouts
|
||||||
|
- dbus send
|
||||||
|
- bus=system
|
||||||
|
- path=/org/freedesktop/login1
|
||||||
|
- interface=org.freedesktop.login1.Manager
|
||||||
|
- member={CreateSession,ReleaseSession},
|
||||||
|
+ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession},
|
||||||
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
|
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
|
||||||
===================================================================
|
===================================================================
|
||||||
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200
|
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100
|
||||||
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200
|
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100
|
||||||
@@ -16,41 +16,16 @@
|
@@ -21,78 +21,37 @@
|
||||||
#include <abstractions/gnome>
|
|
||||||
|
|
||||||
# Allow connecting to session bus and where to connect to services
|
|
||||||
- dbus (send)
|
|
||||||
- bus=session
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=Hello
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
- dbus (send)
|
|
||||||
- bus=session
|
|
||||||
- path=/org/freedesktop/{db,DB}us
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member={Add,Remove}Match
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
|
|
||||||
# NameHasOwner and GetNameOwner could leak running processes and apps
|
|
||||||
# depending on how services are implemented
|
|
||||||
- dbus (send)
|
|
||||||
- bus=session
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=GetNameOwner
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
- dbus (send)
|
|
||||||
- bus=session
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=NameHasOwner
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
|
|
||||||
|
|
||||||
# Allow starting services on the session bus (actual communications with
|
|
||||||
# the service are mediated elsewhere)
|
|
||||||
- dbus (send)
|
|
||||||
- bus=session
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=StartServiceByName
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus),
|
|
||||||
|
|
||||||
# Allow connecting to system bus and where to connect to services. Put these
|
|
||||||
# here so we don't need to repeat these rules in multiple places (actual
|
|
||||||
@@ -58,108 +36,47 @@
|
|
||||||
# allow apps to brute-force enumerate system services, but our system
|
|
||||||
# services aren't a secret.
|
|
||||||
/{,var/}run/dbus/system_bus_socket rw,
|
|
||||||
- dbus (send)
|
|
||||||
- bus=system
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=Hello
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
- dbus (send)
|
|
||||||
- bus=system
|
|
||||||
- path=/org/freedesktop/{db,DB}us
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member={Add,Remove}Match
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
|
|
||||||
# NameHasOwner and GetNameOwner could leak running processes and apps
|
|
||||||
# depending on how services are implemented
|
|
||||||
- dbus (send)
|
|
||||||
- bus=system
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=GetNameOwner
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
- dbus (send)
|
|
||||||
- bus=system
|
|
||||||
- path=/org/freedesktop/DBus
|
|
||||||
- interface=org.freedesktop.DBus
|
|
||||||
- member=NameHasOwner
|
|
||||||
- peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
|
|
||||||
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Access required for connecting to/communication with Unity HUD
|
# Access required for connecting to/communication with Unity HUD
|
||||||
#
|
#
|
||||||
@ -282,7 +232,7 @@ Index: profiles/apparmor.d/abstractions/gnome
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
|
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
|
||||||
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
|
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
|
||||||
@@ -91,6 +91,4 @@
|
@@ -93,6 +93,4 @@
|
||||||
|
|
||||||
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
|
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
|
||||||
# rules)
|
# rules)
|
||||||
|
@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
|
|||||||
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
|
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
|
||||||
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
|
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
|
||||||
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
|
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
|
||||||
@@ -47,6 +47,10 @@
|
@@ -53,6 +53,10 @@
|
||||||
|
|
||||||
@{HOMEDIRS}/** lrwk,
|
@{HOMEDIRS}/** lrwk,
|
||||||
|
|
||||||
|
@ -1,3 +1,40 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
- update to AppArmor 2.11.0
|
||||||
|
- apparmor_parser now supports parallel compiles and loads
|
||||||
|
- add full support for dbus, ptrace and signal rules and events to the
|
||||||
|
utils
|
||||||
|
- full rewrite of the file rule handling in the utils
|
||||||
|
- lots of improvements and fixes
|
||||||
|
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the
|
||||||
|
detailed changelog
|
||||||
|
- patches:
|
||||||
|
- add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
|
||||||
|
- drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
|
||||||
|
- refresh apparmor-abstractions-no-multiline.diff
|
||||||
|
- refresh apparmor-samba-include-permissions-for-shares.diff
|
||||||
|
- spec changes:
|
||||||
|
- aa-unconfined switched to using ss (from iproute2), adjust Recommends:
|
||||||
|
- move libapparmor to /usr/lib*/
|
||||||
|
- drop %if %suse_version checks for 12.x
|
||||||
|
- change several Obsoletes from %version to < 2.9. Those package names
|
||||||
|
weren't used since years, and 2.9 is still a careful choice
|
||||||
|
- include apparmor.service independent of %suse_version
|
||||||
|
- techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
|
||||||
|
- drop latex2html, texlive-* and w3m BuildRequires
|
||||||
|
- techdoc.txt and techdoc.html not included, drop them from the package
|
||||||
|
- run most of utils/ make check (some tests expect /etc/apparmor.d/ and
|
||||||
|
/sbin/apparmor_parser to exist, skip them)
|
||||||
|
- BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
|
||||||
|
- drop sed'ing python3 into aa-* shebang (upstreamed)
|
||||||
|
- build binutils
|
||||||
|
- aa-exec is now written in C and lives in /usr/bin/, move it to the
|
||||||
|
apparmor_parser package and create a compability symlink in /usr/sbin/
|
||||||
|
- aa-exec manpage moved to section 1
|
||||||
|
- aa-enabled is a small new tool to find out if AppArmor is enabled
|
||||||
|
- package new aa_stack_profile(2) manpage
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de
|
Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
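Review bot: typo in the new changelog entry for aa-exec: "compability symlink" should read "compatibility symlink". In the Obsoletes entry, "weren't used since years" would read better as "haven't been used for years". The entry also lists "build binutils" without saying that `make check -C binutils` is now run as well, which the spec change further down does; one extra line would keep the changelog in step with the spec.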
158
apparmor.spec
@ -24,23 +24,9 @@
|
|||||||
%bcond_without pam
|
%bcond_without pam
|
||||||
%bcond_without apache
|
%bcond_without apache
|
||||||
%bcond_without perl
|
%bcond_without perl
|
||||||
%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210
|
%bcond_with python
|
||||||
# disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch
|
%bcond_without python3
|
||||||
%bcond_with python
|
%bcond_without ruby
|
||||||
%bcond_with python3
|
|
||||||
%bcond_with ruby
|
|
||||||
%else
|
|
||||||
%if 0%{?suse_version} == 1220
|
|
||||||
# swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead
|
|
||||||
%bcond_without python
|
|
||||||
%bcond_with python3
|
|
||||||
%bcond_without ruby
|
|
||||||
%else
|
|
||||||
%bcond_with python
|
|
||||||
%bcond_without python3
|
|
||||||
%bcond_without ruby
|
|
||||||
%endif
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%define CATALINA_HOME /usr/share/tomcat6
|
%define CATALINA_HOME /usr/share/tomcat6
|
||||||
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
|
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
|
||||||
@ -60,11 +46,12 @@ Name: apparmor
|
|||||||
%if ! %{?distro:1}0
|
%if ! %{?distro:1}0
|
||||||
%define distro suse
|
%define distro suse
|
||||||
%endif
|
%endif
|
||||||
Version: 2.10.2
|
Version: 2.11.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: AppArmor userlevel parser utility
|
Summary: AppArmor userlevel parser utility
|
||||||
License: GPL-2.0+
|
License: GPL-2.0+
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
|
Url: https://launchpad.net/apparmor
|
||||||
Source0: apparmor-%{version}.tar.gz
|
Source0: apparmor-%{version}.tar.gz
|
||||||
Source1: apparmor-%{version}.tar.gz.asc
|
Source1: apparmor-%{version}.tar.gz.asc
|
||||||
Source2: %{name}.keyring
|
Source2: %{name}.keyring
|
||||||
@ -82,9 +69,6 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
|
|||||||
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
|
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
|
||||||
Patch3: apparmor-utils-string-split
|
Patch3: apparmor-utils-string-split
|
||||||
|
|
||||||
# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380)
|
|
||||||
Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff
|
|
||||||
|
|
||||||
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
|
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
|
||||||
Patch5: ruby-2_0-mkmf-destdir.patch
|
Patch5: ruby-2_0-mkmf-destdir.patch
|
||||||
|
|
||||||
@ -95,7 +79,9 @@ Patch6: apparmor-abstractions-no-multiline.diff
|
|||||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||||
Patch7: apparmor-lessopen-profile.patch
|
Patch7: apparmor-lessopen-profile.patch
|
||||||
|
|
||||||
Url: https://launchpad.net/apparmor
|
# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615)
|
||||||
|
Patch8: sshd-profile-drop-local-include-r3615.diff
|
||||||
|
|
||||||
PreReq: sed
|
PreReq: sed
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
%if %{distro} == "suse"
|
%if %{distro} == "suse"
|
||||||
@ -104,19 +90,14 @@ PreReq: aaa_base
|
|||||||
%endif
|
%endif
|
||||||
%define apparmor_bin_prefix /lib/apparmor
|
%define apparmor_bin_prefix /lib/apparmor
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
|
BuildRequires: dejagnu
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: latex2html
|
|
||||||
BuildRequires: pcre-devel
|
BuildRequires: pcre-devel
|
||||||
BuildRequires: pkg-config
|
BuildRequires: pkg-config
|
||||||
BuildRequires: python
|
BuildRequires: python
|
||||||
|
BuildRequires: python3-pyflakes
|
||||||
BuildRequires: perl(Locale::gettext)
|
BuildRequires: perl(Locale::gettext)
|
||||||
%if 0%{?suse_version} > 1220
|
|
||||||
BuildRequires: texlive-amsfonts
|
|
||||||
BuildRequires: texlive-cm-super
|
|
||||||
%endif
|
|
||||||
BuildRequires: texlive-latex
|
|
||||||
BuildRequires: w3m
|
|
||||||
|
|
||||||
BuildRequires: swig
|
BuildRequires: swig
|
||||||
|
|
||||||
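Review bot: `BuildRequires: python3-pyflakes` is added unconditionally in this hunk, while the Python 3 build itself can be switched off through `%bcond_without python3` at the top of the spec. A build with python3 disabled would still pull in pyflakes; wrap the line in `%if %{with python3}`, or add a short comment that the utils tests need it regardless of the bindings. `dejagnu` has the same lack of a comment: the reason (libapparmor tests) is only recorded in the .changes file.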
@ -149,12 +130,12 @@ BuildRequires: tomcat6
|
|||||||
Summary: AppArmor userlevel parser utility
|
Summary: AppArmor userlevel parser utility
|
||||||
License: GPL-2.0+
|
License: GPL-2.0+
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Obsoletes: libimnxcert < %{version}
|
Obsoletes: libimnxcert < 2.9
|
||||||
Obsoletes: subdomain-leaf-cert < %{version}
|
Obsoletes: subdomain-leaf-cert < 2.9
|
||||||
Obsoletes: subdomain-parser < %{version}
|
Obsoletes: subdomain-parser < 2.9
|
||||||
Obsoletes: subdomain-parser-common < %{version}
|
Obsoletes: subdomain-parser-common < 2.9
|
||||||
Obsoletes: subdomain-parser-demo < %{version}
|
Obsoletes: subdomain-parser-demo < 2.9
|
||||||
Obsoletes: subdomain_parser < %{version}
|
Obsoletes: subdomain_parser < 2.9
|
||||||
Provides: libimnxcert = %{version}
|
Provides: libimnxcert = %{version}
|
||||||
Provides: subdomain-leaf-cert = %{version}
|
Provides: subdomain-leaf-cert = %{version}
|
||||||
Provides: subdomain-parser = %{version}
|
Provides: subdomain-parser = %{version}
|
||||||
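Review bot: the literal `2.9` is now repeated on all six Obsoletes lines in this hunk, and again for libapparmor-64bit, libapparmor and subdomain-profiles in later hunks, with the reasoning recorded only in the .changes entry. Defining the bound once as a macro near the top of the spec, with a one-line comment on why 2.9 was chosen, would keep the value consistent and documented where it is used. The matching Provides lines stay at `= %{version}`, so a versioned Provides above the Obsoletes bound is kept, which is what avoids the package obsoleting itself.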
@ -166,10 +147,8 @@ Provides: apparmor-parser(CAP_SYSLOG)
|
|||||||
# initscript needs /lib/lsb/init-functions from insserv/insserv-compat
|
# initscript needs /lib/lsb/init-functions from insserv/insserv-compat
|
||||||
Requires: insserv
|
Requires: insserv
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
%endif
|
|
||||||
|
|
||||||
%description parser
|
%description parser
|
||||||
The AppArmor Parser is a userlevel program that is used to load in
|
The AppArmor Parser is a userlevel program that is used to load in
|
||||||
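Review bot: with the `%if 0%{?suse_version} > 1320` guard removed, `systemd-rpm-macros` and `%{?systemd_requires}` now apply on every target, yet the context directly above still carries `Requires: insserv` with the comment that the initscript needs /lib/lsb/init-functions. If apparmor.service is shipped unconditionally, the comment should say whether the initscript (and therefore insserv) is still required alongside it, or the dependency should be dropped in the same change.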
@ -214,13 +193,11 @@ Summary: Utility library for AppArmor
|
|||||||
License: LGPL-2.1+
|
License: LGPL-2.1+
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
Obsoletes: libapparmor-64bit < %{version}
|
Obsoletes: libapparmor-64bit < 2.9
|
||||||
Provides: libapparmor-64bit = %{version}
|
Provides: libapparmor-64bit = %{version}
|
||||||
%endif
|
%endif
|
||||||
Provides: libapparmor = %{version}
|
Provides: libapparmor = %{version}
|
||||||
#Provides: libimmunix = %{version}
|
Obsoletes: libapparmor < 2.9
|
||||||
Obsoletes: libapparmor < %{version}
|
|
||||||
#Obsoletes: libimmunix < %{version}
|
|
||||||
|
|
||||||
%description -n libapparmor1
|
%description -n libapparmor1
|
||||||
This package provides the libapparmor library, which contains the
|
This package provides the libapparmor library, which contains the
|
||||||
@ -338,7 +315,7 @@ License: GPL-2.0 and LGPL-2.1+
|
|||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
Requires: apparmor-abstractions >= %{version}
|
Requires: apparmor-abstractions >= %{version}
|
||||||
Requires: apparmor-parser(CAP_SYSLOG)
|
Requires: apparmor-parser(CAP_SYSLOG)
|
||||||
Obsoletes: subdomain-profiles < %{version}
|
Obsoletes: subdomain-profiles < 2.9
|
||||||
Provides: subdomain-profiles = %{version}
|
Provides: subdomain-profiles = %{version}
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
@ -356,7 +333,7 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profi
|
|||||||
License: GPL-2.0 and LGPL-2.1+
|
License: GPL-2.0 and LGPL-2.1+
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
Requires: libapparmor1 = %{version}
|
Requires: libapparmor1 = %{version}
|
||||||
# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify)
|
# some of the tools are still perl-based (aa-decode and aa-notify)
|
||||||
Requires: perl = %{perl_version}
|
Requires: perl = %{perl_version}
|
||||||
Requires: perl-apparmor = %{version}
|
Requires: perl-apparmor = %{version}
|
||||||
%if %{with python3}
|
%if %{with python3}
|
||||||
@ -366,12 +343,8 @@ Requires: python3-base
|
|||||||
Requires: python-apparmor = %{version}
|
Requires: python-apparmor = %{version}
|
||||||
Requires: python-base
|
Requires: python-base
|
||||||
%endif
|
%endif
|
||||||
# aa-unconfined needs netstat
|
# aa-unconfined needs ss
|
||||||
%if 0%{?suse_version} > 1320
|
Recommends: iproute2
|
||||||
Recommends: net-tools-deprecated
|
|
||||||
%else
|
|
||||||
Recommends: net-tools
|
|
||||||
%endif
|
|
||||||
# aa-notify -p needs notify-send
|
# aa-notify -p needs notify-send
|
||||||
Recommends: libnotify-tools
|
Recommends: libnotify-tools
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
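Review bot: the updated comment says `aa-unconfined needs ss`, but the dependency remains `Recommends: iproute2`, so the tool can be installed without the binary it calls. That mismatch already existed with net-tools; since the line is being touched anyway, either reword the comment to say the dependency is optional and what aa-unconfined does when ss is missing, or promote it to a hard Requires.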
@ -435,27 +408,19 @@ SubDomain.
|
|||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2
|
%patch2
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4
|
|
||||||
|
|
||||||
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
|
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
|
||||||
%if 0%{?suse_version} > 1230
|
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%endif
|
|
||||||
|
|
||||||
%patch6
|
%patch6
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
|
%patch8
|
||||||
|
|
||||||
# search for left-over multiline rules
|
# search for left-over multiline rules
|
||||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||||
|
|
||||||
%build
|
%build
|
||||||
echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
|
|
||||||
|
|
||||||
export SUSE_ASNEEDED=0
|
export SUSE_ASNEEDED=0
|
||||||
# re-define _libdir to /lib or /lib64
|
|
||||||
%define _libdir /%{_lib}
|
|
||||||
|
|
||||||
echo new _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
|
|
||||||
|
|
||||||
%if %{with python3}
|
%if %{with python3}
|
||||||
export PYTHON=/usr/bin/python3
|
export PYTHON=/usr/bin/python3
|
||||||
@ -485,6 +450,9 @@ export PYTHON=/usr/bin/python3
|
|||||||
# Utilities:
|
# Utilities:
|
||||||
make -C utils
|
make -C utils
|
||||||
|
|
||||||
|
# binutils
|
||||||
|
make -C binutils
|
||||||
|
|
||||||
# deprecated/utils (perl modules still needed by YaST)
|
# deprecated/utils (perl modules still needed by YaST)
|
||||||
%if %{with perl}
|
%if %{with perl}
|
||||||
make -C deprecated/utils
|
make -C deprecated/utils
|
||||||
@ -492,8 +460,6 @@ make -C deprecated/utils
|
|||||||
|
|
||||||
# parser:
|
# parser:
|
||||||
make -C parser V=1
|
make -C parser V=1
|
||||||
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
|
|
||||||
make -C parser V=1 techdoc.txt
|
|
||||||
|
|
||||||
# Apache mod_apparmor:
|
# Apache mod_apparmor:
|
||||||
%if %{with apache}
|
%if %{with apache}
|
||||||
@ -508,8 +474,6 @@ make -C parser V=1 techdoc.txt
|
|||||||
# Profiles:
|
# Profiles:
|
||||||
make -C profiles
|
make -C profiles
|
||||||
|
|
||||||
##configure --disable-static --with-pic \
|
|
||||||
#--with-perl \
|
|
||||||
%if %{with tomcat}
|
%if %{with tomcat}
|
||||||
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
||||||
%endif
|
%endif
|
||||||
@ -522,11 +486,24 @@ export PYTHON_VERSIONS=python3
|
|||||||
|
|
||||||
make check -C libraries/libapparmor
|
make check -C libraries/libapparmor
|
||||||
make check -C parser
|
make check -C parser
|
||||||
|
make check -C binutils
|
||||||
|
|
||||||
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
||||||
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
||||||
(cd profiles && make check-parser)
|
(cd profiles && make check-parser)
|
||||||
# utils make check fails if profiles don't exist in /etc/apparmor.d/
|
|
||||||
# make check -C utils
|
# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist
|
||||||
|
# (aa.py doesn't allow to inject in-tree paths early enough)
|
||||||
|
rm -v utils/test/test-aa.py
|
||||||
|
rm -v utils/test/test-aa-easyprof.py
|
||||||
|
rm -v utils/test/test-libapparmor-test_multi.py
|
||||||
|
rm -v utils/test/test-mount_parse.py
|
||||||
|
rm -v utils/test/test-parser-simple-tests.py
|
||||||
|
rm -v utils/test/test-pivot_root_parse.py
|
||||||
|
rm -v utils/test/test-regex_matches.py
|
||||||
|
rm -v utils/test/test-unix_parse.py
|
||||||
|
|
||||||
|
make check -C utils
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
|
||||||
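Review bot: the eight `rm -v utils/test/...` lines added before `make check -C utils` delete whole test files with only one shared comment as explanation, and that includes `test-parser-simple-tests.py` and `test-regex_matches.py`. Please say per file which prerequisite is missing (`/etc/apparmor.d/abstractions/*` or `/sbin/apparmor_parser`) and reference an upstream report for the path injection limitation in `aa.py`, so the deletions get revisited when upstream changes. Keeping `rm -v` without `-f` is good: the build script runs under `sh -e`, so a renamed or removed upstream test fails the build instead of being skipped silently.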
@ -535,8 +512,7 @@ export PYTHON=/usr/bin/python3
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
# libapparmor
|
# libapparmor
|
||||||
# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0
|
%makeinstall -C libraries/libapparmor
|
||||||
%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/
|
|
||||||
# create symlink for old change_hat(2) manpage
|
# create symlink for old change_hat(2) manpage
|
||||||
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
|
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
|
||||||
|
|
||||||
@ -544,12 +520,10 @@ export PYTHON=/usr/bin/python3
|
|||||||
%makeinstall -C utils
|
%makeinstall -C utils
|
||||||
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
|
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
|
||||||
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
|
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
|
||||||
%if %{with python3}
|
|
||||||
# enforce usage of python3
|
# binutils
|
||||||
for file in %{buildroot}/%{_sbindir}/aa-* ; do
|
%makeinstall -C binutils
|
||||||
sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file"
|
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
|
||||||
done
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# deprecated/utils (perl modules still needed by YaST)
|
# deprecated/utils (perl modules still needed by YaST)
|
||||||
%if %{with perl}
|
%if %{with perl}
|
||||||
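Review bot: the added line `( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )` creates only `%{_sbindir}/exec`, so nothing is left at the old `%{_sbindir}/aa-exec` path for callers that used the full path. If the compatibility link is meant to cover the move of `aa-exec` to `%{_bindir}`, add a second link named `aa-exec`. None of the `%files` hunks shown here lists `%{_sbindir}/exec`; please confirm it is owned by the same subpackage that now ships `%{_bindir}/aa-exec`, so the link cannot be installed without its target.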
@ -569,7 +543,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with pam}
|
%if %{with pam}
|
||||||
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
|
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with tomcat}
|
%if %{with tomcat}
|
||||||
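Review bot: `SECDIR=%{buildroot}/%{_lib}/security` on the changed `%makeinstall` line hard-codes the PAM module directory, and the same literal is repeated in the `pam_apparmor` `%files` entry later in this patch. Define the directory once near the top of the spec and use that macro in both places, so the install path and the packaged path cannot drift apart.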
@ -577,8 +551,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
|||||||
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
|
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
find %{buildroot} -name .packlist -exec rm -f {} \;
|
find %{buildroot} -name .packlist -exec rm -vf {} \;
|
||||||
find %{buildroot} -name perllocal.pod -exec rm -f {} \;
|
find %{buildroot} -name perllocal.pod -exec rm -vf {} \;
|
||||||
|
|
||||||
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
|
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
|
||||||
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
|
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
|
||||||
@ -587,7 +561,7 @@ for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
|
|||||||
f=$(basename $file)
|
f=$(basename $file)
|
||||||
case "${f#aa-}" in
|
case "${f#aa-}" in
|
||||||
audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
|
audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
|
||||||
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
|
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
|
||||||
if [ "${f#aa-}" != "$f" ]; then
|
if [ "${f#aa-}" != "$f" ]; then
|
||||||
ln -s $f $d/${f#aa-}
|
ln -s $f $d/${f#aa-}
|
||||||
fi
|
fi
|
||||||
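Review bot: on the first `case` line the tool name `exec` is still listed, although only the manpage pattern was updated (`exec.8*` to `exec.1*`). The loop in the hunk header globs `%{_prefix}/{sbin,share/man/man[0-9]}/aa-*`, and `aa-exec` is now installed to `%{_bindir}`, so that entry no longer matches anything and the `sbin/exec` link comes from the separate `ln -s` after `%makeinstall -C binutils`. Drop `exec` from the tool list, or add a comment pointing to where the link is created.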
@ -599,16 +573,14 @@ mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
|
|||||||
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
|
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
|
||||||
rm -f %{buildroot}%{_mandir}/man8/decode.8
|
rm -f %{buildroot}%{_mandir}/man8/decode.8
|
||||||
|
|
||||||
for pkg in apparmor-utils apparmor-parser; do
|
for pkg in apparmor-utils apparmor-parser aa-binutils; do
|
||||||
%find_lang $pkg
|
%find_lang $pkg
|
||||||
done
|
done
|
||||||
|
|
||||||
# remove *.la files
|
# remove *.la files
|
||||||
rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
|
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
|
||||||
%endif
|
|
||||||
|
|
||||||
echo -------------------------------------------------------------------
|
echo -------------------------------------------------------------------
|
||||||
#find -ls
|
#find -ls
|
||||||
@ -621,7 +593,7 @@ echo -------------------------------------------------------------------
|
|||||||
%doc parser/*.[1-9].html
|
%doc parser/*.[1-9].html
|
||||||
%doc utils/vim/apparmor.vim.5.html
|
%doc utils/vim/apparmor.vim.5.html
|
||||||
%doc common/apparmor.css
|
%doc common/apparmor.css
|
||||||
%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
|
%doc parser/techdoc.pdf
|
||||||
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
|
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
|
||||||
%dir %{_datadir}/apparmor
|
%dir %{_datadir}/apparmor
|
||||||
%{_datadir}/apparmor/apparmor.vim
|
%{_datadir}/apparmor/apparmor.vim
|
||||||
@ -630,6 +602,8 @@ echo -------------------------------------------------------------------
|
|||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%doc parser/README parser/COPYING.GPL
|
%doc parser/README parser/COPYING.GPL
|
||||||
/sbin/apparmor_parser
|
/sbin/apparmor_parser
|
||||||
|
%{_bindir}/aa-enabled
|
||||||
|
%{_bindir}/aa-exec
|
||||||
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
||||||
%dir %{_sysconfdir}/apparmor.d
|
%dir %{_sysconfdir}/apparmor.d
|
||||||
%{_sysconfdir}/apparmor.d/cache
|
%{_sysconfdir}/apparmor.d/cache
|
||||||
@ -640,14 +614,15 @@ echo -------------------------------------------------------------------
|
|||||||
%else
|
%else
|
||||||
%{_sysconfdir}/init.d/apparmor
|
%{_sysconfdir}/init.d/apparmor
|
||||||
%endif
|
%endif
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
%{_unitdir}/apparmor.service
|
%{_unitdir}/apparmor.service
|
||||||
%endif
|
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
||||||
%{_localstatedir}/lib/apparmor
|
%{_localstatedir}/lib/apparmor
|
||||||
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
||||||
%{apparmor_bin_prefix}/rc.apparmor.functions
|
%{apparmor_bin_prefix}/rc.apparmor.functions
|
||||||
|
%doc %{_mandir}/man1/aa-enabled.1.gz
|
||||||
|
%doc %{_mandir}/man1/aa-exec.1.gz
|
||||||
|
%doc %{_mandir}/man1/exec.1.gz
|
||||||
%doc %{_mandir}/man5/apparmor.d.5.gz
|
%doc %{_mandir}/man5/apparmor.d.5.gz
|
||||||
%doc %{_mandir}/man5/apparmor.vim.5.gz
|
%doc %{_mandir}/man5/apparmor.vim.5.gz
|
||||||
%doc %{_mandir}/man5/subdomain.conf.5.gz
|
%doc %{_mandir}/man5/subdomain.conf.5.gz
|
||||||
@ -658,11 +633,10 @@ echo -------------------------------------------------------------------
|
|||||||
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
|
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
|
||||||
chkconfig --del subdomain
|
chkconfig --del subdomain
|
||||||
fi
|
fi
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
%service_add_pre apparmor.service
|
%service_add_pre apparmor.service
|
||||||
%endif
|
|
||||||
|
|
||||||
%files parser-lang -f apparmor-parser.lang
|
%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
|
||||||
|
%defattr(-,root,root)
|
||||||
|
|
||||||
%files -n libapparmor1
|
%files -n libapparmor1
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -672,8 +646,10 @@ fi
|
|||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{_libdir}/libapparmor.a
|
%{_libdir}/libapparmor.a
|
||||||
%{_libdir}/libapparmor.so
|
%{_libdir}/libapparmor.so
|
||||||
/usr/%{_lib}/pkgconfig/libapparmor.pc
|
%{_libdir}/pkgconfig/libapparmor.pc
|
||||||
%doc %{_mandir}/man2/aa_change_hat.2.gz
|
%doc %{_mandir}/man2/aa_change_hat.2.gz
|
||||||
|
%doc %{_mandir}/man2/aa_change_profile.2.gz
|
||||||
|
%doc %{_mandir}/man2/aa_stack_profile.2.gz
|
||||||
%doc %{_mandir}/man2/change_hat.2.gz
|
%doc %{_mandir}/man2/change_hat.2.gz
|
||||||
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
|
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
|
||||||
%doc %{_mandir}/man2/aa_getcon.2.gz
|
%doc %{_mandir}/man2/aa_getcon.2.gz
|
||||||
@ -732,7 +708,6 @@ fi
|
|||||||
%dir %{_datadir}/apparmor
|
%dir %{_datadir}/apparmor
|
||||||
%{_datadir}/apparmor/easyprof/
|
%{_datadir}/apparmor/easyprof/
|
||||||
%dir %{_localstatedir}/log/apparmor
|
%dir %{_localstatedir}/log/apparmor
|
||||||
%doc %{_mandir}/man2/aa_change_profile.2.gz
|
|
||||||
%doc %{_mandir}/man5/logprof.conf.5.gz
|
%doc %{_mandir}/man5/logprof.conf.5.gz
|
||||||
%doc %{_mandir}/man8/apparmor_notify.8.gz
|
%doc %{_mandir}/man8/apparmor_notify.8.gz
|
||||||
%doc %{_mandir}/man8/aa-*.gz
|
%doc %{_mandir}/man8/aa-*.gz
|
||||||
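Review bot: the removed line `%doc %{_mandir}/man2/aa_change_profile.2.gz` moves a file with an unchanged path out of this `%files` list and into the list in the `@ -672` hunk. If the two subpackages are not tied to the same version through their Requires, installing the new owner next to an old build of this package gives a file conflict. Please check that a versioned dependency or a `Conflicts:` covers this move.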
@ -743,7 +718,6 @@ fi
|
|||||||
%doc %{_mandir}/man8/disable.8.gz
|
%doc %{_mandir}/man8/disable.8.gz
|
||||||
%doc %{_mandir}/man8/easyprof.8.gz
|
%doc %{_mandir}/man8/easyprof.8.gz
|
||||||
%doc %{_mandir}/man8/enforce.8.gz
|
%doc %{_mandir}/man8/enforce.8.gz
|
||||||
%doc %{_mandir}/man8/exec.8.gz
|
|
||||||
%doc %{_mandir}/man8/genprof.8.gz
|
%doc %{_mandir}/man8/genprof.8.gz
|
||||||
%doc %{_mandir}/man8/logprof.8.gz
|
%doc %{_mandir}/man8/logprof.8.gz
|
||||||
%doc %{_mandir}/man8/unconfined.8.gz
|
%doc %{_mandir}/man8/unconfined.8.gz
|
||||||
@ -800,7 +774,7 @@ fi
|
|||||||
|
|
||||||
%files -n pam_apparmor
|
%files -n pam_apparmor
|
||||||
%defattr(444,root,root,755)
|
%defattr(444,root,root,755)
|
||||||
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
|
%attr(555,root,root) /%{_lib}/security/pam_apparmor.so
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with tomcat}
|
%if %{with tomcat}
|
||||||
@ -853,9 +827,7 @@ fi
|
|||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
%service_add_post apparmor.service
|
%service_add_post apparmor.service
|
||||||
%endif
|
|
||||||
|
|
||||||
%preun parser
|
%preun parser
|
||||||
if [ "$1" = 0 ] ; then
|
if [ "$1" = 0 ] ; then
|
||||||
@ -867,9 +839,7 @@ if [ "$1" = 0 ] ; then
|
|||||||
%endif
|
%endif
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
%service_del_preun apparmor.service
|
%service_del_preun apparmor.service
|
||||||
%endif
|
|
||||||
|
|
||||||
%postun parser
|
%postun parser
|
||||||
%if %{distro} == "suse"
|
%if %{distro} == "suse"
|
||||||
@ -885,11 +855,9 @@ fi
|
|||||||
%{insserv_cleanup} || true
|
%{insserv_cleanup} || true
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1320
|
|
||||||
# don't call try-restart, see bnc#853019
|
# don't call try-restart, see bnc#853019
|
||||||
export DISABLE_RESTART_ON_UPDATE="yes"
|
export DISABLE_RESTART_ON_UPDATE="yes"
|
||||||
%service_del_postun apparmor.service
|
%service_del_postun apparmor.service
|
||||||
%endif
|
|
||||||
|
|
||||||
%post abstractions
|
%post abstractions
|
||||||
%if %{distro} == "suse"
|
%if %{distro} == "suse"
|
||||||
|
30
sshd-profile-drop-local-include-r3615.diff
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
------------------------------------------------------------
|
||||||
|
revno: 3615
|
||||||
|
committer: Christian Boltz <apparmor@cboltz.de>
|
||||||
|
branch nick: apparmor
|
||||||
|
timestamp: Thu 2017-01-12 22:01:11 +0100
|
||||||
|
message:
|
||||||
|
sshd profile: drop local/ include
|
||||||
|
|
||||||
|
The local/ include in the sshd profile in extras causes some trouble:
|
||||||
|
- it breaks "make check" because the parser can't find the local/ file
|
||||||
|
- it results in a broken profile if someone uses this profile as
|
||||||
|
starting point, but doesn't notice it needs the local include
|
||||||
|
|
||||||
|
|
||||||
|
Acked-by: Steve Beattie <steve@nxnw.org>
|
||||||
|
|
||||||
|
|
||||||
|
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
|
||||||
|
--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000
|
||||||
|
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000
|
||||||
|
@@ -140,5 +140,5 @@
|
||||||
|
/usr/lib/openssh/sftp-server PUx,
|
||||||
|
|
||||||
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
|
- #include <local/usr.sbin.sshd>
|
||||||
|
+ ## include <local/usr.sbin.sshd>
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
vim:ft=diff
|
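Review bot: in the embedded profile change, the include is disabled as `## include <local/usr.sbin.sshd>`, but the comment directly above it still reads "Site-specific additions and overrides. See local/README for details." as if the hook were active. Anyone who starts from this extras profile gets no local override file read and no hint about it. Extend that comment to say the include is disabled on purpose and must be uncommented after creating `local/usr.sbin.sshd`. The spec changelog should also state whether this patch can be dropped with the next upstream release, since the file name carries upstream revision r3615.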