# # spec file for package apparmor # # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2011-2017 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # warning - confusing syntax ahead ;-) # bcond_with means "disable" # bcond_without means "enable" %bcond_with tomcat %bcond_without pam %bcond_without apache %bcond_without perl %bcond_with python %bcond_without python3 %bcond_without ruby %define CATALINA_HOME /usr/share/tomcat6 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/ #define JNI_SO libJNIChangeHat.so %define JAR_FILE changeHatValve.jar %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) Name: apparmor Version: 2.11.0 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security Url: https://launchpad.net/apparmor Source0: apparmor-%{version}.tar.gz Source1: apparmor-%{version}.tar.gz.asc Source2: %{name}.keyring Source5: update-trans.sh Source6: baselibs.conf Source7: apparmor-rpmlintrc Source8: apparmor.service Source9: apparmor.systemd # enable caching of profiles (= massive performance speedup when loading profiles) Patch1: apparmor-enable-profile-cache.diff # include autogenerated profile sniplet for samba shares (bnc#688040) Patch2: apparmor-samba-include-permissions-for-shares.diff # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch3: apparmor-utils-string-split # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de Patch5: ruby-2_0-mkmf-destdir.patch # change multiline rules in abstractions to one line - needed because YaST still uses the perl module, which doesn't support multiline rules # (bnc#900013, not for upstream) Patch6: apparmor-abstractions-no-multiline.diff # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch # drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615) Patch8: sshd-profile-drop-local-include-r3615.diff # upstream changes (trunk r3616..3628) Patch9: upstream-changes-r3616..3628.diff # upstream changes (trunk r3629..3648) Patch10: upstream-changes-r3629..3648.diff # add some exceptions to utils/test/test-parser-simple-tests.py (submitted upstream 2017-03-25) Patch11: parser-tests-dbus-duplicated-conditionals.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor BuildRequires: bison BuildRequires: dejagnu BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: pcre-devel BuildRequires: pkg-config BuildRequires: python BuildRequires: python3-pyflakes BuildRequires: perl(Locale::gettext) BuildRequires: swig %if %{with python} BuildRequires: python-devel BuildRequires: swig %endif %if %{with python3} BuildRequires: python3-devel BuildRequires: swig %endif %if %{with ruby} BuildRequires: ruby-devel BuildRequires: swig %endif %if %{with apache} BuildRequires: apache2-devel %endif %if %{with tomcat} BuildRequires: ant BuildRequires: java-devel >= 1.6.0 BuildRequires: tomcat6 %endif %package parser Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security Obsoletes: libimnxcert < 2.9 Obsoletes: subdomain-leaf-cert < 2.9 Obsoletes: subdomain-parser < 2.9 Obsoletes: subdomain-parser-common < 2.9 Obsoletes: subdomain-parser-demo < 2.9 Obsoletes: subdomain_parser < 2.9 Provides: libimnxcert = %{version} Provides: subdomain-leaf-cert = %{version} Provides: subdomain-parser = %{version} Provides: subdomain-parser-common = %{version} Provides: subdomain-parser-demo = %{version} Provides: subdomain_parser = %{version} Provides: apparmor-parser(CAP_SYSLOG) BuildRequires: systemd-rpm-macros %{?systemd_requires} %description parser The AppArmor Parser is a userlevel program that is used to load in program profiles to the AppArmor Security kernel module. This package is part of a suite of tools that used to be named SubDomain. %package docs Summary: AppArmor Documentation package License: GPL-2.0+ Group: Documentation/Other BuildArch: noarch %description docs This package contains documentation for AppArmor. This package is part of a suite of tools that used to be named SubDomain. %if %{with apache} %package -n apache2-mod_apparmor Summary: AppArmor module for apache2 License: GPL-2.0+ Group: Productivity/Security %description -n apache2-mod_apparmor apache2-modapparmor adds support to apache2 to provide AppArmor confinement to individual cgi scripts handled by apache modules like mod_php and mod_perl. This package is part of a suite of tools that used to be named SubDomain. The documentation is in the apparmor-admin_en package. %endif %if %{with perl} %package -n perl-apparmor Summary: Perl interface for libapparmor functions License: GPL-2.0 and LGPL-2.1+ Group: Development/Libraries/Perl Requires: libapparmor1 = %{version} Requires: perl = %{perl_version} Requires: perl(DBD::SQLite) Requires: perl(Locale::gettext) Requires: perl(RPC::XML) Requires: perl(RPC::XML) Requires: perl(Term::ReadKey) Requires: perl(Term::ReadKey) Provides: perl-libapparmor = %{version} Obsoletes: perl-libapparmor < 2.5 %description -n perl-apparmor This package provides the perl interface to AppArmor. It is used for perl applications interfacing with AppArmor, including the AppArmor utilities. %endif %if %{with python} %package -n python-apparmor Summary: Python 2 interface for libapparmor functions License: GPL-2.0 and LGPL-2.1+ Group: Development/Libraries/Python BuildRequires: python Requires: libapparmor1 = %{version} Requires: python = %{python_version} Provides: python-libapparmor = %{version} Obsoletes: python-libapparmor < 2.5 %description -n python-apparmor This package provides the python interface to AppArmor. It is used for python applications interfacing with AppArmor. %endif %if %{with python3} %package -n python3-apparmor Summary: Python 3 interface for libapparmor functions License: GPL-2.0 and LGPL-2.1+ Group: Development/Libraries/Python Requires: libapparmor1 = %{version} Requires: python3 = %{py3_ver} Requires: python(abi) = %{py3_ver} Provides: python-libapparmor = %{version} %description -n python3-apparmor This package provides the python interface to AppArmor. It is used for python applications interfacing with AppArmor. %endif %if %{with ruby} %package -n ruby-apparmor Summary: Ruby interface for libapparmor functions License: GPL-2.0 and LGPL-2.1+ Group: Development/Languages/Ruby Requires: libapparmor1 = %{version} Requires: ruby = %(rpm -q --qf '%%{version}' ruby) Provides: ruby-libapparmor = %{version} Obsoletes: ruby-libapparmor < 2.5 %description -n ruby-apparmor This package provides the ruby interface to AppArmor. It is used for ruby applications interfacing with AppArmor. %endif %package abstractions Summary: AppArmor abstractions and directory structure License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: apparmor-parser(CAP_SYSLOG) BuildArch: noarch %description abstractions AppArmor abstractions (common parts used in various profiles) and the /etc/apparmor.d/ directory structure. AppArmor is a file and network mandatory access control mechanism. AppArmor confines processes to the resources allowed by the systems administrator and can constrain the scope of potential security vulnerabilities. This package is part of a suite of tools that used to be named SubDomain. %package profiles Summary: AppArmor profiles that are loaded into the apparmor kernel module License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: apparmor-abstractions >= %{version} Requires: apparmor-parser(CAP_SYSLOG) Obsoletes: subdomain-profiles < 2.9 Provides: subdomain-profiles = %{version} BuildArch: noarch %description profiles Base profiles. AppArmor is a file and network mandatory access control mechanism. AppArmor confines processes to the resources allowed by the systems administrator and can constrain the scope of potential security vulnerabilities. This package is part of a suite of tools that used to be named SubDomain. %package utils Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: libapparmor1 = %{version} # some of the tools are still perl-based (aa-decode and aa-notify) Requires: perl = %{perl_version} Requires: perl-apparmor = %{version} %if %{with python3} Requires: python3-apparmor = %{version} Requires: python3-base %else Requires: python-apparmor = %{version} Requires: python-base %endif # aa-unconfined needs ss Recommends: iproute2 # aa-notify -p needs notify-send Recommends: libnotify-tools BuildArch: noarch %description utils This package provides the aa-logprof, aa-genprof, aa-autodep, aa-enforce, and aa-complain tools to assist with profile authoring. Besides it provides the aa-unconfined server information tool. It is part of a suite of tools that used to be named SubDomain. %if %{with tomcat} %package -n tomcat_apparmor Summary: Tomcat 6 plugin for AppArmor change_hat License: GPL-2.0 and LGPL-2.1+ Group: System/Libraries Requires: libapparmor1 = %{version} Requires: tomcat6 %description -n tomcat_apparmor tomcat_apparmor - is a plugin for Apache Tomcat version 6 that provides support for AppArmor change_hat for creating AppArmor containers that are bound to discrete elements of processing within the Tomcat servlet container. The AppArmor containers, or "hats", can be created for individual URL processing or per servlet. %endif %if %{with pam} %package -n pam_apparmor Summary: PAM module for AppArmor change_hat License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security BuildRequires: pam-devel PreReq: pam PreReq: pam-config Requires: pam Requires: pam-config %description -n pam_apparmor The pam_apparmor module provides the means for any PAM applications that call pam_open_session() to automatically perform an AppArmor change_hat operation in order to switch to a user-specific security policy. %endif %description The AppArmor Parser is a userlevel program that is used to load in program profiles to the AppArmor Security kernel module. This package is part of a suite of tools that used to be named SubDomain. %lang_package -n apparmor-utils %lang_package -n apparmor-parser %prep %setup -q %patch1 -p1 %patch2 %patch3 -p1 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR) %patch5 -p1 %patch6 %patch7 -p1 %patch8 %patch9 %patch10 # patch10 (upstream-changes-r3629..3648.diff) fails to create empty files, do it manually touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err %patch11 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" %build export SUSE_ASNEEDED=0 %if %{with python3} export PYTHON=/usr/bin/python3 %endif # libapparmor: ( cd ./libraries/libapparmor %configure \ %if %{with perl} --with-perl \ %endif %if %{with python}%{with python3} --with-python \ %else --without-python \ %endif %if %{with ruby} --with-ruby \ %else --without-ruby \ %endif make ) # Utilities: make -C utils # binutils make -C binutils # deprecated/utils (perl modules still needed by YaST) %if %{with perl} make -C deprecated/utils %endif # parser: make -C parser V=1 # Apache mod_apparmor: %if %{with apache} make -C changehat/mod_apparmor %endif # PAM AppArmor: %if %{with pam} make -C changehat/pam_apparmor %endif # Profiles: make -C profiles %if %{with tomcat} make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif %check %if %{with python3} export PYTHON=/usr/bin/python3 export PYTHON_VERSIONS=python3 %endif make check -C libraries/libapparmor make check -C parser make check -C binutils # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory) (cd profiles && make check-parser) make check -C utils %install %if %{with python3} export PYTHON=/usr/bin/python3 %endif # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec %makeinstall -C libraries/libapparmor/swig # utilities %makeinstall -C utils test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568 mkdir -p %{buildroot}%{_localstatedir}/log/apparmor # binutils %makeinstall -C binutils ( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) # deprecated/utils (perl modules still needed by YaST) %if %{with perl} %makeinstall -C deprecated/utils %endif %makeinstall -C profiles %makeinstall -C parser # default cache dir is /etc/apparmor.d/cache - not the best location. # Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache ( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache ) %if %{with apache} %makeinstall -C changehat/mod_apparmor %endif %if %{with pam} %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security %endif %if %{with tomcat} mkdir -p %{buildroot}/%{CATALINA_HOME} %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} %endif find %{buildroot} -name .packlist -exec rm -vf {} \; find %{buildroot} -name perllocal.pod -exec rm -vf {} \; # Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm]. # Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do d=$(dirname $file) f=$(basename $file) case "${f#aa-}" in audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \ audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) if [ "${f#aa-}" != "$f" ]; then ln -s $f $d/${f#aa-} fi ;; esac done mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8} mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} rm -f %{buildroot}%{_mandir}/man8/decode.8 for pkg in apparmor-utils apparmor-parser aa-binutils; do %find_lang $pkg done # remove *.la files rm -fv %{buildroot}%{_libdir}/libapparmor.la # Adjust for systemd install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix} rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor rm %{buildroot}/sbin/rcsubdomain ln -sf service %{buildroot}/sbin/rcapparmor echo ------------------------------------------------------------------- #find -ls echo ------------------------------------------------------------------- #find %{buildroot} -ls echo ------------------------------------------------------------------- %files docs %defattr(-,root,root) %doc parser/*.[1-9].html %doc utils/vim/apparmor.vim.5.html %doc common/apparmor.css %doc parser/techdoc.pdf # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file %dir %{_datadir}/apparmor %{_datadir}/apparmor/apparmor.vim %files parser %defattr(-,root,root) %doc parser/README parser/COPYING.GPL /sbin/apparmor_parser %{_bindir}/aa-enabled %{_bindir}/aa-exec %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache /sbin/rcapparmor %{_unitdir}/apparmor.service %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf %{_localstatedir}/lib/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/apparmor.systemd %doc %{_mandir}/man1/aa-enabled.1.gz %doc %{_mandir}/man1/aa-exec.1.gz %doc %{_mandir}/man1/exec.1.gz %doc %{_mandir}/man5/apparmor.d.5.gz %doc %{_mandir}/man5/apparmor.vim.5.gz %doc %{_mandir}/man5/subdomain.conf.5.gz %doc %{_mandir}/man7/apparmor.7.gz %doc %{_mandir}/man8/apparmor_parser.8.gz %pre parser if [ -f %{_sysconfdir}/init.d/subdomain ] ; then chkconfig --del subdomain fi %service_add_pre apparmor.service %files parser-lang -f apparmor-parser.lang -f aa-binutils.lang %defattr(-,root,root) %files abstractions %defattr(644,root,root,755) %dir %{_sysconfdir}/apparmor.d/ %dir %{_sysconfdir}/apparmor.d/abstractions %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/* %dir %{_sysconfdir}/apparmor.d/disable %dir %{_sysconfdir}/apparmor.d/local %dir %{_sysconfdir}/apparmor.d/tunables %config(noreplace) %{_sysconfdir}/apparmor.d/tunables/* %files profiles %defattr(644,root,root,755) %dir %{_sysconfdir}/apparmor.d/apache2.d %config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo %config(noreplace) %{_sysconfdir}/apparmor.d/bin.* %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.* %config(noreplace) %{_sysconfdir}/apparmor.d/local/* /usr/share/apparmor/extra-profiles/ %files utils %defattr(-,root,root) %dir %{_sysconfdir}/apparmor %config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf %config(noreplace) %{_sysconfdir}/apparmor/logprof.conf %config(noreplace) %{_sysconfdir}/apparmor/notify.conf %config(noreplace) %{_sysconfdir}/apparmor/severity.db %{_sbindir}/aa-* %{_sbindir}/apparmor_status %{_sbindir}/audit %{_sbindir}/autodep %{_sbindir}/complain %{_sbindir}/decode %{_sbindir}/disable %{_sbindir}/enforce %{_sbindir}/exec %{_sbindir}/genprof %{_sbindir}/logprof %{_sbindir}/notify %{_sbindir}/status %{_sbindir}/unconfined %{_bindir}/aa-easyprof %dir %{_datadir}/apparmor %{_datadir}/apparmor/easyprof/ %dir %{_localstatedir}/log/apparmor %doc %{_mandir}/man5/logprof.conf.5.gz %doc %{_mandir}/man8/apparmor_notify.8.gz %doc %{_mandir}/man8/aa-*.gz %doc %{_mandir}/man8/apparmor_status.8.gz %doc %{_mandir}/man8/audit.8.gz %doc %{_mandir}/man8/autodep.8.gz %doc %{_mandir}/man8/complain.8.gz %doc %{_mandir}/man8/disable.8.gz %doc %{_mandir}/man8/easyprof.8.gz %doc %{_mandir}/man8/enforce.8.gz %doc %{_mandir}/man8/genprof.8.gz %doc %{_mandir}/man8/logprof.8.gz %doc %{_mandir}/man8/unconfined.8.gz %doc utils/*.[0-9].html %doc common/apparmor.css %files utils-lang -f apparmor-utils.lang %if %{with perl} %files -n perl-apparmor %defattr(-,root,root) %{perl_vendorlib}/Immunix %{perl_vendorarch}/auto/LibAppArmor/ %{perl_vendorarch}/LibAppArmor.pm %endif %if %{with python} %files -n python-apparmor %defattr(-,root,root) %{python_sitearch}/LibAppArmor-%{version}-py%{python_version}.egg-info %dir %{python_sitearch}/LibAppArmor %{python_sitearch}/LibAppArmor/_LibAppArmor.so %{python_sitearch}/LibAppArmor/__init__.py %{python_sitearch}/LibAppArmor/__init__.pyc %{python_sitelib}/apparmor/ %{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info %endif %if %{with python3} %files -n python3-apparmor %defattr(-,root,root) %{python3_sitearch}/LibAppArmor-%{version}-py*.egg-info %dir %{python3_sitearch}/LibAppArmor %dir %{python3_sitearch}/LibAppArmor/__pycache__ %{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so %{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc %{python3_sitearch}/LibAppArmor/__pycache__/LibAppArmor.cpython-*.pyc %{python3_sitearch}/LibAppArmor/__init__.py %{python3_sitearch}/LibAppArmor/LibAppArmor.py %{python3_sitelib}/apparmor/ %{python3_sitelib}/apparmor-%{version}-py*.egg-info %endif %if %{with ruby} %files -n ruby-apparmor %defattr(-,root,root) %{rb_sitearchdir}/LibAppArmor.so %endif %if %{with pam} %files -n pam_apparmor %defattr(444,root,root,755) %attr(555,root,root) /%{_lib}/security/pam_apparmor.so %endif %if %{with tomcat} %files -n tomcat_apparmor %defattr(-,root,root) %{CATALINA_HOME}/lib/%{JAR_FILE} %{_libdir}/libJNI* %doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor %endif %if %{with apache} %files -n apache2-mod_apparmor %defattr(-,root,root) %{apache_module_path}/mod_apparmor.so %doc %{_mandir}/man8/mod_apparmor.8.gz %endif %post parser %service_add_post apparmor.service %preun parser %service_del_preun apparmor.service %postun parser # don't call try-restart, see bnc#853019 export DISABLE_RESTART_ON_UPDATE="yes" %service_del_postun apparmor.service %post abstractions #restart_on_update boot.apparmor - but non-broken (bnc#853019) systemctl is-active -q apparmor && /lib/apparmor/apparmor.systemd reload ||: %post profiles # workaround for bnc#904620#c8 / lp#1392042 rm -f /var/lib/apparmor/cache/* 2>/dev/null #restart_on_update boot.apparmor - but non-broken (bnc#853019) systemctl is-active -q apparmor && /lib/apparmor/apparmor.systemd reload ||: %if %{with tomcat} %post -n tomcat_apparmor -p /sbin/ldconfig %postun -n tomcat_apparmor -p /sbin/ldconfig %endif %if %{with pam} %post -n pam_apparmor pam-config -a --apparmor pam-config --update %postun -n pam_apparmor pam-config -d --apparmor pam-config --update %endif %changelog