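#
# spec file for package apparmor
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

# Build conditionals: tomcat, pam and apache sub-packages are built by
# default; the python, ruby, gnome, dbus and editor parts are opt-in.
%bcond_without tomcat
%bcond_without pam
%bcond_without apache
%bcond_with python
%bcond_with ruby
%bcond_with gnome
%bcond_with dbus
%bcond_with editor

%define CATALINA_HOME /usr/share/tomcat6
%define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
%define JNI_SO libJNIChangeHat.so
%define JAR_FILE changeHatValve.jar
# Resolved by asking apxs2 for its module directory whenever the macro is
# expanded (it is used in the apache2-mod_apparmor file list).
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
%define srcversion 2.5.1
%define bzr_commit r1445

Name:           apparmor
# Pick the distro flavour from the build environment unless the caller
# already defined it; fall back to suse when nothing matched.
%if ! %{?distro:1}0
%if %{?suse_version:1}0
%define distro suse
%endif
%if %{?fedora_version:1}0
%define distro redhat
%endif
%endif
%if ! %{?distro:1}0
%define distro suse
%endif
Summary:        AppArmor userlevel parser utility
Version:        %{srcversion}.%{bzr_commit}
Release:        46
Group:          Productivity/Networking/Security
# NOTE(review): the source tarball is referenced by bare file name and this
# spec carries no signature or checksum for it, so tarball integrity relies
# entirely on how the build service stores and verifies its sources.
Source0:        apparmor-%{srcversion}.tar.bz2
Source1:        %{name}-profile-editor.png
Source2:        %{name}-profile-editor.desktop
Source3:        update-trans.sh
Patch:          apparmor-2.5-%{bzr_commit}
Patch1:         pam-apparmor-include
Patch2:         mod_apparmor-includes
Patch3:         tomcat-build-fixes
Patch4:         apparmor-swig-build-fix
Patch5:         apparmor-scripts
Patch6:         apparmor-translation-fixes
Patch7:         apparmor-perl
Patch8:         apparmor-no-caching-test
Patch9:         apparmorapplet-gnome-build-fix
Patch10:        apparmor-utils-SubDomain
Patch11:        apparmor-utils-cleanup-on-abort
Patch12:        apparmor-utils-translation-unification
Patch13:        apparmor-utils-add-log-types
Patch14:        apparmor-utils-filenames-in-slash
Patch15:        apparmor-utils-null-path-fix
Patch16:        apparmor-utils-string-split
Patch17:        apparmor-profiles-cupsd-fix
Patch18:        apparmor-profiles-sshd-fix
Patch19:        apparmor-profiles-syslog-ng-fix
Patch20:        apparmor-docs-techdoc-grammar-fixes
Patch21:        apparmor-parser-string-fixes
Patch22:        apparmor-startproc.patch
Patch23:        apparmor-2.5.1-unified-build
Patch24:        apparmor-2.5.1-rpmlint-asprintf
Patch25:        apparmor-2.5.1-ntpd-proc-fixes
Patch26:        apparmor-2.5.1-edirectory-profile
Patch27:        apparmor-2.5.1-firefox-proc-fix
Patch28:        apparmor-2.5.1-unconfined-fixes
Patch29:        apparmor-utils-inherit-flags-during-profile-generation
Patch30:        apparmor-2.5.1-ldapclient-profile
#Patch31:
#Patch32:
Patch33:        apparmor-2.5.1-ntpd-sys_nice
Patch34:        apparmor-2.5.1-ssl-fix
Patch35:        apparmor-2.5.1-dnsmasq-libvirt-profile-fix
Patch36:        klog-needs-CAP_SYSLOG
Patch37:        apparmor-2.5.1-network-fixes
License:        GPLv2+
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Url:            https://launchpad.net/apparmor
PreReq:         sed
%if %{distro} == "suse"
PreReq:         %{insserv_prereq} aaa_base
%endif
BuildRequires:  gcc-c++
BuildRequires:  pkg-config
BuildRequires:  pcre-devel
%define apparmor_bin_prefix /lib/apparmor
BuildRequires:  bison flex latex2html w3m
BuildRequires:  texlive-latex
BuildRequires:  swig
%if %{with python}
BuildRequires:  python-devel swig
%endif
%if %{with ruby}
BuildRequires:  ruby-devel swig
%endif
%if %{with pam}
BuildRequires:  pam-devel
Requires:       pam pam-config
PreReq:         pam pam-config
%endif
%if %{with apache}
BuildRequires:  apache2-devel
%endif
%if %{with tomcat}
BuildRequires:  ant java-devel >= 1.6.0 tomcat6
%endif
%if %{with editor}
BuildRequires:  gcc-c++ update-desktop-files wxGTK-devel
%endif
%if %{with gnome}
BuildRequires:  gnome-common
BuildRequires:  pkgconfig(dbus-1)
BuildRequires:  pkgconfig(gtk+-2.0)
BuildRequires:  pkgconfig(libgnome-2.0)
BuildRequires:  pkgconfig(libpanelapplet-2.0)
%endif
%if %{with dbus}
BuildRequires:  audit-devel dbus-1-devel libapparmor-devel pkg-config
%endif

%package parser
# Takes over the names of the former SubDomain parser packages.
License:        GPLv2+
Summary:        AppArmor userlevel parser utility
Group:          Productivity/Networking/Security
Obsoletes:      subdomain_parser < %{version}
Obsoletes:      subdomain-parser < %{version}
Obsoletes:      subdomain-parser-demo < %{version}
Obsoletes:      subdomain-parser-common < %{version}
Obsoletes:      subdomain-leaf-cert < %{version}
Obsoletes:      libimnxcert < %{version}
Provides:       subdomain_parser = %{version}
Provides:       subdomain-parser = %{version}
Provides:       subdomain-parser-demo = %{version}
Provides:       subdomain-parser-common = %{version}
Provides:       subdomain-leaf-cert = %{version}
Provides:       libimnxcert = %{version}
# Capability marker that the profiles sub-package requires.
Provides:       apparmor-parser(CAP_SYSLOG)

%description parser
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.

This package is part of a suite of tools that used to be named
SubDomain.

%package docs
License:        GPLv2+
Summary:        AppArmor Documentation package
Group:          Documentation/Other

%description docs
This package contains documentation for AppArmor.

This package is part of a suite of tools that used to be named
SubDomain.

Authors:
--------
    lcambell@novell.com
    Seth Arnold

%if %{with apache}
%package -n apache2-mod_apparmor
License:        GPLv2+
Summary:        AppArmor module for apache2
Group:          Productivity/Security

%description -n apache2-mod_apparmor
apache2-modapparmor adds support to apache2 to provide AppArmor
confinement to individual cgi scripts handled by apache modules like
mod_php and mod_perl.

This package is part of a suite of tools that used to be named
SubDomain.

The documentation is in the apparmor-admin_en package.

Authors:
--------
    sbeattie@suse.de

%endif

%package -n libapparmor1
Summary:        Utility library for AppArmor
Group:          Development/Libraries/C and C++
License:        LGPLv2.1+
%ifarch ppc64
Obsoletes:      libapparmor-64bit < %{version}
# The version has to use rpm macro syntax; shell-style dollar-brace text is
# not expanded inside a tag and would end up as a literal, unmatchable string.
Provides:       libapparmor-64bit = %{version}
%endif
Provides:       libapparmor = %{version}
Provides:       libimmunix = %{version}
Obsoletes:      libapparmor < %{version}
Obsoletes:      libimmunix < %{version}

%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.

Authors:
--------
    Steve Beattie
    Matt Barringer

%package -n libapparmor-devel
License:        LGPLv2.1+
Requires:       libapparmor1 = %{version}-%{release}
Group:          Development/Libraries/C and C++
Provides:       libapparmor:/usr/include/sys/apparmor.h
Summary:        Development headers and libraries for libapparmor

%description -n libapparmor-devel
These libraries are needed for developing software that makes use of
the AppArmor API.

Authors:
--------
    Steve Beattie
    Matt Barringer

%package -n perl-apparmor
License:        GPLv2 ; LGPLv2.1+
Requires:       libapparmor1 = %{version}
Requires:       perl = %{perl_version}
Group:          Development/Libraries/Perl
Summary:        Perl interface for libapparmor functions
Provides:       perl-libapparmor
Obsoletes:      perl-libapparmor < 2.5

%description -n perl-apparmor
This package provides the perl interface to AppArmor.
It is used for perl applications interfacing with AppArmor, including
the AppArmor utiltities.

Authors:
--------
    Steve Beattie
    Matt Barringer

%if %{with python}
%package -n python-apparmor
License:        GPLv2 ; LGPLv2.1+
Requires:       libapparmor1 = %{version}
BuildRequires:  python
Requires:       python = %{python_version}
Group:          Development/Libraries/Python
Summary:        Python interface for libapparmor functions
Provides:       python-libapparmor
Obsoletes:      python-libapparmor < 2.5

%description -n python-apparmor
This package provides the python interface to AppArmor. It is used for
python applications interfacing with AppArmor.

Authors:
--------
    Steve Beattie
    Matt Barringer

%endif

%if %{with ruby}
%package -n ruby-apparmor
License:        GPLv2 ; LGPLv2.1+
Requires:       libapparmor1 = %{version}
Requires:       ruby = %{ruby_version}
Group:          Development/Libraries/Ruby
Summary:        Ruby interface for libapparmor functions
Provides:       ruby-libapparmor
Obsoletes:      ruby-libapparmor < 2.5

%description -n ruby-apparmor
This package provides the ruby interface to AppArmor. It is used for
ruby applications interfacing with AppArmor.

Authors:
--------
    Steve Beattie
    Matt Barringer

%endif

%package profiles
License:        GPLv2 ; LGPLv2.1+
Summary:        AppArmor profiles that are loaded into the apparmor kernel module
Group:          Productivity/Security
Obsoletes:      subdomain-profiles < %{version}
Provides:       subdomain-profiles = %{version}
Requires:       apparmor-parser(CAP_SYSLOG)

%description profiles
Base profiles. AppArmor is a file and network mandatory access control
mechanism. AppArmor confines processes to the resources allowed by the
systems administrator and can constrain the scope of potential security
vulnerabilities.

This package is part of a suite of tools that used to be named
SubDomain.

Authors:
--------
    seth.arnold@suse.de
    sbeattie@suse.de
    jjohansen@suse.de

%package utils
License:        GPLv2 ; LGPLv2.1+
Summary:        AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
Group:          Productivity/Security
Requires:       perl = %{perl_version}
Requires:       libapparmor1 = %{version}
Requires:       perl-apparmor = %{version}
BuildArch:      noarch

%description utils
This package provides the aa-logprof, aa-genprof, aa-autodep,
aa-enforce, and aa-complain tools to assist with profile authoring.
Besides it provides the aa-unconfined server information tool and the
aa-eventd event reporting system. It is part of a suite of tools that
used to be named SubDomain.

Authors:
--------
    jmichael@suse.de
    seth.arnold@suse.de

%if %{with tomcat}
%package -n tomcat_apparmor
License:        GPLv2 ; LGPLv2.1+
Summary:        Tomcat 6 plugin for AppArmor change_hat
Group:          System/Libraries
Requires:       libapparmor1 = %{version} tomcat6

%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that provides
support for AppArmor change_hat for creating AppArmor containers that
are bound to discrete elements of processing within the Tomcat servlet
container. The AppArmor containers, or "hats", can be created for
individual URL processing or per servlet.

Authors:
--------
    dreynolds@suse.de

%endif

%if %{with pam}
%package -n pam_apparmor
License:        GPLv2 ; LGPLv2.1+
Summary:        PAM module to for AppArmor change_hat
Group:          Productivity/Security

%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.

Authors:
--------
    jmichael@suse.de
    sbeattie@suse.de

%endif

%if %{with dbus}
%package dbus
License:        GPLv2 ; LGPLv2.1+
Summary:        Audit dispatcher for sending AppArmor events over DBUS
Group:          System/Monitoring

%description dbus
An audit dispatcher for sending AppArmor events over the DBUS system
bus.

Authors:
--------
    Matt Barringer

%endif

%if %{with editor}
%package profile-editor
License:        GPLv2 ; LGPLv2.1+
Summary:        AppArmor profile editor
Group:          Productivity/Editors/Other

%description profile-editor
A syntax highlighting editor for AppArmor profiles.

Authors:
--------
    Matt Barringer

%endif

%if %{with gnome}
%package -n apparmorapplet-gnome
License:        GPLv2 ; LGPLv2.1+
Summary:        An AppArmor event notification applet for GNOME
Group:          System/GUI/GNOME

%description -n apparmorapplet-gnome
This taskbar applet recieves AppArmor events over DBUS, and notifies
the user when AppArmor prevents an application from functioning.

Authors:
--------
    Matt Barringer

%endif

%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.

This package is part of a suite of tools that used to be named
SubDomain.

%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
%if %{with gnome}
%lang_package -n apparmorapplet-gnome
%endif

%prep
# Unpack the upstream tarball and apply the patch series in numeric order
# (numbers 31 and 32 are unused).
%setup -q -n %{name}-%{srcversion}
%patch -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1

%build
export SUSE_ASNEEDED=0
autoreconf -fiv
# Point the library directory at the lib directory directly under the root
# filesystem. NOTE(review): macro definitions made here stay in effect for
# the rest of the spec, so the file lists further down see this value too.
%define _libdir /%{_lib}
# Every optional component gets an explicit with/without switch so that the
# configure result never depends on what happens to be installed in the
# build root. The blank line after the last option ends the continuation.
%configure --disable-static --with-pic \
	--with-perl \
%if %{with python}
	--with-python \
%else
	--without-python \
%endif
%if %{with ruby}
	--with-ruby \
%else
	--without-ruby \
%endif
%if %{with tomcat}
	--with-tomcat \
%else
	--without-tomcat \
%endif
%if %{with pam}
	--with-pam \
%else
	--without-pam \
%endif
%if %{with apache}
	--with-apache \
%else
	--without-apache \
%endif
%if %{with gnome}
	--with-gnome \
%else
	--without-gnome \
%endif
%if %{with dbus}
	--with-dbus \
%else
	--without-dbus \
%endif
%if %{with editor}
	--with-profileeditor \
%else
	--without-profileeditor \
%endif

%{__make} %{?jobs:-j%jobs}
%if %{with ruby}
#rm libraries/libapparmor/swig/ruby/Makefile.ruby
#make -C libraries/libapparmor/swig/ruby
%endif

%install
%{make_install}
# Drop perl install bookkeeping files that must not be packaged.
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
# create symlink for old change_hat(2) manpage
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
# -p keeps the build from failing if the install step already created it
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d
install parser/rc.apparmor.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/boot.apparmor
install parser/rc.aaeventd.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/aaeventd
ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
# Give every tool that lacks the aa- prefix an aa-prefixed alias.
# Expansions are quoted so a build root containing spaces cannot split them.
for script in ${RPM_BUILD_ROOT}/usr/sbin/*; do
    d=$(dirname "$script")
    f=$(basename "$script")
    if [ "${f#aa-}" = "$f" ]; then
        ln -s "/usr/sbin/$f" "$d/aa-$f"
    fi
done
# Same aliasing for the section 1 and section 8 manual pages.
for man in ${RPM_BUILD_ROOT}/usr/share/man/man[18]/*; do
    d=$(dirname "$man")
    f=$(basename "$man")
    if [ "${f#aa-}" = "$f" ]; then
        ln -s "$f" "$d/aa-$f"
    fi
done
%if %{with editor}
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
%endif
%if %{with gnome}
%find_lang apparmorapplet-gnome
%endif
for pkg in apparmor-utils apparmor-parser; do
    %find_lang $pkg
done
# Clean up profiles that are provided by other packages now
rm $RPM_BUILD_ROOT%{_sysconfdir}/apparmor.d/usr.sbin.nscd

%clean
rm -rf $RPM_BUILD_ROOT

%files docs
%defattr(-,root,root)
%doc parser/*.[1-9].html
%doc common/apparmor.css
%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt

%files parser
%defattr(-,root,root)
%doc parser/README parser/COPYING.GPL
/sbin/apparmor_parser
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%if %{distro} == "suse"
/sbin/rcsubdomain
/sbin/rcapparmor
%{_sysconfdir}/init.d/boot.apparmor
/sbin/rcaaeventd
%{_sysconfdir}/init.d/aaeventd
%else
%{_sysconfdir}/init.d/apparmor
%{_sysconfdir}/init.d/aaeventd
%endif
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
/var/lib/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz

%if %{distro} == "redhat" || %{distro} == "rhel4"
%pre parser
# Deregister the old subdomain init script before the renamed one arrives.
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
    chkconfig --del subdomain
fi
%endif

%files parser-lang -f apparmor-parser.lang

%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.la
%{_libdir}/libimmunix.la
%{_libdir}/libapparmor.so*
%{_libdir}/libimmunix.so*

%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.so
%{_libdir}/libimmunix.so
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/*

# hrm, still need to enumerate each directory in these paths in files :(
%define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
%define profiles_dir %{_sysconfdir}/apparmor.d/

%files profiles
%defattr(-,root,root)
# Profiles are root-owned and not writable by others; noreplace keeps
# locally edited policy in place across package updates.
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
%attr(644, root, root) %{extras_dir}/*
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
%dir %{_sysconfdir}/apparmor/profiles/extras

%files utils
%defattr(-,root,root)
%dir %{_sysconfdir}/apparmor
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%{_prefix}/sbin/*
%dir /var/log/apparmor
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-*.gz
%doc %{_mandir}/man8/apparmor_status.8.gz
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
%doc utils/*.[0-9].html
%doc common/apparmor.css

%files utils-lang -f apparmor-utils.lang

%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorlib}/Immunix
%dir %{perl_vendorarch}/auto/LibAppArmor
%{perl_vendorarch}/auto/LibAppArmor/*
%{perl_vendorarch}/LibAppArmor.pm

%if %{with python}
%files -n python-apparmor
%defattr(-,root,root)
%{python_sitearch}/LibAppArmor-2.5.1-py2.7.egg-info
%{python_sitearch}/libapparmor1/*
%endif

%if %{with ruby}
%files -n ruby-apparmor
%defattr(-,root,root)
%{_prefix}/%{rb_sitearch}/*
%endif

%if %{with pam}
%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
%attr(555,root,root) %{_libdir}/security/pam_apparmor.la
%endif

%if %{with tomcat}
%files -n tomcat_apparmor
%defattr(-,root,root)
%{CATALINA_HOME}/lib/%{JAR_FILE}
%{_libdir}/libJNI*
%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
%endif

%if %{with apache}
%files -n apache2-mod_apparmor
%defattr(-,root,root)
%{apache_module_path}/mod_apparmor.so
%{apache_module_path}/mod_apparmor.la
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif

%if %{with dbus}
%files dbus
%defattr(0750, root, root)
%{_bindir}/apparmor-dbus
%endif

%if %{with editor}
%files profile-editor
%defattr(-, root, root)
%{_datadir}/applications/%{name}-profile-editor.desktop
%{_datadir}/pixmaps/%{name}-profile-editor.png
%{_bindir}/profileeditor
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
%if 0
%{_prefix}/share/doc/profileeditor/AppArmorProfileEditor.htb
%endif
%dir %{_prefix}/share/doc/profileeditor
%endif

%if %{with gnome}
%files -n apparmorapplet-gnome
%defattr(-, root, root)
%{_libdir}/bonobo/servers/*.server
%{_prefix}/lib/apparmorapplet
%{_datadir}/pixmaps/*

%files -n apparmorapplet-gnome-lang -f apparmorapplet-gnome.lang
%endif

%post parser
%if %{distro} == "suse"
# SUSE uses insserv
# For package renaming from subdomain -> apparmor
# we check the existence of the AppArmor 1.1 and
# AppArmor 1.2 based init script to help determine
# whether we are upgrading
SUBDOMAIN_PARSER_INSTALLED="no"
if test -e %{_sysconfdir}/init.d/boot.subdomain -o -e %{_sysconfdir}/init.d/subdomain; then
    SUBDOMAIN_PARSER_INSTALLED="yes"
fi
# Single equals sign and a quoted variable keep the test valid under any
# POSIX shell, not only bash.
if test "$1" = 1 -a "$SUBDOMAIN_PARSER_INSTALLED" = "no"; then
    %{insserv_force_if_yast boot.apparmor}
elif test -e %{_sysconfdir}/rc.d/boot.d/S??boot.subdomain -o \
          -e %{_sysconfdir}/rc.d/boot.d/S??boot.apparmor -o \
          -e %{_sysconfdir}/rc.d/rc3.d/S??subdomain ; then
    %{insserv_force_if_yast boot.apparmor}
else
    %{fillup_and_insserv -f boot.apparmor}
fi
%endif
%if %{distro} == "redhat" || %{distro} == "rhel4"
chkconfig --add apparmor
%endif
%if %{distro} == "slackware"
if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.M ; then
    true ;
else
    %{apparmor_bin_prefix}/install/frob_slack_rc --init
fi
if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.K ; then
    true ;
else
    %{apparmor_bin_prefix}/install/frob_slack_rc --shutdown
fi
%endif

%preun parser
# Only act on final removal (argument 0), not on upgrade.
if [ "$1" = 0 ] ; then
%if %{distro} == "suse"
%{stop_on_removal aaeventd}
%{stop_on_removal boot.apparmor}
%endif
%if %{distro} == "redhat" || %{distro} == "rhel4"
chkconfig --del aaeventd
chkconfig --del apparmor
%endif
fi

%postun parser
%if %{distro} == "suse"
%restart_on_update aaeventd boot.apparmor
%{insserv_cleanup} || true
%endif

%post -n libapparmor1 -p /sbin/ldconfig

%postun -n libapparmor1 -p /sbin/ldconfig

%if %{with tomcat}
%post -n tomcat_apparmor -p /sbin/ldconfig

%postun -n tomcat_apparmor -p /sbin/ldconfig
%endif

%if %{with pam}
%post -n pam_apparmor
# Register pam_apparmor in the PAM stack.
pam-config -a --apparmor
pam-config --update

%postun -n pam_apparmor
# Unregister only on final removal (argument 0). On upgrade this scriptlet
# of the old package runs after the post scriptlet of the new one, so an
# unconditional delete would leave the module out of the PAM stack and
# sessions would silently lose their change_hat confinement.
if [ "$1" = 0 ] ; then
    pam-config -d --apparmor
    pam-config --update
fi
%endif

%changelog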