- add crypto-policies-mr720.diff to allow reading crypto policies in abstractions/ssl_certs (boo#1183597)
- replace %{?systemd_requires} with %{?systemd_ordering} to avoid dragging in systemd into containers just because apparmor-parser ships a *.service file

OBS-URL: https://build.opensuse.org/request/show/888862
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=296
[current version of https://gitlab.com/apparmor/apparmor/-/merge_requests/720 - might still be changed or extended, but this patch solves the most urgent denials]
From 0aea44f43a1d6cd6b7ebd32bbff803455b3aad44 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 8 Mar 2021 01:20:24 +0100
Subject: [PATCH] abstractions/ssl_certs: allow reading crypto policies
See https://gitlab.com/redhat-crypto/fedora-crypto-policies for details.
Reported by darix and also my own audit.log - the actual denial was for
/usr/share/crypto-policies/DEFAULT/openssl.txt.
(I'm aware that the crypto policies are not really certificates, but
since they are used by several crypto libraries, ssl_certs is probably
the best place for them even if the filename doesn't match.)
---
profiles/apparmor.d/abstractions/ssl_certs | 3 +++
1 file changed, 3 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
index 57d0f41a2..0392c0ccc 100644
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -41,5 +41,8 @@
/etc/certbot/archive/*/chain*.pem r,
/etc/certbot/archive/*/fullchain*.pem r,
+ # crypto policies used by various libraries
+ /usr/share/crypto-policies/*/*.txt r,
+
# Include additions to the abstraction
include if exists <abstractions/ssl_certs.d>
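
Review bot: the in-file comment above the new rule `/usr/share/crypto-policies/*/*.txt r,` does not record why non-certificate files are granted in ssl_certs; that reasoning and the reference URL exist only in the commit message, so a later reader of the abstraction will not see them. Consider extending the comment to say the policies are not certificates but are read by the same crypto libraries, and to point at the crypto-policies project. Also note the scope of the glob: `*` does not cross a `/`, so the rule matches only `.txt` files directly inside one policy directory (the reported `DEFAULT/openssl.txt` fits), and it is read-only, which keeps the grant narrow for every profile that includes this abstraction. Any denial for a crypto-policies file at another depth, with another extension or outside `/usr/share/crypto-policies/` would need its own rule, which matches the commit note that the change may still be extended.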
--
GitLab