Accepting request 795858 from home:lrupp:branches:network:telephony

allow /etc/pki/coturn/** in apparmor to allow loading of certificates from the standard location. - added apparmor profile (coturn-apparmor-usr.bin.turnserver) - fix executable permissions in devel package by using defattr OBS-URL: https://build.opensuse.org/request/show/795858 OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=5
2020-04-20 15:32:53 +00:00 · 2020-04-20 15:32:53 +00:00 · c4ca41a9dd
commit c4ca41a9dd
parent 250745ef83
3 changed files with 63 additions and 1 deletions
--- a/coturn-apparmor-usr.bin.turnserver
+++ b/coturn-apparmor-usr.bin.turnserver
@ -0,0 +1,19 @@
+#include <tunables/global>
+
+/usr/bin/turnserver {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  /etc/coturn/*.conf r,
+  /etc/pki/coturn/** r,
+  /usr/bin/turnserver mr,
+  owner /run/coturn/* w,
+  owner /var/lib/coturn/* rwk,
+  owner /var/log/coturn/*.log rw,
+  owner /var/log/turn*.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.turnserver>
+}
+
--- a/coturn.changes
+++ b/coturn.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Apr 14 18:38:59 UTC 2020 - lars@linux-schulserver.de
+
+- added apparmor profile (coturn-apparmor-usr.bin.turnserver)
+- fix executable permissions in devel package by using defattr
+
 -------------------------------------------------------------------
 Sun Apr 12 05:47:04 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>

--- a/coturn.spec
+++ b/coturn.spec
@ -17,6 +17,12 @@


 %global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
+%bcond_without  apparmor
+%if 0%{?suse_version} > 1320
+%bcond_without  apparmor_reload
+%else
+%bcond_with     apparmor_reload
+%endif
 Name:           coturn
 Version:        4.5.1.1
 Release:        0
@ -32,6 +38,7 @@ Source4:        %{name}-user.conf
 Source5:        %{name}.sysconfig
 Source6:        %{name}.firewalld
 Source7:        README.SUSE
+Source8:        %{name}-apparmor-usr.bin.turnserver
 # PATCH-FIX-UPSTREAM coturn-4.5.1.0-append-log.patch Append only to log files rather to override them
 Patch0:         coturn-4.5.1.0-append-log.patch
 # PATCH-FIX-UPSTREAM  coturn-4.5.1.1-cve-2020-6061.patch CVE-2020-6061
@ -52,6 +59,18 @@ BuildRequires:  pkgconfig(libpq)
 BuildRequires:  pkgconfig(libssl) >= 1.0.2
 BuildRequires:  pkgconfig(sqlite3)
 BuildRequires:  pkgconfig(systemd)
+%if %{with apparmor}
+%if 0%{?suse_version} <= 1315
+BuildRequires:  apparmor-profiles
+Recommends:     apparmor-profiles
+%else
+BuildRequires:  apparmor-abstractions
+Recommends:     apparmor-abstractions
+%endif
+%if %{with apparmor_reload}
+BuildRequires:  apparmor-rpm-macros
+%endif
+%endif
 Requires(pre):  %fillup_prereq
 Requires(pre):  shadow
 Recommends:     logrotate
@ -102,7 +121,7 @@ This package contains the TURN development headers.

 %install
 %make_install
-mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir}}
+mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
 install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
@ -110,6 +129,13 @@ install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/
 install -Dpm 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 install -Dpm 0644 %{SOURCE6} %{buildroot}%{_libexecdir}/firewalld/services/%{name}.xml
 install -Dpm 0644 %{SOURCE7} %{buildroot}%{_docdir}/%{name}/
+%if %{with apparmor}
+install -Dpm 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.turnserver
+cat > %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.bin.turnserver << EOF
+# Site-specific additions and overrides for usr.bin.turnserver
+# See /etc/apparmor.d/local/README for details.
+EOF
+%endif

 sed -i \
    -e "s|^syslog$|#syslog|g" \
@ -148,6 +174,9 @@ done
 systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %{fillup_only -n %{name}}
 %firewalld_reload
+%if %{with apparmor} && %{with apparmor_reload}
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.turnserver
+%endif

 %preun
 %service_del_preun %{name}.service
@ -203,6 +232,13 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %dir %attr(0750,%{name},%{name}) %{_localstatedir}/log/%{name}
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}

+%if %{with apparmor}
+%dir %{_sysconfdir}/apparmor.d
+%dir %{_sysconfdir}/apparmor.d/local
+%config %{_sysconfdir}/apparmor.d/usr.bin.turnserver
+%config(noreplace) %{_sysconfdir}/apparmor.d/local/usr.bin.turnserver
+%endif
+
 %files utils
 %license LICENSE
 %{_bindir}/turnutils_peer
@ -215,6 +251,7 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %{_mandir}/man1/turnutils_*.1%{?ext_man}

 %files devel
+%defattr(0644,root,root)
 %license LICENSE
 %{_includedir}/turn
 %{_libdir}/libturnclient.a