From bdec4987333d615808f681a8391006afd2a98a318f7ed45c9c06c3152e072bb7 Mon Sep 17 00:00:00 2001
From: Marcus Rueckert <mrueckert@suse.com>
Date: Sat, 24 Oct 2020 01:23:11 +0000
Subject: [PATCH] - apparmor profile fixes:   - include abstractions that give
 access to the openssl config,     ssl certs and ssl keys   - include local
 configs only with "if exists" so they do not have     to exist. - move local
 files to %ghost

OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=226
---
 haproxy.changes           | 10 ++++++++++
 haproxy.spec              |  6 ++++--
 usr.sbin.haproxy.apparmor |  6 +++++-
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/haproxy.changes b/haproxy.changes
index 53af55c..8f7c102 100644
--- a/haproxy.changes
+++ b/haproxy.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sat Oct 24 01:18:29 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- apparmor profile fixes:
+  - include abstractions that give access to the openssl config,
+    ssl certs and ssl keys
+  - include local configs only with "if exists" so they do not have
+    to exist.
+- move local files to %ghost
+
 -------------------------------------------------------------------
 Fri Oct  2 14:38:51 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
 
diff --git a/haproxy.spec b/haproxy.spec
index 6de548d..a77d78d 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -203,6 +203,7 @@ install -D -m 0644 contrib/syntax-highlight/haproxy.vim     %{buildroot}%{vim_da
 install -D -m 0644 doc/%{pkg_name}.1        %{buildroot}%{_mandir}/man1/%{pkg_name}.1
 %if %{with apparmor}
 install -D -m 0644 %{S:2}                   %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
+install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/haproxy
 install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
 %endif
 
@@ -281,8 +282,9 @@ getent passwd %{pkg_name} >/dev/null || \
 %if 0%{?suse_version} == 1110
 %dir /etc/apparmor.d/local/
 %endif
-%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy
-%config(noreplace) /etc/apparmor.d/local/usr.sbin.haproxy
+%config(noreplace)        /etc/apparmor.d/usr.sbin.haproxy
+%config(noreplace) %ghost /etc/apparmor.d/local/haproxy
+%config(noreplace) %ghost /etc/apparmor.d/local/usr.sbin.haproxy
 %endif
 
 %changelog
diff --git a/usr.sbin.haproxy.apparmor b/usr.sbin.haproxy.apparmor
index 23e5971..cbfc98a 100644
--- a/usr.sbin.haproxy.apparmor
+++ b/usr.sbin.haproxy.apparmor
@@ -2,6 +2,9 @@
 
 profile haproxy /usr/sbin/haproxy {
   #include <abstractions/base>
+  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
   #include <abstractions/nameservice>
   capability net_bind_service,
   capability setgid,
@@ -29,5 +32,6 @@ profile haproxy /usr/sbin/haproxy {
   /{,var/}run/haproxy-master.sock* rwlk,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.sbin.haproxy>
+  #include if exists <local/haproxy>
+  #include if exists <local/usr.sbin.haproxy>
 }