From e2db76a976abf7eb6320147a5adf9c718bbb11db76ccb412fbfe85957430d5f1 Mon Sep 17 00:00:00 2001
From: Bernhard Wiedemann <bwiedemann@suse.com>
Date: Mon, 14 Sep 2020 14:04:43 +0000
Subject: [PATCH 1/6] Add SLE-12-SP5 buildfix

OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=43
---
 rspamd.spec | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/rspamd.spec b/rspamd.spec
index af47630..c53fa7f 100644
--- a/rspamd.spec
+++ b/rspamd.spec
@@ -55,6 +55,10 @@
 
 %global _wwwdir /srv/www/webapps
 
+%if 0%{?suse_version} && 0%{?suse_version} < 1500
+%global force_gcc_version 9
+%endif
+
 Name:           rspamd
 Version:        2.5
 Release:        0
@@ -72,7 +76,7 @@ BuildRequires:  cmake
 BuildRequires:  curl-devel
 BuildRequires:  db-devel
 BuildRequires:  file-devel
-BuildRequires:  gcc-c++
+BuildRequires:  gcc%{?force_gcc_version}-c++
 BuildRequires:  gd-devel
 %if %{with hyperscan}
 BuildRequires:  hyperscan-devel
@@ -163,6 +167,10 @@ This package holds the client tools (rspamc and rspamadm)
 %patch3 -p1
 
 %build
+%if 0%{?force_gcc_version}
+export CC="gcc-%{?force_gcc_version}"
+export CXX="g++-%{?force_gcc_version}"
+%endif
 %cmake                                      \
 %if 0%{suse_version} == 1315
   -DCMAKE_USER_MAKE_RULES_OVERRIDE=""       \

From bd9a6e295bdaacd0efab696d186f6ad34961cddfcde32b5ed52bd168639fd713 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer <wolfgang@rosenauer.org>
Date: Thu, 1 Oct 2020 10:03:58 +0000
Subject: [PATCH 2/6] Accepting request 838944 from
 home:bmwiedemann:branches:server:mail

ToDo: check if the moonjit patch was really not needed

ToDo: test

- update to 2.6
  * https://rspamd.com/announce/2020/09/30/rspamd-2.6.html
  * Rework neural network plugin
  * Rework bitcoin detection library
  * Fix IDNA bugs
  * Send more fuzzy module telemetry data to rspamd servers
  * Drop upstream rspamd-gcc10-buildfix.patch
  * Drop rspamd-moonjit.patch

OBS-URL: https://build.opensuse.org/request/show/838944
OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=45
---
 rspamd-2.5.tar.gz           |  3 ---
 rspamd-2.6.tar.gz           |  3 +++
 rspamd-gcc10-buildfix.patch | 23 ---------------------
 rspamd-moonjit.patch        | 40 -------------------------------------
 rspamd.changes              | 12 +++++++++++
 rspamd.spec                 | 33 ++++++++----------------------
 6 files changed, 23 insertions(+), 91 deletions(-)
 delete mode 100644 rspamd-2.5.tar.gz
 create mode 100644 rspamd-2.6.tar.gz
 delete mode 100644 rspamd-gcc10-buildfix.patch
 delete mode 100644 rspamd-moonjit.patch

diff --git a/rspamd-2.5.tar.gz b/rspamd-2.5.tar.gz
deleted file mode 100644
index c8d4dd7..0000000
--- a/rspamd-2.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ef66073079cf02bda8f31e861ff3a34467a957d6c3958c118e142915ef960038
-size 4490310
diff --git a/rspamd-2.6.tar.gz b/rspamd-2.6.tar.gz
new file mode 100644
index 0000000..f15e278
--- /dev/null
+++ b/rspamd-2.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:002aee47dc4d6f8c6c0572b58ccb0cbcbb9bb7689442c33a5a5cf893e72506db
+size 5079444
diff --git a/rspamd-gcc10-buildfix.patch b/rspamd-gcc10-buildfix.patch
deleted file mode 100644
index e83d793..0000000
--- a/rspamd-gcc10-buildfix.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-commit 06c6c939ae59516a720f0cfc5a29e214b6569476
-Author: Heiko Becker <heirecka@exherbo.org>
-Date:   Sat Apr 4 00:15:28 2020 +0200
-
-    [Minor] Cherry-pick a fix for replxx to build with gcc10
-    
-    723d9c84869511dfb5e63f5c3d3372ac38114713 in replxx's git.
-    
-    Building rspamd with gcc10 errors out with "'runtime_error' is not a
-    member of 'std'" otherwise.
-
-diff --git a/contrib/replxx/src/io.cxx b/contrib/replxx/src/io.cxx
-index a09886701..8df176d1c 100644
---- a/contrib/replxx/src/io.cxx
-+++ b/contrib/replxx/src/io.cxx
-@@ -3,6 +3,7 @@
- #include <cstdlib>
- #include <cstring>
- #include <array>
-+#include <stdexcept>
- 
- #ifdef _WIN32
- 
diff --git a/rspamd-moonjit.patch b/rspamd-moonjit.patch
deleted file mode 100644
index f68cae6..0000000
--- a/rspamd-moonjit.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Index: b/cmake/FindLua.cmake
-===================================================================
---- a/cmake/FindLua.cmake
-+++ b/cmake/FindLua.cmake
-@@ -16,6 +16,7 @@ MACRO(FindLua)
-                 "${RSPAMD_SEARCH_PATH}" "${LUA_ROOT}"
-                 $ENV{LUA_DIR}
-                 PATH_SUFFIXES "include/luajit-2.0"
-+		"include/moonjit-2.2"
-                 "include/luajit-2.1"
-                 "include/luajit${LUA_VERSION_MAJOR}${LUA_VERSION_MINOR}"
-                 "include/luajit${LUA_VERSION_MAJOR}.${LUA_VERSION_MINOR}"
-@@ -111,4 +112,4 @@ MACRO(FindLua)
-             MESSAGE(STATUS "Found lua ${LUA_VERSION_MAJOR}.${LUA_VERSION_MINOR} in lib:${LUA_LIBRARY}, headers:${LUA_INCLUDE_DIR}")
-         ENDIF(ENABLE_LUAJIT MATCHES "ON")
-     ENDIF(LUA_LIBRARY AND LUA_INCLUDE_DIR)
--ENDMACRO()
-\ No newline at end of file
-+ENDMACRO()
-Index: b/src/lua/lua_common.h
-===================================================================
---- a/src/lua/lua_common.h
-+++ b/src/lua/lua_common.h
-@@ -41,11 +41,16 @@ luaL_register (lua_State *L, const gchar
- #endif
- 
- #if defined(LUA_VERSION_NUM) && LUA_VERSION_NUM == 501
-+#if 0
-+/* FIXME: need to check for LUAJIT_VERSION_NUM for moonjit
-+          but cannot just include luajit.h unconditionally here 
-+*/
- static inline int lua_absindex (lua_State *L, int i) {
- 	if (i < 0 && i > LUA_REGISTRYINDEX)
- 		i += lua_gettop(L) + 1;
- 	return i;
- }
-+#endif
- static inline int lua_rawgetp (lua_State *L, int i, const void *p) {
- 	int abs_i = lua_absindex(L, i);
- 	lua_pushlightuserdata(L, (void*)p);
diff --git a/rspamd.changes b/rspamd.changes
index c6f4e7e..8c493be 100644
--- a/rspamd.changes
+++ b/rspamd.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Oct  1 09:39:29 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- update to 2.6
+  * https://rspamd.com/announce/2020/09/30/rspamd-2.6.html
+  * Rework neural network plugin
+  * Rework bitcoin detection library
+  * Fix IDNA bugs
+  * Send more fuzzy module telemetry data to rspamd servers
+  * Drop upstream rspamd-gcc10-buildfix.patch
+  * Drop rspamd-moonjit.patch
+
 -------------------------------------------------------------------
 Wed Aug 12 03:34:28 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>
 
diff --git a/rspamd.spec b/rspamd.spec
index c53fa7f..fc3c71e 100644
--- a/rspamd.spec
+++ b/rspamd.spec
@@ -60,7 +60,7 @@
 %endif
 
 Name:           rspamd
-Version:        2.5
+Version:        2.6
 Release:        0
 License:        Apache-2.0
 Summary:        Spam filtering system
@@ -69,9 +69,6 @@ Group:          Productivity/Networking/Email/Utilities
 Source0:        https://github.com/rspamd/rspamd/archive/%{version}/%{name}-%{version}.tar.gz
 Patch0:         rspamd-conf.patch
 Patch1:         rspamd-after-redis-target.patch
-Patch2:         rspamd-moonjit.patch
-# PATCH-FIX-UPSTREAM
-Patch3:         rspamd-gcc10-buildfix.patch
 BuildRequires:  cmake
 BuildRequires:  curl-devel
 BuildRequires:  db-devel
@@ -161,10 +158,6 @@ This package holds the client tools (rspamc and rspamadm)
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%if %{with moonjit}
-%patch2 -p1
-%endif
-%patch3 -p1
 
 %build
 %if 0%{?force_gcc_version}
@@ -506,6 +499,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 %{_datadir}/rspamd/lualib/lua_ffi/common.lua
 %{_datadir}/rspamd/lualib/lua_ffi/dkim.lua
 %{_datadir}/rspamd/lualib/lua_ffi/init.lua
+%{_datadir}/rspamd/lualib/lua_ffi/linalg.lua
 %{_datadir}/rspamd/lualib/lua_ffi/spf.lua
 
 %dir %{_datadir}/rspamd/lualib/lua_magic
@@ -534,6 +528,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 %{_datadir}/rspamd/lualib/lua_scanners/virustotal.lua
 
 %dir %{_datadir}/rspamd/lualib/lua_selectors
+%{_datadir}/rspamd/lualib/lua_selectors/common.lua
 %{_datadir}/rspamd/lualib/lua_selectors/extractors.lua
 %{_datadir}/rspamd/lualib/lua_selectors/init.lua
 %{_datadir}/rspamd/lualib/lua_selectors/maps.lua
@@ -558,6 +553,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 
 %dir %{_datadir}/rspamd/rules
 %{_datadir}/rspamd/rules/bitcoin.lua
+%{_datadir}/rspamd/rules/bounce.lua
 %{_datadir}/rspamd/rules/content.lua
 %{_datadir}/rspamd/rules/forwarding.lua
 %{_datadir}/rspamd/rules/headers_checks.lua
@@ -573,6 +569,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 %{_datadir}/rspamd/rules/regexp/headers.lua
 %{_datadir}/rspamd/rules/regexp/misc.lua
 %{_datadir}/rspamd/rules/regexp/upstream_spam_filters.lua
+%{_datadir}/rspamd/rules/controller
 
 %{_mandir}/man8/rspamd.8*
 
@@ -593,12 +590,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 %{_wwwdir}/%{name}/mstile-150x150.png
 %{_wwwdir}/%{name}/safari-pinned-tab.svg
 
-%dir %{_wwwdir}/%{name}/css
-%{_wwwdir}/%{name}/css/bootstrap.min.css
-%{_wwwdir}/%{name}/css/d3evolution.css
-%{_wwwdir}/%{name}/css/footable.bootstrap.min.css
-%{_wwwdir}/%{name}/css/nprogress.css
-%{_wwwdir}/%{name}/css/rspamd.css
+%{_wwwdir}/%{name}/css
 
 %dir %{_wwwdir}/%{name}/fonts
 %{_wwwdir}/%{name}/fonts/glyphicons-halflings-regular.ttf
@@ -618,21 +610,12 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 %{_wwwdir}/%{name}/js/app/graph.js
 %{_wwwdir}/%{name}/js/app/history.js
 %{_wwwdir}/%{name}/js/app/rspamd.js
+%{_wwwdir}/%{name}/js/app/selectors.js
 %{_wwwdir}/%{name}/js/app/stats.js
 %{_wwwdir}/%{name}/js/app/symbols.js
 %{_wwwdir}/%{name}/js/app/upload.js
 
-%dir %{_wwwdir}/%{name}/js/lib
-%{_wwwdir}/%{name}/js/lib/bootstrap.min.js
-%{_wwwdir}/%{name}/js/lib/d3.min.js
-%{_wwwdir}/%{name}/js/lib/d3evolution.min.js
-%{_wwwdir}/%{name}/js/lib/d3pie.min.js
-%{_wwwdir}/%{name}/js/lib/footable.min.js
-%{_wwwdir}/%{name}/js/lib/jquery-3.4.1.min.js
-%{_wwwdir}/%{name}/js/lib/jquery.stickytabs.min.js
-%{_wwwdir}/%{name}/js/lib/nprogress.min.js
-%{_wwwdir}/%{name}/js/lib/require.min.js
-%{_wwwdir}/%{name}/js/lib/visibility.min.js
+%{_wwwdir}/%{name}/js/lib
 
 %if 0%{?with split_out_client}
 %files client

From 78f7c0d727b60f9b13c24023701ee9e3d85f8d64c1c05e395781212499117405 Mon Sep 17 00:00:00 2001
From: Bernhard Wiedemann <bwiedemann@suse.com>
Date: Mon, 5 Oct 2020 11:06:34 +0000
Subject: [PATCH 3/6] Add usr.bin.rspamd apparmor profile

OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46
---
 rspamd.changes |  5 +++++
 rspamd.spec    |  6 ++++++
 usr.bin.rspamd | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 usr.bin.rspamd

diff --git a/rspamd.changes b/rspamd.changes
index 8c493be..6720344 100644
--- a/rspamd.changes
+++ b/rspamd.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Oct  5 10:42:14 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Add usr.bin.rspamd apparmor profile
+
 -------------------------------------------------------------------
 Thu Oct  1 09:39:29 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>
 
diff --git a/rspamd.spec b/rspamd.spec
index fc3c71e..0e7e2a5 100644
--- a/rspamd.spec
+++ b/rspamd.spec
@@ -67,6 +67,7 @@ Summary:        Spam filtering system
 Url:            https://rspamd.com/
 Group:          Productivity/Networking/Email/Utilities
 Source0:        https://github.com/rspamd/rspamd/archive/%{version}/%{name}-%{version}.tar.gz
+Source1:        usr.bin.rspamd
 Patch0:         rspamd-conf.patch
 Patch1:         rspamd-after-redis-target.patch
 BuildRequires:  cmake
@@ -123,6 +124,8 @@ Requires:  rspamd-client = %{version}
 %else
 Conflicts: rspamd-client
 %endif
+BuildRequires:  apparmor-abstractions
+Requires:       apparmor-abstractions
 
 %description
 Rspamd is a spam filtering system that allows evaluation of messages
@@ -259,6 +262,7 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/local.d/worker-proxy.inc << EOF
 EOF
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
+install -D -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.rspamd
 
 %pre
 %{_sbindir}/groupadd -r %{rspamd_group} 2>/dev/null || :
@@ -309,6 +313,8 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
 %{_libdir}/rspamd/librspamd-kann.so
 %{_libdir}/rspamd/librspamd-replxx.so
 
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.rspamd
+
 %dir %{_sysconfdir}/rspamd/
 %config %{_sysconfdir}/rspamd/actions.conf
 %config %{_sysconfdir}/rspamd/cgp.inc
diff --git a/usr.bin.rspamd b/usr.bin.rspamd
new file mode 100644
index 0000000..ed05dcf
--- /dev/null
+++ b/usr.bin.rspamd
@@ -0,0 +1,32 @@
+# Last Modified: Mon Oct  5 10:19:40 2020
+#include <tunables/global>
+
+# based on https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/rspamd/templates/apparmor.d/usr.bin.rspamd
+
+
+/usr/bin/rspamd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/php>
+
+  /dev/shm/rhm.* rw,
+  /etc/gai.conf r,
+  /etc/host.conf r,
+  /etc/hosts r,
+  /etc/magic r,
+  /etc/nsswitch.conf r,
+  /etc/resolv.conf r,
+  /etc/rspamd/** r,
+  /lib/x86_64-linux-gnu/ld-*.so mr,
+  /proc/sys/kernel/random/uuid r,
+  /usr/bin/rspamd mr,
+  /usr/share/rspamd/ r,
+  /usr/share/rspamd/** r,
+  /var/cache/nscd/hosts r,
+  /var/lib/rspamd/ r,
+  /var/lib/rspamd/** rwk,
+  /var/log/rspamd/rspamd.log* rwk,
+  /{var/,}run/rspamd/* rwk,
+
+}

From 25d54b28608ad981951dea3f11b93d2ac3a0db30a60dadf8e0d536ca09aaa643 Mon Sep 17 00:00:00 2001
From: Bernhard Wiedemann <bwiedemann@suse.com>
Date: Mon, 5 Oct 2020 12:02:24 +0000
Subject: [PATCH 4/6] allow for clean local overrides for apparmor

OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=47
---
 rspamd.spec    | 5 ++++-
 usr.bin.rspamd | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/rspamd.spec b/rspamd.spec
index 0e7e2a5..acae19f 100644
--- a/rspamd.spec
+++ b/rspamd.spec
@@ -262,7 +262,9 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/local.d/worker-proxy.inc << EOF
 EOF
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/override.d
+mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d/local/
 install -D -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.rspamd
+echo "# Site-specific additions and overrides for 'usr.bin.rspamd'" > %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.bin.rspamd
 
 %pre
 %{_sbindir}/groupadd -r %{rspamd_group} 2>/dev/null || :
@@ -313,7 +315,8 @@ install -D -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.rspamd
 %{_libdir}/rspamd/librspamd-kann.so
 %{_libdir}/rspamd/librspamd-replxx.so
 
-%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.rspamd
+%config %{_sysconfdir}/apparmor.d/usr.bin.rspamd
+%config(noreplace) %{_sysconfdir}/apparmor.d/local/usr.bin.rspamd
 
 %dir %{_sysconfdir}/rspamd/
 %config %{_sysconfdir}/rspamd/actions.conf
diff --git a/usr.bin.rspamd b/usr.bin.rspamd
index ed05dcf..41a0306 100644
--- a/usr.bin.rspamd
+++ b/usr.bin.rspamd
@@ -9,6 +9,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/openssl>
   #include <abstractions/php>
+  #include <local/usr.bin.rspamd>
 
   /dev/shm/rhm.* rw,
   /etc/gai.conf r,

From 881b98bcf4d67683f33e32bcbcd4106d89d22f10f383038f61d2bd961e337a45 Mon Sep 17 00:00:00 2001
From: Bernhard Wiedemann <bwiedemann@suse.com>
Date: Tue, 6 Oct 2020 02:55:04 +0000
Subject: [PATCH 5/6] cleanup spec

OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=48
---
 rspamd.spec | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/rspamd.spec b/rspamd.spec
index acae19f..8a554cb 100644
--- a/rspamd.spec
+++ b/rspamd.spec
@@ -2,6 +2,7 @@
 # spec file for package rspamd
 #
 # Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,11 +32,6 @@
   %if (0%{?suse_version} >= 1315)
     %bcond_without luajit
   %endif
-
-  # Tumbleweed and Leap 15.2 uses moonjit:
-  %if (0%{?suse_version} > 1500) || (0%{?sle_version} >= 150200 && 0%{?is_opensuse})
-    %bcond_without moonjit
-  %endif
 %endif
 
 %if 0%{?suse_version} >= 1500 && ! 0%{?sle_version}

From e7da101e6a25980f63bb01edb333eaa69bdb4de16eda01db907b3bc1738ca2ea Mon Sep 17 00:00:00 2001
From: Marcus Rueckert <mrueckert@suse.com>
Date: Fri, 9 Oct 2020 18:01:48 +0000
Subject: [PATCH 6/6] - fix apparmor profile   - allow reading the webapp dir
 to make the builtin webserver work   - modernize the profile to use a short
 profile name   - remove php abstraction, replaced with rule to read the icu
 data     files   - remove all file rules that are covered by the base and    
 nameservice abstraction   - allow include (with "if exists) for local/rspamd
 and     local/usr.bin.rspamd (for backrwards compat)

OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49
---
 rspamd.changes | 13 +++++++++++++
 usr.bin.rspamd | 34 ++++++++++++++++++----------------
 2 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/rspamd.changes b/rspamd.changes
index 6720344..5e06c8e 100644
--- a/rspamd.changes
+++ b/rspamd.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Oct  9 17:51:10 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- fix apparmor profile
+  - allow reading the webapp dir to make the builtin webserver work
+  - modernize the profile to use a short profile name
+  - remove php abstraction, replaced with rule to read the icu data
+    files
+  - remove all file rules that are covered by the base and
+    nameservice abstraction
+  - allow include (with "if exists) for local/rspamd and
+    local/usr.bin.rspamd (for backrwards compat)
+
 -------------------------------------------------------------------
 Mon Oct  5 10:42:14 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>
 
diff --git a/usr.bin.rspamd b/usr.bin.rspamd
index 41a0306..aa65088 100644
--- a/usr.bin.rspamd
+++ b/usr.bin.rspamd
@@ -3,31 +3,33 @@
 
 # based on https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/rspamd/templates/apparmor.d/usr.bin.rspamd
 
-
-/usr/bin/rspamd {
+profile rspamd /usr/bin/rspamd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>
-  #include <abstractions/php>
-  #include <local/usr.bin.rspamd>
+  #include <abstractions/ssl_certs>
 
-  /dev/shm/rhm.* rw,
-  /etc/gai.conf r,
-  /etc/host.conf r,
-  /etc/hosts r,
-  /etc/magic r,
-  /etc/nsswitch.conf r,
-  /etc/resolv.conf r,
-  /etc/rspamd/** r,
-  /lib/x86_64-linux-gnu/ld-*.so mr,
-  /proc/sys/kernel/random/uuid r,
   /usr/bin/rspamd mr,
+
+  /etc/rspamd/** r,
+
+  /srv/www/webapps/rspamd/ r,
+  /srv/www/webapps/rspamd/** r,
   /usr/share/rspamd/ r,
   /usr/share/rspamd/** r,
-  /var/cache/nscd/hosts r,
+
   /var/lib/rspamd/ r,
   /var/lib/rspamd/** rwk,
+
   /var/log/rspamd/rspamd.log* rwk,
   /{var/,}run/rspamd/* rwk,
 
-}
+  /dev/shm/rhm.* rw,
+  /etc/magic r,
+  /proc/sys/kernel/random/uuid r,
+
+  /usr/share/icu/*/icu*.dat r,
+
+  #include if exists <local/usr.bin.rspamd>
+  #include if exists <local/rspamd>
+}
\ No newline at end of file