Accepting request 305427 from home:jsegitz:branches:Base:System

- Adjusted apparmor profile based on the suggestions by Christian Boltz * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls * Moved profiles to /usr/share/apparmor/extra-profiles/ * Blocked capability block_suspend plus some other small fixes OBS-URL: https://build.opensuse.org/request/show/305427 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=224
2015-05-07 20:28:26 +00:00 · 2015-05-07 20:28:26 +00:00 · 6e5c43c190
commit 6e5c43c190
parent cdbe98d4c0
8 changed files with 28 additions and 43 deletions
--- a/3
+++ b/3
@ -1,3 +0,0 @@
-  # rsyslog-module-gssapi
-  # couldn't test because not kerberos server is available
-  # but it shouldn't require any special permissions anyhow
--- a/4
+++ b/4
@ -1,4 +0,0 @@
-  # for logging via TLS (rsyslog-module-gtls)
-  # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
-  # rsyslog tries to write to the certificates for no reason, so deny this quietly
-  deny /etc/rsyslog.d/* w,
--- a/2
+++ b/2
@ -3,4 +3,4 @@
  #include <abstractions/p11-kit>
  /etc/my.cnf r,
  /etc/my.cnf.d/ r,
-  /etc/my.cnf.d/default_plugins.cnf r,
+  /etc/my.cnf.d/* r,
--- a/1
+++ b/1
@ -1 +0,0 @@
-  # for logging to postgresql (rsyslog-module-pgsql)
--- a/1
+++ b/1
@ -1 +0,0 @@
-  # for logging via relp (rsyslog-module-relp)
--- a/rsyslog.changes
+++ b/rsyslog.changes
@ -3,6 +3,15 @@ Thu Apr 30 12:39:07 UTC 2015 - jengelh@inai.de

 - Documentation does not depend on the presence of anything

+-------------------------------------------------------------------
+Mon Apr 27 14:53:52 UTC 2015 - jsegitz@novell.com
+
+- Adjusted apparmor profile based on the suggestions by Christian Boltz
+  * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls
+  * Moved profiles to /usr/share/apparmor/extra-profiles/
+  * Blocked capability block_suspend
+  plus some other small fixes
+
 -------------------------------------------------------------------
 Mon Apr 20 14:22:32 UTC 2015 - jsegitz@novell.com

--- a/rsyslog.spec
+++ b/rsyslog.spec
@ -1,7 +1,7 @@
 #
 # spec file for package rsyslog
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -200,13 +200,9 @@ Source2:        rsyslog.conf.in
 Source4:        rsyslog.d.remote.conf.in
 Source5:        rsyslog-service-prepare.in
 Source6:        usr.sbin.rsyslogd
-Source7:        module-gssapi
-Source8:        module-gtls
-Source9:        module-mysql
-Source10:       module-pgsql
-Source11:       module-relp
-Source12:       module-snmp
-Source13:       module-udpspoof
+Source7:        module-mysql
+Source8:        module-snmp
+Source9:        module-udpspoof
 Source14:       http://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{upstream_version}.tar.gz
 Source15:       rsyslog.firewall

@ -215,11 +211,10 @@ Patch0:         rsyslog-unit.patch

 # this is a dirty hack since % dir does only work for the specified directory and nothing above
 # but I want to be able to switch this to /etc/apparmor.d once the profiles received more testing
-%define APPARMOR_PROFILE_PATH /etc/apparmor/profiles/extras
-%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /etc/apparmor/ \
-                                           %dir /etc/apparmor/profiles \
-                                           %dir /etc/apparmor/profiles/extras \
-                                           %dir /etc/apparmor/profiles/extras/rsyslog.d
+%define APPARMOR_PROFILE_PATH /usr/share/apparmor/extra-profiles
+%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /usr/share/apparmor \
+                                           %dir /usr/share/apparmor/extra-profiles \
+                                           %dir /usr/share/apparmor/extra-profiles/rsyslog.d

 %description
 Rsyslog is an enhanced multi-threaded syslogd supporting, among others,
@ -736,26 +731,14 @@ touch %{buildroot}%{rsyslog_sockets_cfg}
 chmod 644 %{buildroot}%{rsyslog_sockets_cfg}
 mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/
-%if %{with gssapi}
+%if %{with mysql}
  install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 %endif
-%if %{with gnutls}
+%if %{with snmp}
  install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 %endif
-%if %{with mysql}
-  install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
-%if %{with pgsql}
-  install -m0640 %{SOURCE10} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
-%if %{with relp}
-  install -m0640 %{SOURCE11} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
-%if %{with snmp}
-  install -m0640 %{SOURCE12} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
 %if %{with udpspoof}
-  install -m0640 %{SOURCE13} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+  install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 %endif

 # firewall config
@ -993,7 +976,6 @@ fi
 %{rsyslog_module_dir_withdeps}/omgssapi.so
 %{rsyslog_module_dir_withdeps}/imgssapi.so
 %{rsyslog_module_dir_withdeps}/lmgssutil.so
-%config  %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gssapi
 %endif

 %if %{with mysql}
@ -1011,7 +993,6 @@ fi
 %defattr(-,root,root)
 %doc %{rsyslogdocdir}/pgsql-createDB.sql
 %{rsyslog_module_dir_withdeps}/ompgsql.so
-%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-pgsql
 %endif

 %if %{with dbi}
@ -1035,7 +1016,6 @@ fi
 %files module-gtls
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/lmnsd_gtls.so
-%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gtls
 %endif

 %if %{with relp}
@ -1044,7 +1024,6 @@ fi
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/imrelp.so
 %{rsyslog_module_dir_withdeps}/omrelp.so
-%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-relp
 %endif

 %if %{with mmnormalize}
--- a/usr.sbin.rsyslogd
+++ b/usr.sbin.rsyslogd
@ -16,11 +16,11 @@
  # general networking is allowed here
  #include <abstractions/nameservice>

-  capability block_suspend,
  capability dac_override,
  capability sys_nice,
  capability sys_tty_config,
  capability syslog,
+  deny capability block_suspend,

  /dev/tty* w,
  /dev/xconsole rw,
@ -33,6 +33,7 @@
  /usr/sbin/rsyslogd mr,

  /var/log/** rw,
+  /var/lib/*/dev/log w,

  /proc/kmsg r,

@ -43,4 +44,9 @@
  # include rules for rsyslog-module-* packages
  # change that to <rsyslog.d> once it is moved to /etc/apparmor.d
  #include "/etc/apparmor/profiles/extras/rsyslog.d"
+  
+  # for logging via TLS (rsyslog-module-gtls)
+  # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
+  # rsyslog tries to write to the certificates for no reason, so deny this quietly
+  deny /etc/rsyslog.d/* w,
 }
				`@ -1 +0,0 @@`
				`# for logging to postgresql (rsyslog-module-pgsql)`
				`@ -1 +0,0 @@`
				`# for logging via relp (rsyslog-module-relp)`