From cdbe98d4c096a0ddc6ffdae701ad5e5e1634c6914e2300b35a58f9a5cf65efec Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Fri, 1 May 2015 12:52:46 +0000 Subject: [PATCH 1/2] Accepting request 304823 from home:jengelh:branches:Base:System - Documentation does not depend on the presence of anything OBS-URL: https://build.opensuse.org/request/show/304823 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=223 --- rsyslog.changes | 5 +++++ rsyslog.spec | 3 +-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/rsyslog.changes b/rsyslog.changes index eaa91ce..119d529 100644 --- a/rsyslog.changes +++ b/rsyslog.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Apr 30 12:39:07 UTC 2015 - jengelh@inai.de + +- Documentation does not depend on the presence of anything + ------------------------------------------------------------------- Mon Apr 20 14:22:32 UTC 2015 - jsegitz@novell.com diff --git a/rsyslog.spec b/rsyslog.spec index 18392d7..9670c56 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -1,7 +1,7 @@ # # spec file for package rsyslog # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -231,7 +231,6 @@ protected syslog relay chains while at the same time being very easy to setup for the novice user. %package doc -Requires: %{name} = %{version} Summary: Additional documentation for rsyslog Group: System/Daemons From 6e5c43c19017e6fb6acf0f2df15c471bea090233d208d60b1969a75ca9882226 Mon Sep 17 00:00:00 2001 
From: Andreas Stieger Date: Thu, 7 May 2015 20:28:26 +0000 Subject: [PATCH 2/2] Accepting request 305427 from home:jsegitz:branches:Base:System - Adjusted apparmor profile based on the suggestions by Christian Boltz * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls * Moved profiles to /usr/share/apparmor/extra-profiles/ * Blocked capability block_suspend plus some other small fixes OBS-URL: https://build.opensuse.org/request/show/305427 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=224 --- module-gssapi | 3 --- module-gtls | 4 ---- module-mysql | 2 +- module-pgsql | 1 - module-relp | 1 - rsyslog.changes | 9 +++++++++ rsyslog.spec | 43 +++++++++++-------------------------------- usr.sbin.rsyslogd | 8 +++++++- 8 files changed, 28 insertions(+), 43 deletions(-) delete mode 100644 module-gssapi delete mode 100644 module-gtls delete mode 100644 module-pgsql delete mode 100644 module-relp diff --git a/module-gssapi b/module-gssapi deleted file mode 100644 index d972f0c..0000000 --- a/module-gssapi +++ /dev/null @@ -1,3 +0,0 @@ - # rsyslog-module-gssapi - # couldn't test because not kerberos server is available - # but it shouldn't require any special permissions anyhow diff --git a/module-gtls b/module-gtls deleted file mode 100644 index fc1b855..0000000 --- a/module-gtls +++ /dev/null @@ -1,4 +0,0 @@ - # for logging via TLS (rsyslog-module-gtls) - # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here - # rsyslog tries to write to the certificates for no reason, so deny this quietly - deny /etc/rsyslog.d/* w, diff --git a/module-mysql b/module-mysql index 3fd9a78..5fa505e 100644 --- a/module-mysql +++ b/module-mysql @@ -3,4 +3,4 @@ #include /etc/my.cnf r, /etc/my.cnf.d/ r, - /etc/my.cnf.d/default_plugins.cnf r, + /etc/my.cnf.d/* r, diff --git a/module-pgsql b/module-pgsql deleted file mode 100644 index acc01f1..0000000 --- a/module-pgsql +++ /dev/null 
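Review bot: The new rule `/etc/my.cnf.d/* r,` in module-mysql lets the confined rsyslogd read every file in that directory, which is wider than the single `default_plugins.cnf` entry it replaces. Drop-in directories of this kind can hold client option files with stored passwords, as well as editor backups and package-manager leftovers. As far as I know the MySQL client library only reads files ending in `.cnf` from an include directory, so `/etc/my.cnf.d/*.cnf r,` should cover the same configurations with less exposure. The snippet's opening lines are outside the hunk, so an earlier rule may already affect this.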
@@ -1 +0,0 @@ - # for logging to postgresql (rsyslog-module-pgsql) diff --git a/module-relp b/module-relp deleted file mode 100644 index 58dc544..0000000 --- a/module-relp +++ /dev/null @@ -1 +0,0 @@ - # for logging via relp (rsyslog-module-relp) diff --git a/rsyslog.changes b/rsyslog.changes index 119d529..279ae43 100644 --- a/rsyslog.changes +++ b/rsyslog.changes @@ -3,6 +3,15 @@ Thu Apr 30 12:39:07 UTC 2015 - jengelh@inai.de - Documentation does not depend on the presence of anything +------------------------------------------------------------------- +Mon Apr 27 14:53:52 UTC 2015 - jsegitz@novell.com + +- Adjusted apparmor profile based on the suggestions by Christian Boltz + * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls + * Moved profiles to /usr/share/apparmor/extra-profiles/ + * Blocked capability block_suspend + plus some other small fixes + ------------------------------------------------------------------- Mon Apr 20 14:22:32 UTC 2015 - jsegitz@novell.com diff --git a/rsyslog.spec b/rsyslog.spec index 9670c56..7767e66 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -1,7 +1,7 @@ # # spec file for package rsyslog # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -200,13 +200,9 @@ Source2: rsyslog.conf.in Source4: rsyslog.d.remote.conf.in Source5: rsyslog-service-prepare.in Source6: usr.sbin.rsyslogd -Source7: module-gssapi -Source8: module-gtls -Source9: module-mysql -Source10: module-pgsql -Source11: module-relp -Source12: module-snmp -Source13: module-udpspoof +Source7: module-mysql +Source8: module-snmp +Source9: module-udpspoof Source14: http://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{upstream_version}.tar.gz Source15: rsyslog.firewall 
@@ -215,11 +211,10 @@ Patch0: rsyslog-unit.patch # this is a dirty hack since % dir does only work for the specified directory and nothing above # but I want to be able to switch this to /etc/apparmor.d once the profiles received more testing -%define APPARMOR_PROFILE_PATH /etc/apparmor/profiles/extras -%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /etc/apparmor/ \ - %dir /etc/apparmor/profiles \ - %dir /etc/apparmor/profiles/extras \ - %dir /etc/apparmor/profiles/extras/rsyslog.d +%define APPARMOR_PROFILE_PATH /usr/share/apparmor/extra-profiles +%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /usr/share/apparmor \ + %dir /usr/share/apparmor/extra-profiles \ + %dir /usr/share/apparmor/extra-profiles/rsyslog.d %description Rsyslog is an enhanced multi-threaded syslogd supporting, among others, @@ -736,26 +731,14 @@ touch %{buildroot}%{rsyslog_sockets_cfg} chmod 644 %{buildroot}%{rsyslog_sockets_cfg} mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/ -%if %{with gssapi} +%if %{with mysql} install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ %endif -%if %{with gnutls} +%if %{with snmp} install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ %endif -%if %{with mysql} - install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ -%endif -%if %{with pgsql} - install -m0640 %{SOURCE10} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ -%endif -%if %{with relp} - install -m0640 %{SOURCE11} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ -%endif -%if %{with snmp} - install -m0640 %{SOURCE12} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ -%endif %if %{with udpspoof} - install -m0640 %{SOURCE13} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ + install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/ %endif # firewall config 
@@ -993,7 +976,6 @@ fi %{rsyslog_module_dir_withdeps}/omgssapi.so %{rsyslog_module_dir_withdeps}/imgssapi.so %{rsyslog_module_dir_withdeps}/lmgssutil.so -%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gssapi %endif %if %{with mysql} @@ -1011,7 +993,6 @@ fi %defattr(-,root,root) %doc %{rsyslogdocdir}/pgsql-createDB.sql %{rsyslog_module_dir_withdeps}/ompgsql.so -%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-pgsql %endif %if %{with dbi} @@ -1035,7 +1016,6 @@ fi %files module-gtls %defattr(-,root,root) %{rsyslog_module_dir_withdeps}/lmnsd_gtls.so -%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gtls %endif %if %{with relp} @@ -1044,7 +1024,6 @@ fi %defattr(-,root,root) %{rsyslog_module_dir_withdeps}/imrelp.so %{rsyslog_module_dir_withdeps}/omrelp.so -%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-relp %endif %if %{with mmnormalize} diff --git a/usr.sbin.rsyslogd b/usr.sbin.rsyslogd index 504fd90..d718455 100644 --- a/usr.sbin.rsyslogd +++ b/usr.sbin.rsyslogd @@ -16,11 +16,11 @@ # general networking is allowed here #include - capability block_suspend, capability dac_override, capability sys_nice, capability sys_tty_config, capability syslog, + deny capability block_suspend, /dev/tty* w, /dev/xconsole rw, @@ -33,6 +33,7 @@ /usr/sbin/rsyslogd mr, /var/log/** rw, + /var/lib/*/dev/log w, /proc/kmsg r, @@ -43,4 +44,9 @@ # include rules for rsyslog-module-* packages # change that to once it is moved to /etc/apparmor.d #include "/etc/apparmor/profiles/extras/rsyslog.d" + + # for logging via TLS (rsyslog-module-gtls) + # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here + # rsyslog tries to write to the certificates for no reason, so deny this quietly + deny /etc/rsyslog.d/* w, }
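Review bot: The added rule `/var/lib/*/dev/log w,` in the second usr.sbin.rsyslogd hunk has no comment, and the wildcard grants write access to a `dev/log` path under every directory in /var/lib. Presumably it is meant for additional log sockets of chrooted services, but that is an inference from the path, not something the hunk states. A one-line comment above it, for example `# additional log sockets inside service chroots below /var/lib`, would make clear why the glob is needed. It would also let a later reviewer decide whether it can be narrowed to the chroots actually in use.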
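Review bot: The context line `#include "/etc/apparmor/profiles/extras/rsyslog.d"` in the last usr.sbin.rsyslogd hunk still names the old directory, while this commit changes `APPARMOR_PROFILE_PATH` in rsyslog.spec to `/usr/share/apparmor/extra-profiles`. Unless the old path is kept as a symlink, the module-mysql, module-snmp and module-udpspoof snippets are now installed where this include does not look. Their rules would then presumably be missing once an admin enables the profile. Suggest changing the line to `#include "/usr/share/apparmor/extra-profiles/rsyslog.d"` and updating the comment above it to match. Separately, `deny /etc/rsyslog.d/* w,` now applies whether or not the gtls module is installed, and denied writes are not audited, so the comment should say that it affects every configuration.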