Accepting request 305835 from Base:System
apparmor profile change and doc dependency update OBS-URL: https://build.opensuse.org/request/show/305835 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rsyslog?expand=0&rev=106
This commit is contained in:
Stephan Kulow
Git OBS Bridge
commit
f4bf4a26d1
@ -1,3 +0,0 @@
|
|||||||
# rsyslog-module-gssapi
|
|
||||||
# couldn't test because not kerberos server is available
|
|
||||||
# but it shouldn't require any special permissions anyhow
|
|
||||||
@ -1,4 +0,0 @@
|
|||||||
# for logging via TLS (rsyslog-module-gtls)
|
|
||||||
# keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
|
|
||||||
# rsyslog tries to write to the certificates for no reason, so deny this quietly
|
|
||||||
deny /etc/rsyslog.d/* w,
|
|
||||||
@ -3,4 +3,4 @@
|
|||||||
#include <abstractions/p11-kit>
|
#include <abstractions/p11-kit>
|
||||||
/etc/my.cnf r,
|
/etc/my.cnf r,
|
||||||
/etc/my.cnf.d/ r,
|
/etc/my.cnf.d/ r,
|
||||||
/etc/my.cnf.d/default_plugins.cnf r,
|
/etc/my.cnf.d/* r,
|
||||||
|
|||||||
@ -1 +0,0 @@
|
|||||||
# for logging to postgresql (rsyslog-module-pgsql)
|
|
||||||
@ -1 +0,0 @@
|
|||||||
# for logging via relp (rsyslog-module-relp)
|
|
||||||
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 30 12:39:07 UTC 2015 - jengelh@inai.de
|
||||||
|
|
||||||
|
- Documentation does not depend on the presence of anything
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Apr 27 14:53:52 UTC 2015 - jsegitz@novell.com
|
||||||
|
|
||||||
|
- Adjusted apparmor profile based on the suggestions by Christian Boltz
|
||||||
|
* Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls
|
||||||
|
* Moved profiles to /usr/share/apparmor/extra-profiles/
|
||||||
|
* Blocked capability block_suspend
|
||||||
|
plus some other small fixes
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Apr 20 14:22:32 UTC 2015 - jsegitz@novell.com
|
Mon Apr 20 14:22:32 UTC 2015 - jsegitz@novell.com
|
||||||
|
|
||||||
|
|||||||
42
rsyslog.spec
42
rsyslog.spec
@ -200,13 +200,9 @@ Source2: rsyslog.conf.in
|
|||||||
Source4: rsyslog.d.remote.conf.in
|
Source4: rsyslog.d.remote.conf.in
|
||||||
Source5: rsyslog-service-prepare.in
|
Source5: rsyslog-service-prepare.in
|
||||||
Source6: usr.sbin.rsyslogd
|
Source6: usr.sbin.rsyslogd
|
||||||
Source7: module-gssapi
|
Source7: module-mysql
|
||||||
Source8: module-gtls
|
Source8: module-snmp
|
||||||
Source9: module-mysql
|
Source9: module-udpspoof
|
||||||
Source10: module-pgsql
|
|
||||||
Source11: module-relp
|
|
||||||
Source12: module-snmp
|
|
||||||
Source13: module-udpspoof
|
|
||||||
Source14: http://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{upstream_version}.tar.gz
|
Source14: http://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{upstream_version}.tar.gz
|
||||||
Source15: rsyslog.firewall
|
Source15: rsyslog.firewall
|
||||||
|
|
||||||
@ -215,11 +211,10 @@ Patch0: rsyslog-unit.patch
|
|||||||
|
|
||||||
# this is a dirty hack since % dir does only work for the specified directory and nothing above
|
# this is a dirty hack since % dir does only work for the specified directory and nothing above
|
||||||
# but I want to be able to switch this to /etc/apparmor.d once the profiles received more testing
|
# but I want to be able to switch this to /etc/apparmor.d once the profiles received more testing
|
||||||
%define APPARMOR_PROFILE_PATH /etc/apparmor/profiles/extras
|
%define APPARMOR_PROFILE_PATH /usr/share/apparmor/extra-profiles
|
||||||
%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /etc/apparmor/ \
|
%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /usr/share/apparmor \
|
||||||
%dir /etc/apparmor/profiles \
|
%dir /usr/share/apparmor/extra-profiles \
|
||||||
%dir /etc/apparmor/profiles/extras \
|
%dir /usr/share/apparmor/extra-profiles/rsyslog.d
|
||||||
%dir /etc/apparmor/profiles/extras/rsyslog.d
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Rsyslog is an enhanced multi-threaded syslogd supporting, among others,
|
Rsyslog is an enhanced multi-threaded syslogd supporting, among others,
|
||||||
@ -231,7 +226,6 @@ protected syslog relay chains while at the same time being very easy to
|
|||||||
setup for the novice user.
|
setup for the novice user.
|
||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Requires: %{name} = %{version}
|
|
||||||
Summary: Additional documentation for rsyslog
|
Summary: Additional documentation for rsyslog
|
||||||
Group: System/Daemons
|
Group: System/Daemons
|
||||||
|
|
||||||
@ -737,26 +731,14 @@ touch %{buildroot}%{rsyslog_sockets_cfg}
|
|||||||
chmod 644 %{buildroot}%{rsyslog_sockets_cfg}
|
chmod 644 %{buildroot}%{rsyslog_sockets_cfg}
|
||||||
mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
||||||
install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/
|
install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/
|
||||||
%if %{with gssapi}
|
%if %{with mysql}
|
||||||
install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
||||||
%endif
|
%endif
|
||||||
%if %{with gnutls}
|
%if %{with snmp}
|
||||||
install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
||||||
%endif
|
%endif
|
||||||
%if %{with mysql}
|
|
||||||
install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
|
||||||
%endif
|
|
||||||
%if %{with pgsql}
|
|
||||||
install -m0640 %{SOURCE10} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
|
||||||
%endif
|
|
||||||
%if %{with relp}
|
|
||||||
install -m0640 %{SOURCE11} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
|
||||||
%endif
|
|
||||||
%if %{with snmp}
|
|
||||||
install -m0640 %{SOURCE12} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
|
||||||
%endif
|
|
||||||
%if %{with udpspoof}
|
%if %{with udpspoof}
|
||||||
install -m0640 %{SOURCE13} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# firewall config
|
# firewall config
|
||||||
@ -994,7 +976,6 @@ fi
|
|||||||
%{rsyslog_module_dir_withdeps}/omgssapi.so
|
%{rsyslog_module_dir_withdeps}/omgssapi.so
|
||||||
%{rsyslog_module_dir_withdeps}/imgssapi.so
|
%{rsyslog_module_dir_withdeps}/imgssapi.so
|
||||||
%{rsyslog_module_dir_withdeps}/lmgssutil.so
|
%{rsyslog_module_dir_withdeps}/lmgssutil.so
|
||||||
%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gssapi
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with mysql}
|
%if %{with mysql}
|
||||||
@ -1012,7 +993,6 @@ fi
|
|||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%doc %{rsyslogdocdir}/pgsql-createDB.sql
|
%doc %{rsyslogdocdir}/pgsql-createDB.sql
|
||||||
%{rsyslog_module_dir_withdeps}/ompgsql.so
|
%{rsyslog_module_dir_withdeps}/ompgsql.so
|
||||||
%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-pgsql
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with dbi}
|
%if %{with dbi}
|
||||||
@ -1036,7 +1016,6 @@ fi
|
|||||||
%files module-gtls
|
%files module-gtls
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{rsyslog_module_dir_withdeps}/lmnsd_gtls.so
|
%{rsyslog_module_dir_withdeps}/lmnsd_gtls.so
|
||||||
%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gtls
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with relp}
|
%if %{with relp}
|
||||||
@ -1045,7 +1024,6 @@ fi
|
|||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{rsyslog_module_dir_withdeps}/imrelp.so
|
%{rsyslog_module_dir_withdeps}/imrelp.so
|
||||||
%{rsyslog_module_dir_withdeps}/omrelp.so
|
%{rsyslog_module_dir_withdeps}/omrelp.so
|
||||||
%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-relp
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with mmnormalize}
|
%if %{with mmnormalize}
|
||||||
|
|||||||
@ -16,11 +16,11 @@
|
|||||||
# general networking is allowed here
|
# general networking is allowed here
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
|
|
||||||
capability block_suspend,
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
capability sys_tty_config,
|
capability sys_tty_config,
|
||||||
capability syslog,
|
capability syslog,
|
||||||
|
deny capability block_suspend,
|
||||||
|
|
||||||
/dev/tty* w,
|
/dev/tty* w,
|
||||||
/dev/xconsole rw,
|
/dev/xconsole rw,
|
||||||
@ -33,6 +33,7 @@
|
|||||||
/usr/sbin/rsyslogd mr,
|
/usr/sbin/rsyslogd mr,
|
||||||
|
|
||||||
/var/log/** rw,
|
/var/log/** rw,
|
||||||
|
/var/lib/*/dev/log w,
|
||||||
|
|
||||||
/proc/kmsg r,
|
/proc/kmsg r,
|
||||||
|
|
||||||
@ -43,4 +44,9 @@
|
|||||||
# include rules for rsyslog-module-* packages
|
# include rules for rsyslog-module-* packages
|
||||||
# change that to <rsyslog.d> once it is moved to /etc/apparmor.d
|
# change that to <rsyslog.d> once it is moved to /etc/apparmor.d
|
||||||
#include "/etc/apparmor/profiles/extras/rsyslog.d"
|
#include "/etc/apparmor/profiles/extras/rsyslog.d"
|
||||||
|
|
||||||
|
# for logging via TLS (rsyslog-module-gtls)
|
||||||
|
# keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
|
||||||
|
# rsyslog tries to write to the certificates for no reason, so deny this quietly
|
||||||
|
deny /etc/rsyslog.d/* w,
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user