- apparmor profile fixes:

- include abstractions that give access to the openssl config, ssl certs and ssl keys - include local configs only with "if exists" so they do not have to exist. - move local files to %ghost OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=226
2020-10-24 01:23:11 +00:00 · 2020-10-24 01:23:11 +00:00 · bdec498733
commit bdec498733
parent 6202e19018
3 changed files with 19 additions and 3 deletions
--- a/haproxy.changes
+++ b/haproxy.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sat Oct 24 01:18:29 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- apparmor profile fixes:
+  - include abstractions that give access to the openssl config,
+    ssl certs and ssl keys
+  - include local configs only with "if exists" so they do not have
+    to exist.
+- move local files to %ghost
+
 -------------------------------------------------------------------
 Fri Oct  2 14:38:51 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

--- a/haproxy.spec
+++ b/haproxy.spec
@ -203,6 +203,7 @@ install -D -m 0644 contrib/syntax-highlight/haproxy.vim     %{buildroot}%{vim_da
 install -D -m 0644 doc/%{pkg_name}.1        %{buildroot}%{_mandir}/man1/%{pkg_name}.1
 %if %{with apparmor}
 install -D -m 0644 %{S:2}                   %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
+install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/haproxy
 install -D -m 0644 %{S:3}                   %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
 %endif

@ -281,8 +282,9 @@ getent passwd %{pkg_name} >/dev/null || \
 %if 0%{?suse_version} == 1110
 %dir /etc/apparmor.d/local/
 %endif
-%config(noreplace) /etc/apparmor.d/usr.sbin.haproxy
-%config(noreplace) /etc/apparmor.d/local/usr.sbin.haproxy
+%config(noreplace)        /etc/apparmor.d/usr.sbin.haproxy
+%config(noreplace) %ghost /etc/apparmor.d/local/haproxy
+%config(noreplace) %ghost /etc/apparmor.d/local/usr.sbin.haproxy
 %endif

 %changelog
--- a/usr.sbin.haproxy.apparmor
+++ b/usr.sbin.haproxy.apparmor
@ -2,6 +2,9 @@

 profile haproxy /usr/sbin/haproxy {
  #include <abstractions/base>
+  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
@ -29,5 +32,6 @@ profile haproxy /usr/sbin/haproxy {
  /{,var/}run/haproxy-master.sock* rwlk,

  # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.sbin.haproxy>
+  #include if exists <local/haproxy>
+  #include if exists <local/usr.sbin.haproxy>
 }