Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory 
checked in at 2015-10-17 16:38:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apparmor"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes        2015-09-24 
06:13:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes   2015-10-17 
16:38:04.000000000 +0200
@@ -1,0 +2,17 @@
+Wed Oct  7 16:12:24 UTC 2015 - [email protected]
+
+- add syslog-ng-profile-boo948584.diff - add several permissions needed
+  by latest syslog-ng (boo#948584, boo#948753)
+- add upstream-profile-updates-r3205-3241.diff with several profile updates:
+  - add /usr/share/locale-bundle/** to abstractions/base
+  - allow dnsmask to use /bin/sh (boo#940749) and /bin/dash
+  - allow dovecot imap to read /run/dovecot/mounts
+  - allow avahi-daemon to write to /run/systemd/notify
+  - allow ntpd to read $PATH directory listings (boo#945592, boo#948752)
+  - update dhclient profile
+  - allow skype to read @{PROC}/@{pid}/net/dev (boo#939568)
+  - and some other small updates
+- drop upstreamed apparmor-winbindd-r3213.diff (included in the
+  upstream-profile-updates patch)
+
+-------------------------------------------------------------------
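Review bot: The changelog bullet "allow dnsmask to use /bin/sh (boo#940749) and /bin/dash" misspells the daemon name; the profile being changed is usr.sbin.dnsmasq, so it should read "dnsmasq" to stay findable with grep. The catch-all bullet "and some other small updates" also hides the abstractions/X and abstractions/dconf changes carried by the upstream patch. Abstractions are pulled into other profiles, so those two are worth naming explicitly.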

Old:
----
  apparmor-winbindd-r3213.diff

New:
----
  syslog-ng-profile-boo948584.diff
  upstream-profile-updates-r3205-3241.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.yYKnYY/_old  2015-10-17 16:38:05.000000000 +0200
+++ /var/tmp/diff_new_pack.yYKnYY/_new  2015-10-17 16:38:05.000000000 +0200
@@ -95,8 +95,11 @@
 # boo#862170 - fix ugly initscript output (commited upstream trunk r3208)
 Patch8:         fix-initscript-aa_log_end_msg.diff
 
-# additional winbindd permissions (commited upstream trunk r3213, 2.9 r2946) - 
(boo#921098 #c15..19)
-Patch9:         apparmor-winbindd-r3213.diff
+# additional syslog-ng permissions (submitted upstream 2015-10-07) 
(boo#948584, boo#948753)
+Patch9:         syslog-ng-profile-boo948584.diff
+
+# several profile updates taken from upstream bzr trunk r3205..3241
+Patch10:        upstream-profile-updates-r3205-3241.diff
 
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
@@ -448,6 +451,7 @@
 %patch7 -p1
 %patch8
 %patch9
+%patch10
 
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' 
profiles/apparmor.d/)"



++++++ syslog-ng-profile-boo948584.diff ++++++
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng  2015-03-07 20:16:11 +0000
+++ profiles/apparmor.d/sbin.syslog-ng  2015-10-07 10:33:01 +0000
@@ -20,6 +20,7 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
   #include <abstractions/mysql>
+  #include <abstractions/openssl>
 
   capability chown,
   capability dac_override,
@@ -37,7 +38,10 @@
   /dev/syslog w,
   /dev/tty10 rw,
   /dev/xconsole rw,
+  /etc/machine-id r,
   /etc/syslog-ng/* r,
+  /etc/syslog-ng/conf.d/ r,
+  /etc/syslog-ng/conf.d/* r,
   @{PROC}/kmsg r,
   /etc/hosts.deny r,
   /etc/hosts.allow r,
@@ -50,6 +54,10 @@
   @{CHROOT_BASE}/var/log/** w,
   @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
   @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+  /var/log/journal/ r,
+  /var/log/journal/*/ r,
+  /var/log/journal/*/*.journal r,
+  /{var/,}run/syslog-ng.ctl a,
   /{var/,}run/syslog-ng/additional-log-sockets.conf r,
 
   # Site-specific additions and overrides. See local/README for details.
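Review bot: The new `/{var/,}run/syslog-ng.ctl a,` rule names the same control socket as the existing `@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,` rule earlier in this hunk, but without the @{CHROOT_BASE} prefix and with the alternation written the other way round. Append is already covered by write, so when @{CHROOT_BASE} is empty the new rule adds nothing; if it is meant for the non-chroot path while a chroot is configured, a one-line comment should say so. The same applies to the three /var/log/journal/ rules, which are also outside @{CHROOT_BASE}. Using `{,var/}` here would keep the file consistent.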

++++++ upstream-profile-updates-r3205-3241.diff ++++++
AppArmor bzr trunk
bzr diff -r3205..3241 profiles/
(+ abstractions/X change modified to single line syntax)

------------------------------------------------------------
revno: 3238
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Fri 2015-09-18 19:06:47 +0200
message:
  dnsmasq profile - also allow /bin/sh
  
  This patch is based on a SLE12 patch to allow executing the
  --dhcp-script. We already have most parts of that patch since r2841,
  however the SLE bugreport indicates that /bin/sh is executed (which is
  usually a symlink to /bin/bash or /bin/dash), so we should also allow
  /bin/sh
  
  References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
  
  
  Acked-by: Seth Arnold <[email protected]> for trunk and 2.9
------------------------------------------------------------
revno: 3237
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Tue 2015-09-15 14:24:57 +0200
message:
  Allow ntpd to read directory listings of $PATH
  
  For some reasons, it needs to do that to find readable, writeable and
  executable files.
  
  See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592
  
  
  Acked-by: Seth Arnold <[email protected]>
------------------------------------------------------------
revno: 3236
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Wed 2015-09-09 00:00:23 +0200
message:
  Update the /sbin/dhclient profile
  
  Add some permissions that I need on my system:
  - execute nm-dhcp-helper
  - read and write /var/lib/dhcp6/dhclient.leases
  - read /var/lib/NetworkManager/dhclient-*.conf
  - read and write /var/lib/NetworkManager/dhclient-*.conf
  
  
  Looks-good-by: Steve Beattie <[email protected]>
  Acked-by: <timeout> for trunk and 2.9
------------------------------------------------------------
revno: 3234
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Thu 2015-09-03 18:27:00 +0200
message:
  Dovecot imap needs to read /run/dovecot/mounts
  
  Acked-by: Steve Beattie <[email protected]> for trunk and 2.9.
------------------------------------------------------------
revno: 3225
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Sun 2015-08-23 15:20:20 +0200
message:
  add /usr/share/locale-bundle/ to abstractions/base
  
  /usr/share/locale-bundle/ contains translations packaged in
  bundle-lang-* packages in openSUSE.
  
  
  Acked-by: Steve Beattie <[email protected]> for trunk and 2.9
------------------------------------------------------------
revno: 3213
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Thu 2015-07-30 22:03:02 +0200
message:
  winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*
  
  References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at 
comment 15
  
  
  Acked-by: Steve Beattie <[email protected]> for trunk and 2.9
------------------------------------------------------------
revno: 3212
committer: Christian Boltz <[email protected]>
branch nick: apparmor
timestamp: Tue 2015-07-28 01:15:31 +0200
message:
  skype profile: allow reading @{PROC}/@{pid}/net/dev
  
  References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568
  
  
  Acked-by: Seth Arnold <[email protected]> for trunk and 2.9
------------------------------------------------------------
revno: 3211
committer: Jamie Strandboge <[email protected]>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:03:30 -0500
message:
  profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to
  /run/systemd/notify which is needed on systems with systemd
  
  Signed-off-by: Jamie Strandboge <[email protected]>
  Acked-by: Seth Arnold <[email protected]>
------------------------------------------------------------
revno: 3210
committer: Jamie Strandboge <[email protected]>
branch nick: apparmor
timestamp: Fri 2015-07-24 15:01:46 -0500
message:
  profiles/apparmor.d/abstractions/X: also allow unix connections to
  @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
  
  Signed-off-by: Jamie Strandboge <[email protected]>
  Acked-by: Seth Arnold <[email protected]>
------------------------------------------------------------
revno: 3209
committer: Jamie Strandboge <[email protected]>
branch nick: apparmor
timestamp: Fri 2015-07-24 13:56:27 -0500
message:
  profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash
  
  Signed-off-by: Jamie Strandboge <[email protected]>
  Acked-by: Christian Boltz <[email protected]>
------------------------------------------------------------
revno: 3207 [merge]
committer: Jamie Strandboge <[email protected]>
branch nick: apparmor
timestamp: Mon 2015-07-20 10:16:18 -0500
message:
  [ intrigeri ]
  dconf abstraction: allow reading /etc/dconf/**.
  That's needed e.g. for Totem on current Debian Jessie.
  
  Acked-By: Jamie Strandboge <[email protected]>
------------------------------------------------------------
Use --include-merged or -n0 to see merged revisions.




=== modified file 'profiles/apparmor.d/abstractions/X'
--- profiles/apparmor.d/abstractions/X  2015-03-25 21:58:31 +0000
+++ profiles/apparmor.d/abstractions/X  2015-07-24 20:01:46 +0000
@@ -27,4 +27,5 @@
   unix (connect, receive, send) type=stream 
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send) type=stream 
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
 
   /usr/include/X11/               r,
   /usr/include/X11/**             r,

=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base       2015-01-21 19:30:46 +0000
+++ profiles/apparmor.d/abstractions/base       2015-08-23 13:20:20 +0000
@@ -26,6 +26,7 @@
   /etc/locale/**                 r,
   /etc/locale.alias              r,
   /etc/localtime                 r,
+  /usr/share/locale-bundle/**    r,
   /usr/share/locale-langpack/**  r,
   /usr/share/locale/**           r,
   /usr/share/**/locale/**        r,

=== modified file 'profiles/apparmor.d/abstractions/dconf'
--- profiles/apparmor.d/abstractions/dconf      2013-10-09 13:18:09 +0000
+++ profiles/apparmor.d/abstractions/dconf      2015-07-19 13:42:54 +0000
@@ -3,5 +3,6 @@
 # permissions for querying dconf settings; granting write access should
 # be specified in a specific application's profile.
 
+  /etc/dconf/** r,
   owner /{,var/}run/user/*/dconf/user r,
   owner @{HOME}/.config/dconf/user r,

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap    2014-12-22 16:41:59 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap    2015-09-03 16:27:00 +0000
@@ -27,6 +27,7 @@
   @{HOME} r, # ???
   /usr/lib/dovecot/imap mr,
   /{,var/}run/dovecot/auth-master rw,
+  /{,var/}run/dovecot/mounts r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.imap>

=== modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon'
--- profiles/apparmor.d/usr.sbin.avahi-daemon   2014-09-03 19:16:32 +0000
+++ profiles/apparmor.d/usr.sbin.avahi-daemon   2015-07-24 20:03:30 +0000
@@ -26,6 +26,7 @@
   /{,var/}run/avahi-daemon/ w,
   /{,var/}run/avahi-daemon/pid krw,
   /{,var/}run/avahi-daemon/socket w,
+  /{,var/}run/systemd/notify w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.avahi-daemon>

=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq        2015-03-30 03:49:09 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq        2015-09-18 17:06:47 +0000
@@ -45,7 +45,7 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
-  /bin/bash ix, # Required to execute --dhcp-script argument
+  /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
 
   # access to iface mtu needed for Router Advertisement messages in IPv6
   # Neighbor Discovery protocol (RFC 2461)

=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd   2015-05-18 23:20:49 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd   2015-09-15 12:24:57 +0000
@@ -37,6 +37,7 @@
   /etc/ntpd.conf.tmp r,
 
   /tmp/ntp* rwl,
+  /{usr/,usr/local/,}{s,}bin/ r,
   /usr/sbin/ntpd rmix,
   /var/lib/ntp/drift rwl,
   /var/lib/ntp/drift.TEMP rwl,
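Review bot: The added `/{usr/,usr/local/,}{s,}bin/ r,` rule has no inline comment, and the r3237 commit message only says ntpd needs it "for some reasons". A trailing comment pointing at boo#945592 would tell the next person auditing the profile why a time daemon lists six binary directories. The rule is limited to the directories themselves (trailing slash, no glob), so it grants listings rather than file contents; it should stay that narrow.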

=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd       2015-05-18 23:25:26 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd       2015-07-30 20:03:02 +0000
@@ -15,7 +15,7 @@
   /etc/samba/secrets.tdb rwk,
   /etc/samba/smbd.tmp/ rw,
   /etc/samba/smbd.tmp/msg/ rw,
-  /etc/samba/smbd.tmp/msg/* rw,
+  /etc/samba/smbd.tmp/msg/* rwk,
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,

=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
--- profiles/apparmor/profiles/extras/sbin.dhclient     2013-01-02 23:34:38 
+0000
+++ profiles/apparmor/profiles/extras/sbin.dhclient     2015-09-08 22:00:23 
+0000
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2015 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +26,8 @@
   #include <abstractions/bash>
   #include <abstractions/nameservice>
 
+  capability net_raw,
+
   network packet packet,
   network packet raw,
 
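Review bot: The added `capability net_raw,` is not among the permissions listed in the r3236 commit message, which mentions only nm-dhcp-helper and the lease and conf files. A capability grant is the most significant line in this profile update and should be called out in the message or in a comment beside the rule, stating that it belongs with the `network packet raw,` rule below it if that is the reason.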
@@ -47,13 +50,17 @@
   /usr/bin/uptime             mrix,
   /usr/bin/vmstat             mrix,
   /usr/bin/w                  mrix,
+  /usr/lib/nm-dhcp-helper     rix,
   /var/lib/dhcp/dhclient.leases     rw,
   /var/lib/dhcp/dhclient-*.leases   rw,
+  /var/lib/dhcp6/dhclient.leases    rw,
+  /var/lib/NetworkManager/dhclient-*.conf  r,
+  /var/lib/NetworkManager/dhclient-*.lease rw,
   /var/log/lastlog            r,
   /var/log/messages           r,
   /var/log/wtmp               r,
-  /{,var/}run/dhclient.pid       rw,
-  /{,var/}run/dhclient-*.pid     rw,
+  /{,var/}run/dhclient.pid    rw,
+  /{,var/}run/dhclient-*.pid  rw,
   /var/spool                  r,
   /var/spool/mail             r,
 
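Review bot: The added rule `/var/lib/NetworkManager/dhclient-*.lease rw,` does not match the r3236 commit message, which lists dhclient-*.conf twice (once as read, once as read and write) and never mentions a .lease file. The hunk looks like the intended state, but the suffix is worth confirming because the neighbouring /var/lib/dhcp rules use the plural `.leases`. The realignment of the two dhclient pid rules is whitespace only and would be easier to review as a separate change.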

=== modified file 'profiles/apparmor/profiles/extras/usr.bin.skype'
--- profiles/apparmor/profiles/extras/usr.bin.skype     2013-01-02 23:34:38 
+0000
+++ profiles/apparmor/profiles/extras/usr.bin.skype     2015-07-27 23:15:31 
+0000
@@ -20,6 +20,7 @@
 
   @{PROC}/sys/kernel/{ostype,osrelease} r,
   @{PROC}/@{pid}/net/arp r,
+  @{PROC}/@{pid}/net/dev r,
   owner @{PROC}/@{pid}/auxv r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,

