Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2026-05-14 21:42:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Thu May 14 21:42:24 2026 rev:233 rq:1353063 version:5.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2026-03-22 14:11:31.363756242 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new.1966/apparmor.changes 2026-05-14 21:43:08.271044974 +0200 
@@ -1,0 +2,55 @@ +Wed May 13 15:38:08 UTC 2026 - Christian Boltz <[email protected]> + +- add syslog-ng-slashes.diff: avoid double slashes (and therefore a + path mismatch) in syslog-ng profile + +------------------------------------------------------------------- +Tue May 12 00:08:13 UTC 2026 - Matej Cepl <[email protected]> + +- Use %{_tmpfilesdir} macro and package apparmor.conf tmpfiles + configuration. + +------------------------------------------------------------------- +Mon May 4 19:03:10 UTC 2026 - Christian Boltz <[email protected]> + +- add allow-read-slash.diff and postfix-profiles-slash.diff to allow + reading / in samba, dovecot and postfix profiles (boo#1263051) + +------------------------------------------------------------------- +Sun Apr 26 15:06:07 UTC 2026 - Christian Boltz <[email protected]> + +- update to AppArmor 5.0 + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0 + for the full upstream changelog +- update lessopen.sh profile to abi/5.0 +- enable all tests in profiles/ + +------------------------------------------------------------------- +Sun Apr 26 05:22:47 UTC 2026 - David Disseldorp <[email protected]> + +- Add and use tmpfiles.d/apparmor.conf for log and cache path creation + (jsc#PED-14916) (jsc#PED-14917) + + drop removal of pre-2.12 cache location + + retain "apparmor_parser --purge-cache" calls for non-transactional + systems + +------------------------------------------------------------------- +Wed Apr 22 12:29:57 UTC 2026 - Christian Boltz <[email protected]> + +- update to AppArmor 5.0rc5 + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc5 +- drop upstreamed parser-lib-path.diff + +------------------------------------------------------------------- +Fri Apr 17 19:11:58 UTC 2026 - Christian Boltz <[email protected]> + +- update to AppArmor 5.0rc4 + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_5.0.0-rc4 + for the full upstream changelog + - add BR libzstd-devel 
+- add parser-lib-path.diff to ensure parser finds libapparmor in make check +- refresh apache-extra-profile-include-if-exists.diff +- add 'make -C init' (apparmor.service and aa-teardown now live in + a separate directory) + +------------------------------------------------------------------- Old: ---- apparmor-v4.1.7.tar.gz apparmor-v4.1.7.tar.gz.asc New: ---- allow-read-slash.diff apparmor-v5.0.0.tar.bz2 apparmor-v5.0.0.tar.bz2.asc apparmor.tmpfiles.conf postfix-profiles-slash.diff syslog-ng-slashes.diff ----------(New B)---------- New: - add allow-read-slash.diff and postfix-profiles-slash.diff to allow reading / in samba, dovecot and postfix profiles (boo#1263051) New: - add allow-read-slash.diff and postfix-profiles-slash.diff to allow reading / in samba, dovecot and postfix profiles (boo#1263051) New: - add syslog-ng-slashes.diff: avoid double slashes (and therefore a path mismatch) in syslog-ng profile ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.SO9JfH/_old 2026-05-14 21:43:10.095119799 +0200 +++ /var/tmp/diff_new_pack.SO9JfH/_new 2026-05-14 21:43:10.099119963 +0200 @@ -2,7 +2,7 @@ # spec file for package apparmor # # Copyright (c) 2026 SUSE LLC and contributors -# Copyright (c) 2011-2024 Christian Boltz +# Copyright (c) 2011-2026 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -51,20 +51,21 @@ %define CATALINA_HOME /usr/share/tomcat6 %define JAR_FILE changeHatValve.jar -%define tarversion v4.1.7 -%define pyeggversion 4.1.7 +%define tarversion v5.0.0 +%define pyeggversion 5.0.0 Name: apparmor -Version: 4.1.7 +Version: 5.0.0 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later Group: Productivity/Networking/Security URL: https://gitlab.com/apparmor/apparmor/ -Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz +Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.bz2 # from https://gitlab.com/apparmor/apparmor/-/wikis/%%{version}_Signatures -Source1: apparmor-%{tarversion}.tar.gz.asc +Source1: apparmor-%{tarversion}.tar.bz2.asc Source2: %{name}.keyring +Source3: apparmor.tmpfiles.conf Source6: baselibs.conf Source7: apparmor-rpmlintrc @@ -85,6 +86,15 @@ # /usr/etc/krb5.conf - boo#1246689 - not submitted upstream yet since https://github.com/krb5/krb5/pull/1437/ is still open Patch11: kerberosclient-usrmerge.diff +# allow "/ r," which is needed since systemd 260 (boo#1263051) +# taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/2079 (merged into 4.0..master) +Patch12: allow-read-slash.diff +# taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/2087 (merged into 5.0 and master) +Patch13: postfix-profiles-slash.diff + +# avoid double slashes (and therefore a path mismatch) in syslog-ng profile (merged upstream 2026-05-05 https://gitlab.com/apparmor/apparmor/-/merge_requests/2090 for 5.0 and master, will be in 5.0.1) +Patch14: syslog-ng-slashes.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf @@ -96,6 +106,7 @@ BuildRequires: gcc-c++ BuildRequires: iproute2 BuildRequires: libtool +BuildRequires: libzstd-devel BuildRequires: pkg-config BuildRequires: python3 BuildRequires: swig 
@@ -354,6 +365,9 @@ %patch -P 7 %endif %patch -P 11 -p1 +%patch -P 12 -p1 +%patch -P 13 -p1 +%patch -P 14 -p1 %build export SUSE_ASNEEDED=0 @@ -412,6 +426,9 @@ parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/ %endif +# aa-teardown and apparmor.service +make -C init + # create filelist of previously (up to 3.1.x) shipped local/* files # (adding them as %ghost prevents modified files from being moved to *.rpmsave) for oldlocal in \ @@ -433,9 +450,7 @@ # some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current) if grep -q apparmor /sys/kernel/security/lsm; then - # profiles make check fails for the utils (they expect - # /sbin/apparmor_parser to exist), therefore only do parser-based check - make -C profiles check-parser + make -C profiles check %if %{with precompiled_cache} # test for a few files that should exist in the cache @@ -450,7 +465,12 @@ true fi +# aa-teardown and apparmor.service +make -C init check + %install +install -D -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/apparmor.conf + # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec %makeinstall -C libraries/libapparmor/swig @@ -477,9 +497,7 @@ %makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C parser # default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location -# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it -mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor -( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d ) +# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it via tmpfiles.d %if %{with apache} %makeinstall -C changehat/mod_apparmor 
@@ -494,6 +512,9 @@ %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} %endif +# aa-teardown and apparmor.service +%makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C init + find %{buildroot} -name .packlist -exec rm -vf {} \; find %{buildroot} -name perllocal.pod -exec rm -vf {} \; @@ -552,11 +573,12 @@ %{_sbindir}/exec %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d -%{_sysconfdir}/apparmor.d/cache.d +%ghost %{_sysconfdir}/apparmor.d/cache.d %{sbindir}/rcapparmor %{_unitdir}/apparmor.service +%{_tmpfilesdir}/apparmor.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf -%{_localstatedir}/cache/apparmor +%ghost %{_localstatedir}/cache/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/apparmor.systemd @@ -588,6 +610,8 @@ %config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0 %config(noreplace) %{_sysconfdir}/apparmor.d/abi/4.0 %config(noreplace) %{_sysconfdir}/apparmor.d/abi/4.0-ip +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/5.0 +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/5.0-interface %config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network %config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla %dir %{_sysconfdir}/apparmor.d/abstractions 
@@ -605,9 +629,61 @@ %config(noreplace) %{_sysconfdir}/apparmor.d/usr.* %config(noreplace) %{_sysconfdir}/apparmor.d/1password +%config(noreplace) %{_sysconfdir}/apparmor.d/alsamixer +%config(noreplace) %{_sysconfdir}/apparmor.d/babeld +%config(noreplace) %{_sysconfdir}/apparmor.d/bfdd +%config(noreplace) %{_sysconfdir}/apparmor.d/bgpd +%config(noreplace) %{_sysconfdir}/apparmor.d/curl +%config(noreplace) %{_sysconfdir}/apparmor.d/dig %config(noreplace) %{_sysconfdir}/apparmor.d/Discord +%config(noreplace) %{_sysconfdir}/apparmor.d/dnstracer +%config(noreplace) %{_sysconfdir}/apparmor.d/eigrpd +%config(noreplace) %{_sysconfdir}/apparmor.d/fabricd +%config(noreplace) %{_sysconfdir}/apparmor.d/free +%config(noreplace) %{_sysconfdir}/apparmor.d/fusermount3 +%config(noreplace) %{_sysconfdir}/apparmor.d/gs +%config(noreplace) %{_sysconfdir}/apparmor.d/hostname +%config(noreplace) %{_sysconfdir}/apparmor.d/iotop-c +%config(noreplace) %{_sysconfdir}/apparmor.d/isisd +%config(noreplace) %{_sysconfdir}/apparmor.d/john +%config(noreplace) %{_sysconfdir}/apparmor.d/ldpd +%config(noreplace) %{_sysconfdir}/apparmor.d/locale +%config(noreplace) %{_sysconfdir}/apparmor.d/lsblk +%config(noreplace) %{_sysconfdir}/apparmor.d/lsof +%config(noreplace) %{_sysconfdir}/apparmor.d/lsusb +%config(noreplace) %{_sysconfdir}/apparmor.d/mbsync %config(noreplace) %{_sysconfdir}/apparmor.d/MongoDB_Compass +%config(noreplace) %{_sysconfdir}/apparmor.d/mosquitto +%config(noreplace) %{_sysconfdir}/apparmor.d/nc.openbsd +%config(noreplace) %{_sysconfdir}/apparmor.d/nhrpd +%config(noreplace) %{_sysconfdir}/apparmor.d/notify-send +%config(noreplace) %{_sysconfdir}/apparmor.d/nslookup +%config(noreplace) %{_sysconfdir}/apparmor.d/ospf6d +%config(noreplace) %{_sysconfdir}/apparmor.d/ospfd +%config(noreplace) %{_sysconfdir}/apparmor.d/pathd +%config(noreplace) %{_sysconfdir}/apparmor.d/pbrd +%config(noreplace) %{_sysconfdir}/apparmor.d/pim6d +%config(noreplace) %{_sysconfdir}/apparmor.d/pimd 
+%config(noreplace) %{_sysconfdir}/apparmor.d/proftpd +%config(noreplace) %{_sysconfdir}/apparmor.d/qpdf %config(noreplace) %{_sysconfdir}/apparmor.d/QtWebEngineProcess +%config(noreplace) %{_sysconfdir}/apparmor.d/ripd +%config(noreplace) %{_sysconfdir}/apparmor.d/ripngd +%config(noreplace) %{_sysconfdir}/apparmor.d/rygel +%config(noreplace) %{_sysconfdir}/apparmor.d/ssh-keyscan +%config(noreplace) %{_sysconfdir}/apparmor.d/staticd +%config(noreplace) %{_sysconfdir}/apparmor.d/systemd-detect-virt +%config(noreplace) %{_sysconfdir}/apparmor.d/tar +%config(noreplace) %{_sysconfdir}/apparmor.d/tinyproxy +%config(noreplace) %{_sysconfdir}/apparmor.d/tnftp +%config(noreplace) %{_sysconfdir}/apparmor.d/tshark +%config(noreplace) %{_sysconfdir}/apparmor.d/vrrpd +%config(noreplace) %{_sysconfdir}/apparmor.d/wg +%config(noreplace) %{_sysconfdir}/apparmor.d/wg-quick +%config(noreplace) %{_sysconfdir}/apparmor.d/who +%config(noreplace) %{_sysconfdir}/apparmor.d/wpa_supplicant +%config(noreplace) %{_sysconfdir}/apparmor.d/znc + %config(noreplace) %{_sysconfdir}/apparmor.d/balena-etcher %config(noreplace) %{_sysconfdir}/apparmor.d/brave %config(noreplace) %{_sysconfdir}/apparmor.d/buildah @@ -695,7 +771,6 @@ %config(noreplace) %{_sysconfdir}/apparmor.d/surfshark %config(noreplace) %{_sysconfdir}/apparmor.d/systemd-coredump %config(noreplace) %{_sysconfdir}/apparmor.d/thunderbird -%config(noreplace) %{_sysconfdir}/apparmor.d/toybox %config(noreplace) %{_sysconfdir}/apparmor.d/transmission %config(noreplace) %{_sysconfdir}/apparmor.d/trinity %config(noreplace) %{_sysconfdir}/apparmor.d/tup @@ -741,6 +816,7 @@ %{_sbindir}/aa-mergeprof %{_sbindir}/aa-notify %{_sbindir}/aa-remove-unknown +%{_sbindir}/aa-show-usage %{_sbindir}/aa-unconfined %{_sbindir}/audit %{_sbindir}/autodep 
@@ -758,7 +834,8 @@ %dir %{_datadir}/polkit-1 %dir %{_datadir}/polkit-1/actions %{_datadir}/polkit-1/actions/net.apparmor.pkexec.aa-notify.policy -%dir %{_localstatedir}/log/apparmor +# created via tmpfiles.d conf shipped with apparmor-parser +%ghost %{_localstatedir}/log/apparmor %doc %{_mandir}/man5/logprof.conf.5.gz %doc %{_mandir}/man8/apparmor_notify.8.gz %doc %{_mandir}/man8/aa-audit.8.gz @@ -774,6 +851,7 @@ %doc %{_mandir}/man8/aa-mergeprof.8.gz %doc %{_mandir}/man8/aa-notify.8.gz %doc %{_mandir}/man8/aa-remove-unknown.8.gz +%doc %{_mandir}/man8/aa-show-usage.8.gz %doc %{_mandir}/man8/aa-unconfined.8.gz %doc %{_mandir}/man8/audit.8.gz %doc %{_mandir}/man8/autodep.8.gz @@ -841,10 +919,12 @@ %endif %post parser +%tmpfiles_create apparmor.conf %service_add_post apparmor.service %preun parser %service_del_preun apparmor.service +systemd-tmpfiles --remove /usr/lib/tmpfiles.d/apparmor.conf || : %postun parser # bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing), @@ -852,14 +932,13 @@ %service_del_postun apparmor.service %posttrans abstractions -# workaround for bnc#904620#c8 / lp#1392042 and bnc#1242553 -apparmor_parser --purge-cache +# workaround for bnc#904620#c8 / lp#1392042 and bnc#1242553. +# Transactional update needs to defer cache purge until after /var is mounted +# read-write. We're currently lacking a tmpfiles_remove macro for this. +[ -z "$TRANSACTIONAL_UPDATE" ] && apparmor_parser --purge-cache %restart_on_update apparmor %post profiles -# delete old cache (location up to 2.12) -rm -f /var/lib/apparmor/cache/* 2>/dev/null - # cleanup old, unchanged local/* files for oldlocal in \ bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \ 
@@ -877,7 +956,7 @@ %posttrans profiles # workaround for bnc#904620#c8 / lp#1392042 and bnc#1242553 -apparmor_parser --purge-cache +[ -z "$TRANSACTIONAL_UPDATE" ] && apparmor_parser --purge-cache %restart_on_update apparmor %if %{with tomcat} ++++++ libapparmor.spec ++++++ --- /var/tmp/diff_new_pack.SO9JfH/_old 2026-05-14 21:43:10.143121768 +0200 +++ /var/tmp/diff_new_pack.SO9JfH/_new 2026-05-14 21:43:10.147121932 +0200 @@ -2,7 +2,7 @@ # spec file for package libapparmor # # Copyright (c) 2026 SUSE LLC and contributors -# Copyright (c) 2011-2024 Christian Boltz +# Copyright (c) 2011-2026 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,18 +17,18 @@ # -%define tarversion v4.1.7 +%define tarversion v5.0.0 Name: libapparmor -Version: 4.1.7 +Version: 5.0.0 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ URL: https://gitlab.com/apparmor/apparmor/ -Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz +Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.bz2 # from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures -Source1: apparmor-%{tarversion}.tar.gz.asc +Source1: apparmor-%{tarversion}.tar.bz2.asc Source2: apparmor.keyring BuildRequires: autoconf BuildRequires: autoconf-archive ++++++ allow-read-slash.diff ++++++ >From https://gitlab.com/apparmor/apparmor/-/merge_requests/2079 >From 32da667806e38b9cddf07f6f2793eba5b74bad6d Mon Sep 17 00:00:00 2001 
From: Christian Boltz <[email protected]> Date: Tue, 28 Apr 2026 19:59:16 +0200 Subject: [PATCH] Allow smbd and dovecot to read / Denials get reported with the update to systemd 260. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1263051 --- profiles/apparmor.d/usr.sbin.dovecot | 1 + profiles/apparmor.d/usr.sbin.smbd | 1 + 2 files changed, 2 insertions(+) diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot index d1bbbdb56..12f441a90 100644 --- a/profiles/apparmor.d/usr.sbin.dovecot +++ b/profiles/apparmor.d/usr.sbin.dovecot @@ -39,6 +39,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) { unix (receive, send) type=stream peer=(label=/usr/lib*/dovecot/anvil), unix (receive, send) type=stream peer=(label=dovecot-anvil), + / r, /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r, diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd index b54b4f551..b62b38202 100644 --- a/profiles/apparmor.d/usr.sbin.smbd +++ b/profiles/apparmor.d/usr.sbin.smbd @@ -27,6 +27,7 @@ profile smbd /usr/{bin,sbin}/smbd { signal send set=term peer=samba-bgqd, + / r, /etc/mtab r, /etc/netgroup r, /etc/printcap r, -- GitLab ++++++ apache-extra-profile-include-if-exists.diff ++++++ --- /var/tmp/diff_new_pack.SO9JfH/_old 2026-05-14 21:43:10.203124229 +0200 +++ /var/tmp/diff_new_pack.SO9JfH/_new 2026-05-14 21:43:10.207124393 +0200 
@@ -12,7 +12,7 @@ =================================================================== --- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100 +++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100 -@@ -75,7 +75,7 @@ include <tunables/global> +@@ -76,7 +76,7 @@ include <tunables/global> # This directory contains web application # package-specific apparmor files. ++++++ apparmor-lessopen-profile.patch ++++++ --- /var/tmp/diff_new_pack.SO9JfH/_old 2026-05-14 21:43:10.235125542 +0200 +++ /var/tmp/diff_new_pack.SO9JfH/_new 2026-05-14 21:43:10.239125706 +0200 @@ -5,7 +5,7 @@ @@ -0,0 +1,52 @@ +# vim: ft=apparmor + -+abi <abi/4.0>, ++abi <abi/5.0>, + +#include <tunables/global> + ++++++ apparmor-v4.1.7.tar.gz -> apparmor-v5.0.0.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apparmor/apparmor-v4.1.7.tar.gz /work/SRC/openSUSE:Factory/.apparmor.new.1966/apparmor-v5.0.0.tar.bz2 differ: char 1, line 1 ++++++ apparmor.tmpfiles.conf ++++++ # delete cache recursively when --boot is provided # workaround for bnc#904620#c8 / lp#1392042 # "apparmor_parser --purge-cache" used for now, until a tmpfiles_remove rpm # spec macro is available. #R! /var/cache/apparmor/* # for apparmor-utils d /var/log/apparmor 0755 root root # for apparmor-parser d /var/cache/apparmor 0700 root root L /etc/apparmor.d/cache.d - - - - /var/cache/apparmor ++++++ postfix-profiles-slash.diff ++++++ >From https://gitlab.com/apparmor/apparmor/-/merge_requests/2087 >From fb7fbc23e10ce2040837c37eb4444a2d97f0b175 Mon Sep 17 00:00:00 2001 
From: Christian Boltz <[email protected]> Date: Sat, 2 May 2026 20:20:46 +0200 Subject: [PATCH 1/2] abstractions/postfix-common: allow / r, This is needed at least by - postfix-lmtp - postfix-master - postfix-qmgr - postfix-pickup - @{sbin}/postqueue - postfix-tlsmgr - postfix-smtpd - postfix-proxymap - postfix-trivial-rewrite - postfix-cleanup - postalias probably since the update to systemd 260 --- profiles/apparmor.d/abstractions/postfix-common | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/profiles/apparmor.d/abstractions/postfix-common b/profiles/apparmor.d/abstractions/postfix-common index d1498c9a8..b3fe784f0 100644 --- a/profiles/apparmor.d/abstractions/postfix-common +++ b/profiles/apparmor.d/abstractions/postfix-common @@ -2,7 +2,7 @@ # # Copyright (C) 2002-2005 Novell/SUSE # Copyright (C) 2015-2018 Canonical, Ltd. -# Copyright (C) 2020-2021 Christian Boltz +# Copyright (C) 2020-2026 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -23,6 +23,7 @@ unix (send, receive) peer=(label=postfix-master), + / r, /etc/mailname r, /etc/postfix/*.cf r, /etc/postfix/*.db rk, -- GitLab >From 3171a3e2cdc529af0f5e5001ee4ea38679a24d6e Mon Sep 17 00:00:00 2001 From: Christian Boltz <[email protected]> Date: Sat, 2 May 2026 20:24:34 +0200 Subject: [PATCH 2/2] postalias: modernize profile + allow disconnected /dev/null Modernize the postalias profile by adding a profile name. Also add attach_disconnected.path and allow access to disconnected /dev/null. --- profiles/apparmor/profiles/extras/usr.sbin.postalias | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postalias b/profiles/apparmor/profiles/extras/usr.sbin.postalias index 702625e8b..1aa51d97f 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.postalias +++ b/profiles/apparmor/profiles/extras/usr.sbin.postalias 
@@ -1,7 +1,7 @@ # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE -# Copyright (C) 2021 Christian Boltz +# Copyright (C) 2021-2026 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -13,12 +13,15 @@ abi <abi/5.0>, include <tunables/global> -/usr/sbin/postalias { +profile postalias /usr/sbin/postalias flags=(attach_disconnected.path=/att/postalias/) { include <abstractions/base> include <abstractions/kerberosclient> include <abstractions/nameservice> include <abstractions/consoles> include <abstractions/postfix-common> + + /att/postalias/dev/null r, + /etc/aliases r, /etc/aliases.{lm,}db rwlk, /etc/postfix r, @@ -38,4 +41,5 @@ include <tunables/global> # Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.postalias> + include if exists <local/postalias> } -- GitLab ++++++ syslog-ng-slashes.diff ++++++ >From https://gitlab.com/apparmor/apparmor/-/merge_requests/2090 >From 657ec6792e54bdb1cd06e70cbed24850c3e37ee1 Mon Sep 17 00:00:00 2001 From: Christian Boltz <[email protected]> Date: Tue, 5 May 2026 14:00:03 +0200 Subject: [PATCH] syslog-ng: avoid double slash in @{CHROOT_BASE}@{run} With empty @{CHROOT_BASE}, we end up with `//run/...` - and since AppArmor 5.0, de-duplication of leading slashes no longer happens. Remove the slash between the two variables to avoid that the result starts with `//`. This is a workaround for https://gitlab.com/apparmor/apparmor/-/work_items/622 --- profiles/apparmor.d/sbin.syslog-ng | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng index 36451cbff..76620384b 100644 --- a/profiles/apparmor.d/sbin.syslog-ng +++ b/profiles/apparmor.d/sbin.syslog-ng 
@@ -55,8 +55,8 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng { @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw, @{CHROOT_BASE}/var/log/** w, - @{CHROOT_BASE}/@{run}/syslog-ng.pid krw, - @{CHROOT_BASE}/@{run}/syslog-ng.ctl rw, + @{CHROOT_BASE}@{run}/syslog-ng.pid krw, + @{CHROOT_BASE}@{run}/syslog-ng.ctl rw, /{var,var/run,run}/log/journal/ r, /{var,var/run,run}/log/journal/*/ r, /{var,var/run,run}/log/journal/*/*.journal r, -- GitLab
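Review bot: in the apparmor.spec `%check` hunk, `make -C profiles check` replaces `make -C profiles check-parser` and drops the comment explaining that the utils-based profile tests expected `/sbin/apparmor_parser` to exist; if that limitation is gone upstream, say so in a comment, and if it is not, the new target may silently pick up an installed system parser instead of the freshly built one (the cache step a few lines earlier deliberately runs `parser/apparmor_parser` from the build tree). Please confirm which parser binary the utils tests invoke during `make check`.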
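Review bot: in the apparmor.spec `%preun parser` hunk, `systemd-tmpfiles --remove /usr/lib/tmpfiles.d/apparmor.conf || :` hardcodes the path that `%install` writes as `%{_tmpfilesdir}/apparmor.conf`; use the macro in both places. More importantly, `%preun` also runs on upgrades, so the call should be guarded with `if [ $1 -eq 0 ]` unless removal on every upgrade is intended. As shipped, apparmor.tmpfiles.conf contains only `d` and `L` lines, which `--remove` does not act on, so the call is currently a no-op; but once the commented `R! /var/cache/apparmor/*` line is enabled, an unguarded `%preun` would wipe the cache on each package upgrade.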
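Review bot: in the apparmor.spec `%files` hunks, `%ghost %{_sysconfdir}/apparmor.d/cache.d`, `%ghost %{_localstatedir}/cache/apparmor` and `%ghost %{_localstatedir}/log/apparmor` are no longer created in `%install` (the `mkdir -p` and `ln -s` lines were removed), so rpm has no file type or mode to record for them; mark the directories `%dir %ghost %attr(0700,root,root)` and `%dir %ghost %attr(0755,root,root)` to match the `d /var/cache/apparmor 0700 root root` and `d /var/log/apparmor 0755 root root` lines in apparmor.tmpfiles.conf, otherwise `rpm -V` and ownership queries report them as plain files. The comment "created via tmpfiles.d conf shipped with apparmor-parser" on the log-directory ghost also introduces a cross-subpackage dependency: the utils package only gets its log directory if the parser package is installed and its `%post` ran `%tmpfiles_create`, so verify that apparmor-utils already requires apparmor-parser.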
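Review bot: in the `%posttrans abstractions` and `%posttrans profiles` hunks of apparmor.spec, the new comment says transactional update "needs to defer cache purge until after /var is mounted read-write", but `[ -z "$TRANSACTIONAL_UPDATE" ] && apparmor_parser --purge-cache` does not defer anything; on transactional systems the purge is simply skipped, and the `R! /var/cache/apparmor/*` line in apparmor.tmpfiles.conf that would do it at boot is commented out. Reword the comment to state that the cache is not purged on transactional systems until a tmpfiles_remove macro exists, and append `|| :` (as `%preun parser` already does) so the scriptlet line does not end with exit status 1 when the test fails.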
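Review bot: the header comment of apparmor.tmpfiles.conf, "delete cache recursively when --boot is provided", describes behaviour that the file does not have, because the `R! /var/cache/apparmor/*` line below it is commented out. Either move the comment next to the disabled line and mark it as disabled, or drop it, so that an administrator reading the file is not led to expect a boot-time cache purge that never happens.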
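Review bot: the `+ / r,` rules added to usr.sbin.dovecot, usr.sbin.smbd (allow-read-slash.diff) and abstractions/postfix-common (postfix-profiles-slash.diff) carry no inline comment; only the commit messages and the spec say the rule exists because of systemd 260 (boo#1263051). A one-line comment above each rule, such as `# needed since systemd 260`, would keep the next profile cleanup from treating a bare read of `/` as a leftover. The rule itself is the minimal grant (read on the root directory only, non-recursive), so no tightening is needed.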
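Review bot: in the usr.sbin.postalias hunk, renaming the profile header from `/usr/sbin/postalias {` to `profile postalias /usr/sbin/postalias flags=(attach_disconnected.path=/att/postalias/) {` changes the confinement label from `/usr/sbin/postalias` to `postalias`. Exec transitions by path keep working, but any other profile that references the old label, for example in a `peer=(label=/usr/sbin/postalias)` clause of a unix, signal or ptrace rule (postfix-common uses the same label-based form, `peer=(label=postfix-master)`), would stop matching; please grep the tree for the old label. Also, `/att/postalias/dev/null r,` only allows reading; if the disconnected `/dev/null` is used as a stdout/stderr sink, `w` is needed as well, so confirm the access mode against the denial that motivated the rule.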
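Review bot: the sbin.syslog-ng hunk fixes `@{CHROOT_BASE}/@{run}/...` by removing the separator slash, which relies on every expansion of `@{run}` starting with `/` and on `@{CHROOT_BASE}` never ending with `/`; a short comment above the two rules stating that assumption (and pointing at work_items/622) would prevent someone from re-adding the slash. Since the commit message says AppArmor 5.0 no longer de-duplicates leading slashes, the same `}/@{` pattern between two variables should be searched for across the other shipped profiles, not only this one; the remaining `@{CHROOT_BASE}/var/...` rules in the same hunk are fine because `/var` is a literal.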
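Review bot: in the apparmor-lessopen-profile.patch hunk, the abi line is bumped to `abi <abi/5.0>,` while the context line two rows below still uses the legacy `#include <tunables/global>` form; since this is an openSUSE-maintained profile being modernised anyway, switch it to `include <tunables/global>` to match the other profiles touched in this update (the postalias hunk already uses the bare `include` syntax).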
