Package: openldap2.3
Version: 2.4.9-1
Severity: wishlist
Tags: patch
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu ubuntu-patch intrepid

The attached patch has been applied to the Ubuntu openldap2.3 source
package, for compatibility with apparmor.  Without this patch, applying an
apparmor policy to slapd causes all of slap* to break, because these are
installed as symlinks and as a result the same apparmor policy is applied to
them when it shouldn't be - preventing, e.g., using slapadd/slapcat to
read/write to an ldif in a user's home directory.

The following explanation is provided in the changelog:

  - debian/rules, debian/slapd.links: use hard links to slapd instead of
    symlinks for slap* so these applications aren't confined by apparmor
    (LP: #203898)

Should we incorporate this patch into the Debian package?  FWIW, the Ubuntu
openldap2.3 package has been patched somewhat extensively for apparmor
support, but given that Debian doesn't support apparmor I don't see the
point in bloating the package with a bunch of apparmor code; whereas I can't
see anything that would be a problem with switching the symlinks to hard
links, since we're maintaining a static list of them either way.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
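The symlink and hard-link behaviour described in the message, as an added example that is not part of the original message or of the Ubuntu patch: it shows which name a path-based policy sees for each kind of link, and lists the hard-linked names that fall outside a profile keyed on one path. The function names and the temporary directory tree are assumptions made for illustration; the tree is constructed and does not touch the real /usr/sbin.

```shell
#!/bin/sh
# Added example. Assumption: the policy is attached by the resolved path of
# the executable, as the message describes for the slapd profile.

# Path seen when NAME is executed: symlinks resolve to their target,
# hard links keep their own name.
exec_path() {
    readlink -f "$1"
}

# Print the names in DIR that are hard links to FILE (same inode, not
# symlinks). They run the same code but do not match a profile on FILE's path.
hardlink_aliases() {
    file=$1
    dir=$2
    for p in "$dir"/*; do
        [ -L "$p" ] && continue          # symlinks resolve to FILE's path
        [ "$p" = "$file" ] && continue   # skip FILE itself
        [ "$p" -ef "$file" ] && basename "$p"
    done
    return 0
}

# Constructed sample tree: slapd, one symlink (old layout), one hard link
# (layout after the patch). Prints the tree's root directory.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/sbin"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/sbin/slapd"
    chmod 755 "$root/usr/sbin/slapd"
    ln -s slapd "$root/usr/sbin/slapcat"
    ln "$root/usr/sbin/slapd" "$root/usr/sbin/slapadd"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_demo_tree) || return 1
    sbin=$root/usr/sbin
    echo "slapcat (symlink)   runs as: $(exec_path "$sbin/slapcat")"
    echo "slapadd (hard link) runs as: $(exec_path "$sbin/slapadd")"
    echo "names outside a profile on $sbin/slapd:"
    hardlink_aliases "$sbin/slapd" "$sbin"
    rm -rf "$root"
}

demo
```

On an installed system, running `hardlink_aliases /usr/sbin/slapd /usr/sbin` gives the list of tool names that a profile for `/usr/sbin/slapd` does not cover.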
diff -u openldap2.3-2.4.9/debian/slapd.links 
openldap2.3-2.4.9/debian/slapd.links
--- openldap2.3-2.4.9/debian/slapd.links
+++ openldap2.3-2.4.9/debian/slapd.links
@@ -3,8 +2,0 @@
-usr/sbin/slapd usr/sbin/slapacl
-usr/sbin/slapd usr/sbin/slapadd
-usr/sbin/slapd usr/sbin/slapauth
-usr/sbin/slapd usr/sbin/slapcat
-usr/sbin/slapd usr/sbin/slapdn
-usr/sbin/slapd usr/sbin/slapindex
-usr/sbin/slapd usr/sbin/slappasswd
-usr/sbin/slapd usr/sbin/slaptest
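Review bot: with all eight `usr/sbin/slapd usr/sbin/slap*` entries removed here, the only remaining record of which tool names ship is the word list inside the shell loop in debian/rules. The eight names match between the two places today, but a list buried in a recipe is easy to miss when a tool is added or dropped. Suggest putting the names in a make variable near `slapddir` and iterating over that, so the static list stays in one obvious place.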
diff -u openldap2.3-2.4.9/debian/rules openldap2.3-2.4.9/debian/rules
--- openldap2.3-2.4.9/debian/rules
+++ openldap2.3-2.4.9/debian/rules
@@ -33,6 +33,7 @@
 installdir     := $(CURDIR)/debian/install
 tmpdir         := $(CURDIR)/debian/tmp
 builddir       := $(CURDIR)/debian/build
+slapddir       := $(CURDIR)/debian/slapd/usr/sbin
 
 MAKEVARS       := DESTDIR=$(installdir) STRIP=
 
@@ -149,6 +153,12 @@
        dh_strip -pslapd --dbg-package=slapd-dbg
        dh_strip -pldap-utils
        dh_link -a
+
+       # hardlink these so not confined by apparmor
+       for f in slapacl slapadd slapauth slapcat slapdn slapindex slappasswd 
slaptest ; do \
+           ln -f $(slapddir)/slapd $(slapddir)/$$f ; \
+       done ;
+
        dh_compress -a
        dh_fixperms -a
        # ideally we would do this and not have any libldap-2.4.so.2 links
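Review bot: the `for` loop added after `dh_link -a` does not stop on error. The recipe's exit status is that of the last `ln -f` only, so a failed link for an earlier name such as slapacl would go unnoticed and the package would be built without that tool. Add `set -e ;` before the `for`, or `|| exit 1` after the `ln -f` command. Two smaller points: as posted the `for` line is wrapped before `slaptest` and has to be rejoined for the patch to apply, and the header `@@ -149,6 +153,12 @@` is offset by more than the one line the previous hunk adds, which suggests this was cut from a larger diff of debian/rules and may need adjusting against the Debian file.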
