Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2017-01-27 10:39:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2016-10-31 09:52:34.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2017-02-03 17:31:34.092783177 +0100 @@ -1,0 +2,25 @@ +Tue Jan 24 13:40:30 UTC 2017 - [email protected] + +- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/. + This is part of the root partition (at least with default partitioning) + and should be available earlier than /var/cache/apparmor/ + (boo#1015249, boo#980081, bsc#1016259) +- add dependency on var-lib.mount to apparmor.service as safety net + +------------------------------------------------------------------- +Tue Jan 10 22:15:56 UTC 2017 - [email protected] + +- update to AppArmor 2.10.2 maintenance release + - lots of bugfixes and profile updates (including boo#1000201, + boo#1009964, boo#1014463) + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details +- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression + in aa-unconfined +- drop upstream(ed) patches: + - changes-since-2.10.1--r3326..3346.diff + - changes-since-2.10.1--r3347..3353.diff + - libapparmor-fix-import-path.diff (upstream fix is slightly different) + - nscd-var-lib.diff +- refresh apparmor-abstractions-no-multiline.diff + +------------------------------------------------------------------- Old: ---- apparmor-2.10.1.tar.gz apparmor-2.10.1.tar.gz.asc changes-since-2.10.1--r3326..3346.diff changes-since-2.10.1--r3347..3353.diff libapparmor-fix-import-path.diff nscd-var-lib.diff New: ---- aa-unconfined-fix-netstat-call-2.10r3380.diff apparmor-2.10.2.tar.gz apparmor-2.10.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.HH4GVH/_old 2017-02-03 17:31:34.828679022 +0100 +++ /var/tmp/diff_new_pack.HH4GVH/_new 2017-02-03 17:31:34.828679022 +0100 
@@ -1,8 +1,8 @@ # # spec file for package apparmor # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# Copyright (c) 2011-2016 Christian Boltz +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2011-2017 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -60,7 +60,7 @@ %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.10.1 +Version: 2.10.2 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ @@ -82,8 +82,8 @@ # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch3: apparmor-utils-string-split -# upstream changes/fixes from 2.10 branch r3326..3346 -Patch4: changes-since-2.10.1--r3326..3346.diff +# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380) +Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, [email protected] Patch5: ruby-2_0-mkmf-destdir.patch @@ -95,15 +95,6 @@ # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet) -Patch8: libapparmor-fix-import-path.diff - -# upstream changes/fixes from 2.10 branch r3347..3353 -Patch9: changes-since-2.10.1--r3347..3353.diff - -# update nscd profile and abstractions/nameservice to allow /var/lib/nscd/ paths (submitted upstream 2016-10-23) -Patch10: nscd-var-lib.diff - Url: https://launchpad.net/apparmor PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -453,9 +444,6 @@ %patch6 %patch7 -p1 -%patch8 -%patch9 -%patch10 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" 
@@ -572,9 +560,9 @@ %makeinstall -C parser # default cache dir is /etc/apparmor.d/cache - not the best location. -# Use /var/cache/apparmor and make /etc/apparmor.d/cache a symlink to it -mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor -( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache ) +# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it +mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache +( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache ) %if %{with apache} %makeinstall -C changehat/mod_apparmor @@ -645,7 +633,6 @@ %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache -%dir %{_localstatedir}/cache/apparmor %if %{distro} == "suse" /sbin/rcsubdomain /sbin/rcapparmor ++++++ aa-unconfined-fix-netstat-call-2.10r3380.diff ++++++ ------------------------------------------------------------ revno: 3380 committer: Steve Beattie <[email protected]> branch nick: 2.10 timestamp: Mon 2017-01-09 09:22:58 -0800 message: Subject: utils/aa-unconfined: fix netstat invocation regression It was reported that converting the netstat command to examine processes bound to ipv6 addresses broke on OpenSUSE due to the version of nettools not supporting the short -4 -6 arguments. This patch fixes the invocation of netstat to use the "--protocol inet,inet6" arguments instead, which should return the same results as the short options. Signed-off-by: Steve Beattie <[email protected]> Acked-by: Christian Boltz <[email protected]> === modified file 'utils/aa-unconfined' --- utils/aa-unconfined 2016-12-05 09:21:27 +0000 +++ utils/aa-unconfined 2017-01-09 17:22:58 +0000 
@@ -46,10 +46,10 @@ regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)") import subprocess if sys.version_info < (3, 0): - output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n") + output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n") else: #Python3 needs to translate a stream of bytes to string with specified encoding - output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n") + output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n") for line in output: match = regex_tcp_udp.search(line) vim:ft=diff ++++++ apparmor-2.10.1.tar.gz -> apparmor-2.10.2.tar.gz ++++++ ++++ 2759 lines of diff (skipped) ++++++ apparmor-abstractions-no-multiline.diff ++++++ --- /var/tmp/diff_new_pack.HH4GVH/_old 2017-02-03 17:31:35.660561281 +0100 +++ /var/tmp/diff_new_pack.HH4GVH/_new 2017-02-03 17:31:35.660561281 +0100 @@ -3,10 +3,10 @@ =================================================================== --- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200 +++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200 -@@ -24,12 +24,8 @@ +@@ -25,12 +25,8 @@ # the unix socket to use to connect to the display - /tmp/.X11-unix/* w, + /tmp/.X11-unix/* rw, - unix (connect, receive, send) - type=stream - peer=(addr="@/tmp/.X11-unix/X[0-9]*"), @@ -122,7 +122,7 @@ # Allow connecting to system bus and where to connect to services. Put these # here so we don't need to repeat these rules in multiple places (actual -@@ -58,108 +33,47 @@ +@@ -58,108 +36,47 @@ # allow apps to brute-force enumerate system services, but our system # services aren't a secret. /{,var/}run/dbus/system_bus_socket rw, 
@@ -282,7 +282,7 @@ =================================================================== --- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200 +++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200 -@@ -88,6 +88,4 @@ +@@ -91,6 +91,4 @@ # Allow connecting to the GNOME vfs socket (still need corresponding DBus # rules) ++++++ apparmor.service ++++++ --- /var/tmp/diff_new_pack.HH4GVH/_old 2017-02-03 17:31:35.712553922 +0100 +++ /var/tmp/diff_new_pack.HH4GVH/_new 2017-02-03 17:31:35.712553922 +0100 @@ -3,6 +3,7 @@ DefaultDependencies=no Before=sysinit.target After=systemd-journald-audit.socket +After=var-lib.mount ConditionSecurity=apparmor [Service] @@ -13,4 +14,4 @@ RemainAfterExit=yes [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target
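
Review bot: In the apparmor.spec hunk at @@ -82,8 +82,8 @@, Patch4 is reused for a different file while the matching %patch4 line lies outside the visible hunks. The new diff uses paths of the form utils/aa-unconfined, so check that the existing %patch4 invocation has the right strip level for it; the %prep hunk shows a mix of bare %patchN and %patch7 -p1, so the level cannot be assumed.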
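
Review bot: In the apparmor.spec hunks at @@ -572,9 +560,9 @@ and @@ -645,7 +633,6 @@, the %dir entry for %{_localstatedir}/cache/apparmor is dropped but the visible lines add no %files entry for %{_localstatedir}/lib/apparmor/cache, which mkdir -p creates in the buildroot. Unless an entry outside these hunks already covers it, the directory is not packaged and the /etc/apparmor.d/cache symlink dangles after install; list it with an explicit root-owned %attr, since the parser loads compiled policy from that location. The hunks also leave any existing files under /var/cache/apparmor untouched on upgrade, so a cleanup scriptlet or a changelog remark about the stale cache would help.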
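
Review bot: In the utils/aa-unconfined hunk at @@ -46,10 +46,10 @@, both changed check_output calls still set only LANG=C and still pass the command as one string with shell=True. LC_ALL and LC_MESSAGES take precedence over LANG, so a caller with LC_ALL set can get localized netstat output that regex_tcp_udp, which matches the literal LISTEN, does not parse; LC_ALL=C is the safer setting. Since the command has no variable parts, it could be passed as an argument list (netstat, -nlp, --protocol, inet,inet6) with the locale supplied through env= and no shell, and defined once instead of being repeated in the Python 2 and Python 3 branches.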
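
Review bot: In the apparmor.service hunk at @@ -3,6 +3,7 @@, After=var-lib.mount is an ordering-only dependency on one specific mount unit, so it does nothing when the cache path sits on a separately mounted /var (var.mount) or on any other layout. RequiresMountsFor=/var/lib/apparmor/cache would let systemd derive the needed mount units from the path; it also adds a Requires= dependency, so decide whether a failed mount should keep the service from starting. A comment in the unit pointing at boo#1015249 would document why the line is there.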
