Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2017-10-10 11:33:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Tue Oct 10 11:33:56 2017 rev:105 rq:531184 version:2.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2017-09-25 13:57:27.959299913 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2017-10-10 11:34:00.859099447 +0200 @@ -1,0 +2,6 @@ +Tue Oct 3 16:28:52 UTC 2017 - [email protected] + +- profiles-sockets-temporary-fix.patch to cater to nameservices with the + new sockets mediation, until unix rules are upstreamed (boo#1061195) + +------------------------------------------------------------------- New: ---- profiles-sockets-temporary-fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.trMIDR/_old 2017-10-10 11:34:02.143043097 +0200 +++ /var/tmp/diff_new_pack.trMIDR/_new 2017-10-10 11:34:02.147042922 +0200 @@ -88,6 +88,10 @@ # https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7 Patch14: apparmor-fix-podsyntax.patch +# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only) +# TODO: replace with proper unix rules when Kernel 4.15 arrives +Patch15: profiles-sockets-temporary-fix.patch + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor 
@@ -395,6 +399,7 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" ++++++ profiles-sockets-temporary-fix.patch ++++++ Subject: [PATCH] Temporarily fix socket mediation in nameservice References: bsc#1061195 As per the conversation on IRC: cboltz: ah yes, the upstreamed version fixes a couple holes in the old patch suse carried One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2). The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules. Instead, I'll add a temporary patch for abstractions/nameservice that adds network unix dgram, network unix stream, (including a TODO note to replace it as soon as support for unix rules was upstreamed, probably 4.15). These rules are broader than needed, but should avoid user-visible breakage - and at least with 4.14, unix rules would get downgraded to network unix anyway ;-) --- profiles/apparmor.d/abstractions/nameservice | 6 ++++++ 1 file changed, 6 insertions(+) --- a/profiles/apparmor.d/abstractions/nameservice +++ b/profiles/apparmor.d/abstractions/nameservice @@ -92,5 +92,11 @@ # Netlink raw needed for nscd network netlink raw, + # This is a temporary fix for nameservices with the new socket + # mediations in 4.14-rc2 + # TODO: To be replaced once unix rules are upstreamed + network unix dgram, + network unix stream, + # interface details @{PROC}/@{pid}/net/route r,
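Review bot: in the apparmor.changes hunk the bug is cited as boo#1061195, while the header of profiles-sockets-temporary-fix.patch cites bsc#1061195; both are the same bugzilla number, but use one prefix throughout so the reference can be searched consistently. The entry says the patch stays "until unix rules are upstreamed"; naming the expected kernel (4.15, as in the spec TODO) here would make the removal condition visible from the changelog alone.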
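Review bot: the Patch15 comment in apparmor.spec ("temporary solution for unix dgram and unix stream ... will probably stay openSUSE only") should say which rules the patch adds and where (`network unix dgram,` and `network unix stream,` in abstractions/nameservice), so that the `# TODO: replace with proper unix rules when Kernel 4.15 arrives` line can be acted on without re-reading bsc#1061195; a broadening of a widely included abstraction is exactly the kind of temporary change that gets forgotten once the denials stop.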
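Review bot: the `%patch15 -p1` line is applied before the left-over-multiline-rules check, and that grep (`^\s*\(unix\|dbus\)...`) only matches rules beginning with `unix` or `dbus`, so the new `network unix dgram,` / `network unix stream,` lines pass it unchanged; that is the intended outcome, but a one-line comment noting that Patch15 deliberately uses `network unix` rather than `unix` rules (the commit message explains 4.14 downgrades `unix` to `network unix` anyway) would stop a later reader from "fixing" it into a form the check rejects.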
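Review bot: `network unix dgram,` and `network unix stream,` in abstractions/nameservice grant every profile that includes the abstraction unrestricted unix-socket access of those two types, which the commit message itself calls broader than needed; the in-profile comment should carry the bug reference (bsc#1061195) and the kernel in which proper `unix` rules are expected (4.15, per the spec) next to the TODO, so the widening is tracked and reverted. The comment currently names only 4.14-rc2 (where the denials appear), while the spec names 4.15 (where the fix is expected); stating both avoids confusion about which version triggers removal.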
