Hello community, here is the log from the commit of package apparmor for openSUSE:Leap:15.2 checked in at 2020-06-04 16:00:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/apparmor (Old) and /work/SRC/openSUSE:Leap:15.2/.apparmor.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Thu Jun 4 16:00:58 2020 rev:58 rq:810288 version:2.13.4 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/apparmor/apparmor.changes 2020-04-20 12:55:18.908712145 +0200 +++ /work/SRC/openSUSE:Leap:15.2/.apparmor.new.3606/apparmor.changes 2020-06-04 16:01:00.702905862 +0200 @@ -7,0 +8,32 @@ +Sat Mar 28 21:46:48 UTC 2020 - Christian Boltz <[email protected]> + +- fix build with make 4.3 by backporting some commits from upstream + master (boo#1167953): + - make-4.3-capabilities.diff + - make-4.3-capabilities-vim.diff + - make-4.3-network.diff + - make-4.3-fix-utils-network-test.diff + +------------------------------------------------------------------- +Thu Mar 12 19:55:06 UTC 2020 - Christian Boltz <[email protected]> + +- update to AppArmor 2.13.4 + - several abstraction updates (including boo#1153162) + - disallow writing to fontconfig cache in abstractions/fonts + - some bugfixes in the aa-* tools + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4 + for the detailed upstream changelog +- drop upstreamed patches: + - abstractions-ssl-certbot-paths.diff + - apparmor-krb5-conf-d.diff + - libapparmor-python3.8.diff + - usr-etc-abstractions-authentification.diff +- refresh usr-etc-abstractions-base-nameservice.diff + +------------------------------------------------------------------- +Sat Jan 25 18:51:17 UTC 2020 - Christian Boltz <[email protected]> + +- add usr-etc-abstractions-base-nameservice.diff to adjust + abstractions/base and nameservice for /usr/etc/ (boo#1161756) + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Leap:15.2/apparmor/libapparmor.changes 2020-01-15 14:47:12.613287755 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.apparmor.new.3606/libapparmor.changes 2020-06-04 16:01:00.746906013 +0200 
@@ -1,0 +2,8 @@ +Thu Mar 12 19:30:19 UTC 2020 - Christian Boltz <[email protected]> + +- update to AppArmor 2.13.4 + - fix log parsing for logs with an embedded newline + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4 + for the detailed upstream changelog + +------------------------------------------------------------------- Old: ---- abstractions-ssl-certbot-paths.diff apparmor-2.13.3.tar.gz apparmor-2.13.3.tar.gz.asc apparmor-krb5-conf-d.diff libapparmor-python3.8.diff usr-etc-abstractions-authentification.diff New: ---- apparmor-2.13.4.tar.gz apparmor-2.13.4.tar.gz.asc make-4.3-capabilities-vim.diff make-4.3-capabilities.diff make-4.3-fix-utils-network-test.diff make-4.3-network.diff usr-etc-abstractions-base-nameservice.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.2ci9Ga/_old 2020-06-04 16:01:01.402908270 +0200 +++ /var/tmp/diff_new_pack.2ci9Ga/_new 2020-06-04 16:01:01.406908284 +0200 @@ -1,7 +1,7 @@ # # spec file for package apparmor # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # Copyright (c) 2011-2019 Christian Boltz # # All modifications and additions to the file contributed by third parties @@ -35,7 +35,7 @@ %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) Name: apparmor -Version: 2.13.3 +Version: 2.13.4 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later 
@@ -65,20 +65,23 @@ # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix) Patch5: apparmor-lessopen-nfs-workaround.diff -# allow /etc/krb5.conf.d/ for kerberos client (submitted upstream 2019-09-28 https://gitlab.com/apparmor/apparmor/merge_requests/425) -Patch6: apparmor-krb5-conf-d.diff +# update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x) +Patch10: ./usr-etc-abstractions-base-nameservice.diff -# add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30) -Patch7: abstractions-ssl-certbot-paths.diff +# fix build with make 4.3 - network rules (taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/307, not in 2.13.x, boo#1167953) +Patch11: make-4.3-network.diff -# allow reading /usr/etc/pam.d/* and some other authentification-related files (submitted upstream 2019-10-07 https://gitlab.com/apparmor/apparmor/merge_requests/426) -Patch8: usr-etc-abstractions-authentification.diff +# fix build with make 4.3 - fix utils network tests (taken from upstream 9144e39d2, not in 2.13.x, boo#1167953) +Patch12: make-4.3-fix-utils-network-test.diff -# fix building libapparmor python bindings with python 3.8. 
Based on https://gitlab.com/apparmor/apparmor/merge_requests/430 but patching configure directly to avoid needing BuildRequires: aclocal -Patch9: libapparmor-python3.8.diff +# fix build with make 4.3 - capability rules (taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/461, not in 2.13.x, boo#1167953) +Patch13: make-4.3-capabilities.diff + +# fix build with make 4.3 - fix apparmor.vim capability rules (submitted upstream 2020-03-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/463, not in 2.13.x, boo#1167953) +Patch14: make-4.3-capabilities-vim.diff #Bug 1168306 - apparmor prevents the resolver from reading /etc/mdns.allow, and therefore forbids using any custom domain name -Patch10: abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch +Patch15: abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -368,11 +371,12 @@ %patch3 -p1 %patch4 %patch5 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 %build %define _lto_cflags %{nil} ++++++ libapparmor.spec ++++++ --- /var/tmp/diff_new_pack.2ci9Ga/_old 2020-06-04 16:01:01.434908380 +0200 +++ /var/tmp/diff_new_pack.2ci9Ga/_new 2020-06-04 16:01:01.438908394 +0200 @@ -1,7 +1,7 @@ # # spec file for package libapparmor # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # Copyright (c) 2011-2019 Christian Boltz # # All modifications and additions to the file contributed by third parties 
@@ -18,7 +18,7 @@ Name: libapparmor -Version: 2.13.3 +Version: 2.13.4 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later ++++++ apparmor-2.13.3.tar.gz -> apparmor-2.13.4.tar.gz ++++++ /work/SRC/openSUSE:Leap:15.2/apparmor/apparmor-2.13.3.tar.gz /work/SRC/openSUSE:Leap:15.2/.apparmor.new.3606/apparmor-2.13.4.tar.gz differ: char 5, line 1 ++++++ make-4.3-capabilities-vim.diff ++++++ commit 60b005788e79c1be7276349242e0cc97b99f7118 Author: Christian Boltz <[email protected]> Date: Sun Mar 29 00:07:11 2020 +0100 fix capabilities in apparmor.vim https://gitlab.com/apparmor/apparmor/-/merge_requests/461 / e92da079ca12e776991bd36524430bd67c1cb72a changed creating the capabilities to use a script. A side effect is that the list is now separated by \n instead of spaces. Adjust create-apparmor.vim.py to the new output. diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py index 6a5f02a2..b5df957a 100644 --- a/utils/vim/create-apparmor.vim.py +++ b/utils/vim/create-apparmor.vim.py @@ -50,7 +50,7 @@ if rc != 0: sys.stderr.write("make list_capabilities failed: " + output) exit(rc) -capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ") +capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n') benign_caps = [] for cap in capabilities: if cap not in danger_caps: ++++++ make-4.3-capabilities.diff ++++++ commit e92da079ca12e776991bd36524430bd67c1cb72a Author: allgdante <[email protected]> Date: Mon Mar 23 15:09:15 2020 +0000 Generate CAPABILITIES in a script due to make 4.3 This way we could generate the capabilities in a way that works with every version of make. Changes to list_capabilities are intended to exactly replicate the old behavior. diff --git a/common/Make.rules b/common/Make.rules index 357bdec8..ecc6181a 100644 --- a/common/Make.rules +++ b/common/Make.rules 
@@ -74,19 +74,6 @@ endif pod_clean: -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp -# ===================== -# generate list of capabilities based on -# /usr/include/linux/capabilities.h for use in multiple locations in -# the source tree -# ===================== - -# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2" -CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort) - -.PHONY: list_capabilities -list_capabilities: /usr/include/linux/capability.h - @echo "$(CAPABILITIES)" - # ===================== # manpages # ===================== diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh new file mode 100755 index 00000000..4e37cda7 --- /dev/null +++ b/common/list_capabilities.sh @@ -0,0 +1,14 @@ +#!/bin/bash -e + +# ===================== +# generate list of capabilities based on +# /usr/include/linux/capabilities.h for use in multiple locations in +# the source tree +# ===================== + +echo "#include <linux/capability.h>" | \ + cpp -dM | \ + LC_ALL=C sed -n \ + -e '/CAP_EMPTY_SET/d' \ + -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \ + LC_ALL=C sort diff --git a/parser/Makefile b/parser/Makefile index 2d40b06f..a71b5788 100644 --- a/parser/Makefile +++ b/parser/Makefile @@ -284,7 +284,7 @@ af_names.h: ../common/list_af_names.sh # cat $@ cap_names.h: /usr/include/linux/capability.h - echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@ + ../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@ tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS}) $(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS) 
diff --git a/utils/Makefile b/utils/Makefile index 8fae738d..80990004 100644 --- a/utils/Makefile +++ b/utils/Makefile @@ -79,7 +79,7 @@ clean: pod_clean .SILENT: check_severity_db check_severity_db: /usr/include/linux/capability.h severity.db # The sed statement is based on the one in the parser's makefile - RC=0 ; for cap in ${CAPABILITIES} ; do \ + RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \ if ! grep -q -w $${cap} severity.db ; then \ echo "Warning! capability $${cap} not found in severity.db" ; \ RC=1 ; \ diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py index fea134f6..6a5f02a2 100644 --- a/utils/vim/create-apparmor.vim.py +++ b/utils/vim/create-apparmor.vim.py @@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s return [sp.returncode, out + outerr] # get capabilities list -(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities']) +(rc, output) = cmd(['../../common/list_capabilities.sh']) if rc != 0: sys.stderr.write("make list_capabilities failed: " + output) exit(rc) ++++++ make-4.3-fix-utils-network-test.diff ++++++ commit 9144e39d252cd75dd2d6941154e014f7d46147ca Author: John Johansen <[email protected]> Date: Fri Jun 14 01:04:22 2019 -0700 Revert "utils/test-network.py: fix failing testcase" This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0. this commit was meant for the 2.13 branch not master Signed-off-by: John Johansen <[email protected]> diff --git a/utils/test/test-network.py b/utils/test/test-network.py index 6088327a..ee325abe 100644 --- a/utils/test/test-network.py +++ b/utils/test/test-network.py 
@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', class NetworkKeywordsTest(AATest): def test_network_keyword_list(self): - rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names']) + rc, output = cmd('../../common/list_af_names.sh') self.assertEqual(rc, 0) af_names = [] ++++++ make-4.3-network.diff ++++++ commit cb8c3377babfed4600446d1f60d53d8e2a581578 Author: Eric Chiang <[email protected]> Date: Thu Jan 17 11:02:57 2019 -0800 *: ensure make apparmor_parser is cached This change updates parser/Makefile to respect target dependencies and not rebuild apparmor_parser if nothing's changed. The goal is to allow cross-compiled tests #17 to run on a target system without the tests attempting to rebuild the parser. Two changes were made: * Generate af_names.h in a script so the script timestamp is compared. * Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a Changes to list_af_names are intended to exactly replicate the old behavior. Signed-off-by: Eric Chiang <[email protected]> diff --git a/common/Make.rules b/common/Make.rules index d2149fcd..357bdec8 100644 --- a/common/Make.rules +++ b/common/Make.rules 
@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C list_capabilities: /usr/include/linux/capability.h @echo "$(CAPABILITIES)" -# ===================== -# generate list of network protocols based on -# sys/socket.h for use in multiple locations in -# the source tree -# ===================== - -# These are the families that it doesn't make sense for apparmor -# to mediate. We use PF_ here since that is what is required in -# bits/socket.h, but we will rewrite these as AF_. - -FILTER_FAMILIES=PF_UNIX - -__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g') - -# emits the AF names in a "AF_NAME NUMBER," pattern -AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2) - -.PHONY: list_af_names -list_af_names: - @echo "$(AF_NAMES)" - # ===================== # manpages # ===================== diff --git a/common/list_af_names.sh b/common/list_af_names.sh new file mode 100755 index 00000000..d7987537 --- /dev/null +++ b/common/list_af_names.sh @@ -0,0 +1,19 @@ +#!/bin/bash -e + +# ===================== +# generate list of network protocols based on +# sys/socket.h for use in multiple locations in +# the source tree +# ===================== + +# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search +# for "PF_" constants since that is what is required in bits/socket.h, but +# rewrite as "AF_". + +echo "#include <sys/socket.h>" | \ + cpp -dM | \ + LC_ALL=C sed -n \ + -e '/PF_UNIX/d' \ + -e 's/PF_LOCAL/PF_UNIX/' \ + -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \ + sort -n -k2 diff --git a/parser/Makefile b/parser/Makefile index 558d9616..9a18f4da 100644 --- a/parser/Makefile +++ b/parser/Makefile 
@@ -278,10 +278,9 @@ parser_version.h: Makefile # as well as the filtering that occurs for network protocols that # apparmor should not mediate. -.PHONY: af_names.h -af_names.h: - echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@ - echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@ +af_names.h: ../common/list_af_names.sh + ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@ + ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@ # cat $@ cap_names.h: /usr/include/linux/capability.h @@ -301,10 +300,7 @@ tests: apparmor_parser ${TESTS} sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done' $(Q)$(MAKE) -s -C tst tests -# always need to rebuild. -.SILENT: $(AAREOBJECT) -.PHONY: $(AAREOBJECT) -$(AAREOBJECT): +$(AAREOBJECT): FORCE $(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)" .PHONY: install-rhel4 @@ -404,3 +400,4 @@ clean: pod_clean $(MAKE) -s -C po clean $(MAKE) -s -C tst clean +FORCE: diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py index 1ea8191d..ca14df5c 100644 --- a/utils/vim/create-apparmor.vim.py +++ b/utils/vim/create-apparmor.vim.py 
@@ -57,7 +57,7 @@ for cap in capabilities: benign_caps.append(cap) # get network protos list -(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names']) +(rc, output) = cmd(['../../common/list_af_names.sh']) if rc != 0: sys.stderr.write("make list_af_names failed: " + output) exit(rc) ++++++ usr-etc-abstractions-base-nameservice.diff ++++++ commit 395e2e87d7d4a28e4574de5960210b40a7c5ea0d Author: Christian Boltz <[email protected]> Date: Sat Jan 25 19:35:50 2020 +0100 adjust abstractions/base and nameservice for /usr/etc/ move References: http://bugzilla.opensuse.org/show_bug.cgi?id=1161756 diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base index cecb126f..6288da76 100644 --- a/profiles/apparmor.d/abstractions/base +++ b/profiles/apparmor.d/abstractions/base @@ -27,9 +27,9 @@ # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). /run/uuidd/request r, - /etc/locale/** r, - /etc/locale.alias r, - /etc/localtime r, + /{usr/,}etc/locale/** r, + /{usr/,}etc/locale.alias r, + /{usr/,}etc/localtime r, /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, /usr/share/locale/** r, @@ -52,14 +52,14 @@ /usr/lib/@{multiarch}/gconv/gconv-modules* mr, # used by glibc when binding to ephemeral ports - /etc/bindresvport.blacklist r, + /{usr/,}etc/bindresvport.blacklist r, # ld.so.cache and ld are used to load shared libraries; they are best # available everywhere - /etc/ld.so.cache mr, - /etc/ld.so.conf r, - /etc/ld.so.conf.d/{,*.conf} r, - /etc/ld.so.preload r, + /{usr/,}etc/ld.so.cache mr, + /{usr/,}etc/ld.so.conf r, + /{usr/,}etc/ld.so.conf.d/{,*.conf} r, + /{usr/,}etc/ld.so.preload r, /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice index ec639cda..4024ba1e 100644 
--- a/profiles/apparmor.d/abstractions/nameservice +++ b/profiles/apparmor.d/abstractions/nameservice @@ -13,16 +13,16 @@ # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - /etc/group r, - /etc/host.conf r, - /etc/hosts r, - /etc/nsswitch.conf r, - /etc/gai.conf r, - /etc/passwd r, - /etc/protocols r, + /{usr/,}etc/group r, + /{usr/,}etc/host.conf r, + /{usr/,}etc/hosts r, + /{usr/,}etc/nsswitch.conf r, + /{usr/,}etc/gai.conf r, + /{usr/,}etc/passwd r, + /{usr/,}etc/protocols r, # libtirpc (used for NIS/YP login) needs this - /etc/netconfig r, + /{usr/,}etc/netconfig r, # When using libnss-extrausers, the passwd and group files are merged from # an alternate path @@ -36,15 +36,15 @@ /var/lib/sss/mc/passwd r, /var/lib/sss/pipes/nss rw, - /etc/resolv.conf r, + /{usr/,}etc/resolv.conf r, # On systems where /etc/resolv.conf is managed programmatically, it is # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, - /etc/resolvconf/run/resolv.conf r, + /{usr/,}etc/resolvconf/run/resolv.conf r, /{,var/}run/systemd/resolve/stub-resolv.conf r, - /etc/samba/lmhosts r, - /etc/services r, + /{usr/,}etc/samba/lmhosts r, + /{usr/,}etc/services r, # db backend /var/lib/misc/*.db r, # The Name Service Cache Daemon can cache lookups, sometimes leading @@ -60,14 +60,14 @@ # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr, - /etc/default/nss r, + /{usr/,}etc/default/nss r, # avahi-daemon is used for mdns4 resolution /{,var/}run/avahi-daemon/socket rw, # libnl-3-200 via libnss-gw-name @{PROC}/@{pid}/net/psched r, - /etc/libnl-*/classid r, + /{usr/,}etc/libnl-*/classid r, # nis #include <abstractions/nis>
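
Review bot: In apparmor.spec, the new `Patch10: ./usr-etc-abstractions-base-nameservice.diff` entry carries a leading `./` that none of the other Patch lines use (compare `Patch11: make-4.3-network.diff`). Drop the prefix so all patch sources are named the same way.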
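
Review bot: In make-4.3-capabilities-vim.diff, `.split('\n')` at create-apparmor.vim.py line 53 ties the parser to one separator, the same kind of coupling that broke when the list moved from spaces to newlines. Calling `.split()` with no argument splits on any whitespace and would accept both the old and the new output format, and it also avoids an empty entry if the script ever emits a blank line.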
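
Review bot: In the new common/list_capabilities.sh, the sed expression still uses `\#define`, where the backslash was only needed to escape `#` inside Make.rules; in the single-quoted shell string it now reaches sed as-is and relies on sed treating `\#` as a literal `#`. list_af_names.sh already uses plain `^#define`, so use the same form here. The header comment also names /usr/include/linux/capabilities.h while the script includes `<linux/capability.h>`. Finally, the commit message says the output exactly replicates the old behavior, but the follow-up vim fix shows the separator changed from spaces to newlines; the message should say so.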
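
Review bot: In make-4.3-capabilities.diff, the parser/Makefile rule `cap_names.h: /usr/include/linux/capability.h` now runs ../common/list_capabilities.sh but does not list it as a prerequisite, so editing the script will not regenerate cap_names.h. The af_names.h rule in make-4.3-network.diff does this correctly with `af_names.h: ../common/list_af_names.sh`; add the script to the cap_names.h prerequisites in the same way.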
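
Review bot: In utils/Makefile, `for cap in $(shell ../common/list_capabilities.sh)` in check_severity_db discards the script's exit status, so if the script fails or prints nothing the loop body never runs, RC stays 0, and the severity.db check passes without having compared any capability. Run the script from the recipe shell instead, store its output in a shell variable, and fail the target when the command fails or the list is empty.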
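
Review bot: In the create-apparmor.vim.py hunk of make-4.3-capabilities.diff, the error path still writes "make list_capabilities failed: " although the command is now `../../common/list_capabilities.sh`, which will mislead anyone debugging a failed build. Update the message to name the script. The same stale text remains in the make-4.3-network.diff hunk for this file ("make list_af_names failed: "). Both calls also use a path relative to the current directory, so a short comment stating that the generator must be run from utils/vim would help.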
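
Review bot: In make-4.3-fix-utils-network-test.diff, `cmd('../../common/list_af_names.sh')` in test_network_keyword_list passes a bare string, while the create-apparmor.vim.py callers in this same submission pass a list (`cmd(['../../common/list_af_names.sh'])`). Use the list form here as well so the helper is called the same way everywhere. The relative path also makes the test depend on being started from utils/test.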
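
Review bot: In the new common/list_af_names.sh, `#!/bin/bash -e` does not catch a failing `cpp` because the pipeline's exit status is that of the final `sort`; a missing preprocessor or header would produce an empty list with exit code 0, and af_names.h would be generated without any address families. Add `set -o pipefail` at the top of the script (the same applies to list_capabilities.sh). The comment in this file also has a typo: "sence" should be "sense".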
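
Review bot: In the parser/Makefile hunk at @@ -301,10 +300,7 of make-4.3-network.diff, the `.SILENT: $(AAREOBJECT)` line is removed together with `.PHONY`, which the commit message does not mention; the sub-make command will now be echoed on every build. Either keep `.SILENT` or note the change in the message. The empty `FORCE:` target appended at the end of the file should get a one-line comment explaining that it exists to force the `$(AAREOBJECT)` recipe to run, since on its own it looks like a leftover.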
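
Review bot: In usr-etc-abstractions-base-nameservice.diff, the `/{usr/,}etc/` alternation is applied to every /etc rule in abstractions/base and abstractions/nameservice, including loader paths such as `/{usr/,}etc/ld.so.cache mr,` and `/{usr/,}etc/ld.so.preload r,` and host-generated files such as `/{usr/,}etc/resolv.conf r,` and `/{usr/,}etc/resolvconf/run/resolv.conf r,`. Because these abstractions are meant to be available everywhere, each added alternative widens every profile that includes them. Please confirm for each rule that the file is actually read from /usr/etc after the move in boo#1161756, and keep the plain /etc form for the ones that are not; the commit message should list which files are expected there.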
