Hello community,

here is the log from the commit of package mumble for openSUSE:Factory checked 
in at 2020-10-24 15:18:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mumble (Old)
 and      /work/SRC/openSUSE:Factory/.mumble.new.3463 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mumble"

Sat Oct 24 15:18:36 2020 rev:63 rq:843764 version:1.3.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/mumble/mumble.changes    2020-10-06 
17:12:19.657590364 +0200
+++ /work/SRC/openSUSE:Factory/.mumble.new.3463/mumble.changes  2020-10-24 
15:19:06.364327435 +0200
@@ -0,0 +1,13 @@
+-------------------------------------------------------------------
+Sat Oct 24 02:05:14 UTC 2020 - Marcus Rueckert <mrueck...@suse.de>
+
+- update apparmor profiles to get warning free again on 15.2
+  - use abstractions for ssl files
+  - allow inet dgram sockets as mumble can also work via udp
+  - allow netlink socket (probably for dbus)
+  - properly allow lsb_release again
+  - add support for optional local include
+- start murmurd directly as user mumble-server it gets rid of the
+  dac_override/setgid/setuid/chown permissions
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------

++++++ mumble-server.service ++++++
--- /var/tmp/diff_new_pack.eEzpEw/_old  2020-10-24 15:19:07.024328193 +0200
+++ /var/tmp/diff_new_pack.eEzpEw/_new  2020-10-24 15:19:07.024328193 +0200
@@ -14,6 +14,8 @@
 After=var-run.mount network.target remote-fs.target time-sync.target 
mysql.target
 
 [Service]
+User=mumble-server
+Group=mumble-server
 ExecStart=/usr/sbin/murmurd -fg -ini /etc/mumble-server.ini
 
 [Install]
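Review bot: With `User=mumble-server` and `Group=mumble-server` added under `[Service]`, murmurd starts without root, so any log file, database or pid file it previously created as root must already be writable by mumble-server. No ownership migration is visible on this page, so confirm that the package scriptlets or tmpfiles configuration handle upgrades from the old root-started layout. Since the privilege drop now lives in the unit, this is also the place to add `NoNewPrivileges=yes` and, if the paths in /etc/mumble-server.ini allow it, `ProtectSystem=full`. The unit file continues outside this hunk, so existing hardening directives may not be visible here.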


++++++ murmur.apparmor ++++++
--- /var/tmp/diff_new_pack.eEzpEw/_old  2020-10-24 15:19:07.056328230 +0200
+++ /var/tmp/diff_new_pack.eEzpEw/_new  2020-10-24 15:19:07.056328230 +0200
@@ -8,23 +8,14 @@
   #include <abstractions/ssl_certs>
   #include <abstractions/user-tmp>
 
-  /etc/ssl/certs/** r,
-  deny /usr/share/ssl/ r,
-  deny /usr/share/ssl/** r,
-
-# FIXME: mumble has weird capability handling. None of the first four should be
-# needed if the code is adjusted
-  capability dac_override,
-  capability setgid,
-  capability setuid,
-  capability chown,
-
-# needed for real time scheduling of the mixer threads
+  # needed for real time scheduling of the mixer threads
   capability sys_resource,
-# not needed anymore
-# capability net_admin,
 
+  network inet dgram,
   network inet stream,
+  network netlink,
+
+  /usr/share/icu/*/icu*.dat r,
 
   /etc/mumble-server.ini rk,
   /usr/bin/lsb_release cx,
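Review bot: The new `network netlink,` rule allows every netlink socket type, and the changelog's own justification is a guess ("probably for dbus"). Narrow it to what the audit log actually shows, commonly `network netlink raw,`, and put a comment above it naming the caller that needs it. `capability sys_resource,` is kept, but the unit now starts murmurd as mumble-server, so the process presumably holds no capabilities unless the unit grants them. If so, the rule is dead and can be dropped, or it should be paired with an explicit unit setting if the mixer threads still need it. Only `inet` rules are visible here; the profile continues outside the hunk, so check whether `inet6` is covered elsewhere.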
@@ -37,14 +28,15 @@
     #include <abstractions/base>
     #include <abstractions/consoles>
 
-    /{usr/,}bin/bash r,
+    /{usr/,}bin/bash rm,
     /proc/meminfo r,
-    /usr/bin/getopt rix,
-    /usr/bin/head rix,
-    /usr/bin/grep rix,
-    /usr/bin/sed rix,
-    /usr/bin/cut rix,
+    /usr/bin/getopt rmix,
+    /usr/bin/head rmix,
+    /usr/bin/grep rmix,
+    /usr/bin/sed rmix,
+    /usr/bin/cut rmix,
     /usr/bin/lsb_release r,
     /etc/SuSE-release r,
   }
+  #include if exists <local/usr.sbin.murmurd>
 }
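Review bot: The `#include if exists <local/usr.sbin.murmurd>` line sits after the closing brace of the lsb_release child profile, so local rules extend only the main murmurd profile and never the child. That is worth stating in a comment, e.g. `# site-specific additions for murmurd itself; does not apply to the lsb_release child profile`. The change from `rix` to `rmix` on the helper binaries, and `rm` on bash, is also undocumented. A one-line comment saying the `m` was added to silence mmap denials seen on 15.2 would tell the next maintainer it was deliberate. The start of the child profile is outside this hunk.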

