Hello community, here is the log from the commit of package mumble for openSUSE:Factory checked in at 2020-10-24 15:18:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mumble (Old) and /work/SRC/openSUSE:Factory/.mumble.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mumble" Sat Oct 24 15:18:36 2020 rev:63 rq:843764 version:1.3.3 Changes: -------- --- /work/SRC/openSUSE:Factory/mumble/mumble.changes 2020-10-06 17:12:19.657590364 +0200 +++ /work/SRC/openSUSE:Factory/.mumble.new.3463/mumble.changes 2020-10-24 15:19:06.364327435 +0200 @@ -0,0 +1,13 @@ +------------------------------------------------------------------- +Sat Oct 24 02:05:14 UTC 2020 - Marcus Rueckert <mrueck...@suse.de> + +- update apparmor profiles to get warning free again on 15.2 + - use abstractions for ssl files + - allow inet dgram sockets as mumble can also work via udp + - allow netlink socket (probably for dbus) + - properly allow lsb_release again + - add support for optional local include +- start murmurd directly as user mumble-server it gets rid of the + dac_override/setgid/setuid/chown permissions + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mumble-server.service ++++++ --- /var/tmp/diff_new_pack.eEzpEw/_old 2020-10-24 15:19:07.024328193 +0200 +++ /var/tmp/diff_new_pack.eEzpEw/_new 2020-10-24 15:19:07.024328193 +0200 @@ -14,6 +14,8 @@ After=var-run.mount network.target remote-fs.target time-sync.target mysql.target [Service] +User=mumble-server +Group=mumble-server ExecStart=/usr/sbin/murmurd -fg -ini /etc/mumble-server.ini [Install] ++++++ murmur.apparmor ++++++ --- /var/tmp/diff_new_pack.eEzpEw/_old 2020-10-24 15:19:07.056328230 +0200 +++ /var/tmp/diff_new_pack.eEzpEw/_new 2020-10-24 15:19:07.056328230 +0200 @@ -8,23 +8,14 @@ #include <abstractions/ssl_certs> #include <abstractions/user-tmp> - /etc/ssl/certs/** r, - deny /usr/share/ssl/ r, - deny /usr/share/ssl/** r, - -# FIXME: mumble has weird capability handling. None of the first four should be -# needed if the code is adjusted - capability dac_override, - capability setgid, - capability setuid, - capability chown, - -# needed for real time scheduling of the mixer threads + # needed for real time scheduling of the mixer threads capability sys_resource, -# not needed anymore -# capability net_admin, + network inet dgram, network inet stream, + network netlink, + + /usr/share/icu/*/icu*.dat r, /etc/mumble-server.ini rk, /usr/bin/lsb_release cx, @@ -37,14 +28,15 @@ #include <abstractions/base> #include <abstractions/consoles> - /{usr/,}bin/bash r, + /{usr/,}bin/bash rm, /proc/meminfo r, - /usr/bin/getopt rix, - /usr/bin/head rix, - /usr/bin/grep rix, - /usr/bin/sed rix, - /usr/bin/cut rix, + /usr/bin/getopt rmix, + /usr/bin/head rmix, + /usr/bin/grep rmix, + /usr/bin/sed rmix, + /usr/bin/cut rmix, /usr/bin/lsb_release r, /etc/SuSE-release r, } + #include if exists <local/usr.sbin.murmurd> }