Hello community,

here is the log from the commit of package rsyslog for openSUSE:Factory checked 
in at 2015-05-10 10:46:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rsyslog (Old)
 and      /work/SRC/openSUSE:Factory/.rsyslog.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rsyslog"

Changes:
--------
--- /work/SRC/openSUSE:Factory/rsyslog/rsyslog.changes  2015-04-22 
01:18:56.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rsyslog.new/rsyslog.changes     2015-05-10 
10:47:00.000000000 +0200
@@ -1,0 +2,14 @@
+Thu Apr 30 12:39:07 UTC 2015 - jeng...@inai.de
+
+- Documentation does not depend on the presence of anything
+
+-------------------------------------------------------------------
+Mon Apr 27 14:53:52 UTC 2015 - jseg...@novell.com
+
+- Adjusted apparmor profile based on the suggestions by Christian Boltz
+  * Removed empty files: module-pgsql, module-relp, module-gssapi, module-gtls
+  * Moved profiles to /usr/share/apparmor/extra-profiles/
+  * Blocked capability block_suspend
+  plus some other small fixes
+
+-------------------------------------------------------------------

Old:
----
  module-gssapi
  module-gtls
  module-pgsql
  module-relp

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rsyslog.spec ++++++
--- /var/tmp/diff_new_pack.B0pRR2/_old  2015-05-10 10:47:01.000000000 +0200
+++ /var/tmp/diff_new_pack.B0pRR2/_new  2015-05-10 10:47:01.000000000 +0200
@@ -200,13 +200,9 @@
 Source4:        rsyslog.d.remote.conf.in
 Source5:        rsyslog-service-prepare.in
 Source6:        usr.sbin.rsyslogd
-Source7:        module-gssapi
-Source8:        module-gtls
-Source9:        module-mysql
-Source10:       module-pgsql
-Source11:       module-relp
-Source12:       module-snmp
-Source13:       module-udpspoof
+Source7:        module-mysql
+Source8:        module-snmp
+Source9:        module-udpspoof
 Source14:       
http://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{upstream_version}.tar.gz
 Source15:       rsyslog.firewall
 
@@ -215,11 +211,10 @@
 
 # this is a dirty hack since % dir does only work for the specified directory 
and nothing above
 # but I want to be able to switch this to /etc/apparmor.d once the profiles 
received more testing
-%define APPARMOR_PROFILE_PATH /etc/apparmor/profiles/extras
-%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /etc/apparmor/ \
-                                           %dir /etc/apparmor/profiles \
-                                           %dir /etc/apparmor/profiles/extras \
-                                           %dir 
/etc/apparmor/profiles/extras/rsyslog.d
+%define APPARMOR_PROFILE_PATH /usr/share/apparmor/extra-profiles
+%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /usr/share/apparmor \
+                                           %dir 
/usr/share/apparmor/extra-profiles \
+                                           %dir 
/usr/share/apparmor/extra-profiles/rsyslog.d
 
 %description
 Rsyslog is an enhanced multi-threaded syslogd supporting, among others,
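Review bot: Moving APPARMOR_PROFILE_PATH to /usr/share/apparmor/extra-profiles leaves the main profile pointing at the old location: the unchanged context line in the last usr.sbin.rsyslogd hunk still reads `#include "/etc/apparmor/profiles/extras/rsyslog.d"`. Unless the spec rewrites that path somewhere outside these hunks, an activated profile would no longer pick up the module-mysql, module-snmp and module-udpspoof rules, which are now installed under the new directory. I would change the include to `#include "/usr/share/apparmor/extra-profiles/rsyslog.d"` in the same commit and update the "once it is moved to /etc/apparmor.d" comment beside it.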
@@ -231,7 +226,6 @@
 setup for the novice user.
 
 %package doc
-Requires:       %{name} = %{version}
 Summary:        Additional documentation for rsyslog
 Group:          System/Daemons
 
@@ -737,26 +731,14 @@
 chmod 644 %{buildroot}%{rsyslog_sockets_cfg}
 mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/
-%if %{with gssapi}
-  install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
-%if %{with gnutls}
-  install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
 %if %{with mysql}
-  install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
-%if %{with pgsql}
-  install -m0640 %{SOURCE10} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
-%endif
-%if %{with relp}
-  install -m0640 %{SOURCE11} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+  install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 %endif
 %if %{with snmp}
-  install -m0640 %{SOURCE12} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+  install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 %endif
 %if %{with udpspoof}
-  install -m0640 %{SOURCE13} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+  install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
 %endif
 
 # firewall config
@@ -994,7 +976,6 @@
 %{rsyslog_module_dir_withdeps}/omgssapi.so
 %{rsyslog_module_dir_withdeps}/imgssapi.so
 %{rsyslog_module_dir_withdeps}/lmgssutil.so
-%config  %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gssapi
 %endif
 
 %if %{with mysql}
@@ -1012,7 +993,6 @@
 %defattr(-,root,root)
 %doc %{rsyslogdocdir}/pgsql-createDB.sql
 %{rsyslog_module_dir_withdeps}/ompgsql.so
-%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-pgsql
 %endif
 
 %if %{with dbi}
@@ -1036,7 +1016,6 @@
 %files module-gtls
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/lmnsd_gtls.so
-%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gtls
 %endif
 
 %if %{with relp}
@@ -1045,7 +1024,6 @@
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/imrelp.so
 %{rsyslog_module_dir_withdeps}/omrelp.so
-%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-relp
 %endif
 
 %if %{with mmnormalize}

++++++ module-mysql ++++++
--- /var/tmp/diff_new_pack.B0pRR2/_old  2015-05-10 10:47:01.000000000 +0200
+++ /var/tmp/diff_new_pack.B0pRR2/_new  2015-05-10 10:47:01.000000000 +0200
@@ -3,4 +3,4 @@
   #include <abstractions/p11-kit>
   /etc/my.cnf r,
   /etc/my.cnf.d/ r,
-  /etc/my.cnf.d/default_plugins.cnf r,
+  /etc/my.cnf.d/* r,
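Review bot: The new rule `/etc/my.cnf.d/* r,` grants read on every file in that directory, not only the option files the MySQL client library loads. As far as I know the `!includedir` mechanism reads only files ending in `.cnf`, so `/etc/my.cnf.d/*.cnf r,` should be enough. The narrower glob keeps backup or editor-temp copies, which may hold credentials, out of rsyslogd's reach. The profile body starts and ends outside the hunk.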

++++++ usr.sbin.rsyslogd ++++++
--- /var/tmp/diff_new_pack.B0pRR2/_old  2015-05-10 10:47:01.000000000 +0200
+++ /var/tmp/diff_new_pack.B0pRR2/_new  2015-05-10 10:47:01.000000000 +0200
@@ -16,11 +16,11 @@
   # general networking is allowed here
   #include <abstractions/nameservice>
 
-  capability block_suspend,
   capability dac_override,
   capability sys_nice,
   capability sys_tty_config,
   capability syslog,
+  deny capability block_suspend,
 
   /dev/tty* w,
   /dev/xconsole rw,
@@ -33,6 +33,7 @@
   /usr/sbin/rsyslogd mr,
 
   /var/log/** rw,
+  /var/lib/*/dev/log w,
 
   /proc/kmsg r,
 
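Review bot: `/var/lib/*/dev/log w,` gives rsyslogd write access to a `dev/log` path under any directory in /var/lib, and nothing in the hunk says why. If this is for additional log sockets inside the chroots of other daemons (my assumption, not shown here), a comment such as `# extra log sockets for chrooted services` would make the intent reviewable. Listing the known chroot directories instead of `*` would also keep the rule from covering directories created by unrelated packages.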
@@ -43,4 +44,9 @@
   # include rules for rsyslog-module-* packages
   # change that to <rsyslog.d> once it is moved to /etc/apparmor.d
   #include "/etc/apparmor/profiles/extras/rsyslog.d"
+  
+  # for logging via TLS (rsyslog-module-gtls)
+  # keys/certificates need to be located under /etc/rsyslog.d or permissions 
need to be adjusted here
+  # rsyslog tries to write to the certificates for no reason, so deny this 
quietly
+  deny /etc/rsyslog.d/* w,
 }
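Review bot: `deny /etc/rsyslog.d/* w,` silences the write attempts without the cause being understood (the comment says "for no reason"), and plain deny rules are not logged. `audit deny /etc/rsyslog.d/* w,` keeps the block but leaves a trace in the audit log until the origin of those writes is known. Note also that `*` does not descend into subdirectories, so keys kept in a subfolder of /etc/rsyslog.d are not covered. The hunk adds no read rule for the key files either; whether one exists elsewhere in the profile is not visible here.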

