Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2021-04-29 22:44:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new.1947 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Thu Apr 29 22:44:40 2021 rev:151 rq:888863 version:3.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2021-03-02 15:12:18.425367735 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new.1947/apparmor.changes 2021-04-29 22:44:52.172173882 +0200 @@ -1,0 +2,12 @@ +Tue Apr 27 16:48:25 UTC 2021 - Christian Boltz <[email protected]> + +- add crypto-policies-mr720.diff to allow reading crypto policies + in abstractions/ssl_certs (boo#1183597) + +------------------------------------------------------------------- +Sat Mar 27 22:56:06 UTC 2021 - Christian Boltz <[email protected]> + +- replace %{?systemd_requires} with %{?systemd_ordering} to avoid dragging in + systemd into containers just because apparmor-parser ships a *.service file + +------------------------------------------------------------------- New: ---- crypto-policies-mr720.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.UjXDjb/_old 2021-04-29 22:44:52.856170836 +0200 +++ /var/tmp/diff_new_pack.UjXDjb/_new 2021-04-29 22:44:52.860170818 +0200 @@ -78,6 +78,9 @@ # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff +# allow reading crypto policies (submitted upstream 2021-03-08 - https://gitlab.com/apparmor/apparmor/-/merge_requests/720) +Patch7: crypto-policies-mr720.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor @@ -132,7 +135,7 @@ Provides: subdomain_parser = %{version} Provides: apparmor-parser(CAP_SYSLOG) BuildRequires: systemd-rpm-macros -%{?systemd_requires} +%{?systemd_ordering} %description parser The AppArmor Parser is a userlevel program that is used to load in @@ -341,6 +344,7 @@ %patch3 -p1 %patch4 %patch5 +%patch7 -p1 %build %define _lto_cflags %{nil} ++++++ libapparmor.spec ++++++ --- /var/tmp/diff_new_pack.UjXDjb/_old 2021-04-29 22:44:52.884170711 +0200 +++ /var/tmp/diff_new_pack.UjXDjb/_new 2021-04-29 22:44:52.888170694 +0200 @@ -37,7 +37,6 @@ change_hat(2) symbol, used for sub-process confinement by AppArmor, as well as functions to parse AppArmor log messages. - %package -n libapparmor1 Summary: Utility library for AppArmor Group: System/Libraries @@ -63,8 +62,6 @@ These libraries are needed for developing software that makes use of the AppArmor API. - - %prep %setup -q -n apparmor-%{version} ++++++ crypto-policies-mr720.diff ++++++ [current version of https://gitlab.com/apparmor/apparmor/-/merge_requests/720 - might still be changed or extended, but this patch solves the most urgent denials] >From 0aea44f43a1d6cd6b7ebd32bbff803455b3aad44 Mon Sep 17 00:00:00 2001 From: Christian Boltz <[email protected]> Date: Mon, 8 Mar 2021 01:20:24 +0100 Subject: [PATCH] abstractions/ssl_certs: allow reading crypto policies See https://gitlab.com/redhat-crypto/fedora-crypto-policies for details. Reported by darix and also my own audit.log - the actual denial was for /usr/share/crypto-policies/DEFAULT/openssl.txt. (I'm aware that the crypto policies are not really certificates, but since they are used by several crypto libraries, ssl_certs is probably the best place for them even if the filename doesn't match.) --- profiles/apparmor.d/abstractions/ssl_certs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs index 57d0f41a2..0392c0ccc 100644 --- a/profiles/apparmor.d/abstractions/ssl_certs +++ b/profiles/apparmor.d/abstractions/ssl_certs @@ -41,5 +41,8 @@ /etc/certbot/archive/*/chain*.pem r, /etc/certbot/archive/*/fullchain*.pem r, + # crypto policies used by various libraries + /usr/share/crypto-policies/*/*.txt r, + # Include additions to the abstraction include if exists <abstractions/ssl_certs.d> -- GitLab
