Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2022-05-05 23:04:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Thu May 5 23:04:38 2022 rev:171 rq:974768 version:3.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2022-04-30 00:45:41.278959213 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new.1538/apparmor.changes 2022-05-05 23:04:43.677432572 +0200 @@ -1,0 +2,9 @@ +Fri Apr 29 11:48:14 UTC 2022 - Christian Boltz <suse-b...@cboltz.de> + +- add php8-fpm-mr876.patch so that php8 php-fpm can read its config + (boo#1186267#c11) +- parser: add conflict with apparmor-utils < 3.0 to avoid aa-status + file conflict on upgrade (boo#1198958) +- utils: add missing dependency on apparmor-parser (boo#1198958#c4) + +------------------------------------------------------------------- New: ---- php8-fpm-mr876.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.GkkHEF/_old 2022-05-05 23:04:44.345433406 +0200 +++ /var/tmp/diff_new_pack.GkkHEF/_new 2022-05-05 23:04:44.353433416 +0200 @@ -77,24 +77,32 @@ # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff + # bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd -# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860) +# merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860 # bsc#1195463 add rule to allow reading of openssl.cnf -# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) +# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 Patch7: update-samba-bgqd.diff + # bsc#1195463 add rule to allow reading of openssl.cnf -# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) +# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 Patch8: update-usr-sbin-smbd.diff -# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-16 https://gitlab.com/apparmor/apparmor/-/merge_requests/873) +# add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873 - master only) Patch9: zgrep-profile-mr870.diff -# squash noisy setsockopt calls https://gitlab.com/apparmor/apparmor/-/merge_requests/867 + +# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867 # bsc#1196850 Patch10: samba_deny_net_admin.patch + # support for new dcerpcd subsytem in >= samba-4.16 -# https://gitlab.com/apparmor/apparmor/-/merge_requests/871 +# merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871 # bsc#1198309 Patch11: samba-new-dcerpcd.patch + +# allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876) +Patch12: php8-fpm-mr876.patch + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor @@ -135,6 +143,7 @@ Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later Group: Productivity/Networking/Security +Conflicts: apparmor-utils < 3.0 Obsoletes: libimnxcert < 2.9 Obsoletes: subdomain-leaf-cert < 2.9 Obsoletes: subdomain-parser < 2.9 @@ -281,6 +290,7 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles License: GPL-2.0-only AND LGPL-2.1-or-later Group: Productivity/Security +Requires: apparmor-parser Requires: libapparmor1 = %{version} Requires: python3-apparmor = %{version} Requires: python3-base @@ -362,6 +372,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %build %define _lto_cflags %{nil} ++++++ php8-fpm-mr876.patch ++++++ >From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001 From: Christian Boltz <appar...@cboltz.de> Date: Mon, 18 Apr 2022 20:49:22 +0200 Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php ... and with that, make a rule in the php-fpm profile (which missed php8) superfluous. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11 --- profiles/apparmor.d/abstractions/php | 3 +-- profiles/apparmor.d/php-fpm | 2 -- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php index ddafb0770..6bf0dc798 100644 --- a/profiles/apparmor.d/abstractions/php +++ b/profiles/apparmor.d/abstractions/php @@ -13,8 +13,7 @@ abi <abi/3.0>, # shared snippets for config files - /etc/php{,5,7,8}/**/ r, - /etc/php{,5,7,8}/**.ini r, + /etc/php{,5,7,8}/** r, # Xlibs /usr/X11R6/lib{,32,64}/lib*.so* mr, diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm index b25762c50..14b3c7195 100644 --- a/profiles/apparmor.d/php-fpm +++ b/profiles/apparmor.d/php-fpm @@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) { # read the system certificates include <abstractions/ssl_certs> - /etc/php{,5,7}/** r, - capability net_admin, # change user/group of a pool capability setuid, -- GitLab