Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2024-03-02 23:23:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new.1770 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Sat Mar 2 23:23:23 2024 rev:204 rq:1154197 version:3.1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2024-02-28 19:44:57.201092502 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new.1770/apparmor.changes 2024-03-02 23:23:23.219197828 +0100 @@ -1,0 +2,13 @@ +Fri Mar 1 20:54:12 UTC 2024 - Christian Boltz <suse-b...@cboltz.de> + +- Remove workaround for boo#853019 in %postun parser - + apparmor.service contains a more safe workaround. + This also fixes boo#1220708 (missing daemon-reload). + +------------------------------------------------------------------- +Tue Feb 27 14:26:58 UTC 2024 - Noel Power <nopo...@suse.com> + +- Add smbd-unix_chkpwd.diff to allow smbd to execute + unix_chkpwd and fix other pam related denies; (boo#1220032). + +------------------------------------------------------------------- @@ -9,0 +23,6 @@ + +------------------------------------------------------------------- +Tue Feb 20 02:41:09 UTC 2024 - David Disseldorp <dd...@suse.com> + +- Only run utils and profiles make check if kernel LSM is enabled + (bsc#1220084) New: ---- smbd-unix_chkpwd.diff BETA DEBUG BEGIN: New: - Add smbd-unix_chkpwd.diff to allow smbd to execute unix_chkpwd and fix other pam related denies; (boo#1220032). BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.7uC6OE/_old 2024-03-02 23:23:24.775254193 +0100 +++ /var/tmp/diff_new_pack.7uC6OE/_new 2024-03-02 23:23:24.779254338 +0100 @@ -98,6 +98,10 @@ # abstractions/openssl: allow version specific engdef & engines paths (boo#1219571) Patch10: apparmor-abstractions-openssl-allow-version-specific-en.patch +# allow smbd to execute unix_chkpwd (boo#1220032) +# https://gitlab.com/apparmor/apparmor/-/merge_requests/1159 +Patch11: smbd-unix_chkpwd.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison 
@@ -367,6 +371,7 @@ %endif %patch -P 9 -p1 %patch -P 10 -p1 +%patch -P 11 -p1 %build export SUSE_ASNEEDED=0 @@ -429,17 +434,24 @@ make check -C parser make check -C binutils -# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check -make -C profiles check-parser +# some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current) +if grep -q apparmor /sys/kernel/security/lsm; then + # profiles make check fails for the utils (they expect + # /sbin/apparmor_parser to exist), therefore only do parser-based check + make -C profiles check-parser -# test for a few files that should exist in the cache %if %{with precompiled_cache} -test -f profiles/cache/*/bin.ping -test -f profiles/cache/*/.features + # test for a few files that should exist in the cache + test -f profiles/cache/*/bin.ping + test -f profiles/cache/*/.features %endif -# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121 -make check -o check_lint -C utils + # run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121 + make check -o check_lint -C utils +else + # clear grep status to avoid flagging check failure + true +fi %install # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec 
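Review bot: In the `%check` hunk (`@@ -429,17 +434,24 @@`) the `else` branch runs a bare `true`, so a build host without the AppArmor LSM skips `make -C profiles check-parser`, the precompiled-cache `test -f` lines and the utils checks without leaving any trace in the build log. An `if` whose condition fails and which has no `else` already returns 0 in POSIX shell, so the branch is not needed to clear grep's status. It is better used to record the skip, e.g. `echo "WARNING: apparmor LSM not active on build host - skipping profiles and utils checks" >&2`. For a package that ships security policy, a visible marker lets a reviewer tell a build that validated the profiles from one that validated nothing.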
@@ -736,13 +748,9 @@ %service_del_preun apparmor.service %postun parser -# don't call try-restart, see bnc#853019 -%if 0%{?suse_version} <= 1500 -export DISABLE_RESTART_ON_UPDATE="yes" +# bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing), +# which means that 'systemctl restart apparmor' is safe now %service_del_postun apparmor.service -%else -%service_del_postun_without_restart apparmor.service -%endif %posttrans abstractions # workaround for bnc#904620#c8 / lp#1392042 ++++++ smbd-unix_chkpwd.diff ++++++ Index: apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd =================================================================== --- apparmor-3.1.7.orig/profiles/apparmor.d/usr.sbin.smbd +++ apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd @@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd { /etc/samba/* rwk, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, + /usr/etc/environment r, + /usr/etc/security/limits.d/ r, + /usr/etc/security/limits.d/*.conf r, /usr/lib*/samba/vfs/*.so mr, /usr/lib*/samba/auth/*.so mr, /usr/lib*/samba/charset/*.so mr, @@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd { /usr/share/samba/** r, /usr/{bin,sbin}/smbd mr, /usr/{bin,sbin}/smbldap-useradd Px, + /usr/sbin/unix_chkpwd Px, /var/cache/samba/** rwk, /var/{cache,lib}/samba/printing/printers.tdb mrw, /var/lib/nscd/netgroup r, @@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd { @{run}/samba/ncalrpc/** rw, /var/spool/samba/** rw, + owner /proc/@{pid}/loginuid r, + @{HOMEDIRS}/** lrwk, /var/lib/samba/usershares/{,**} lrwk,
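Review bot: The new comment in `%postun parser` justifies the restart only by reference to `ExecStop=/bin/true` in apparmor.service, which is not part of this hunk. Removing the `%if 0%{?suse_version} <= 1500` branch means the restart-on-update path now also applies to the older targets. If the unit in effect on a system lacks that ExecStop (an older unit file or a local override, neither verifiable from here), the behaviour described in boo#853019 would presumably return on package update. I would state the coupling explicitly, e.g. `# NOTE: depends on ExecStop=/bin/true in the packaged apparmor.service - do not change one without the other`, and wrap the long comment line.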
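Review bot: In the second hunk of smbd-unix_chkpwd.diff, `/usr/sbin/unix_chkpwd Px,` hard-codes a single path, whereas the neighbouring rules use the `/usr/{bin,sbin}/` alternation (`/usr/{bin,sbin}/smbldap-useradd Px,`). If the helper can be installed under `/usr/bin` on some targets the rule will not match, so consider `/usr/{bin,sbin}/unix_chkpwd Px,`. `Px` is a sound choice because it scrubs the environment and denies the exec when no profile for the target is loaded, but that makes the fix depend on a unix_chkpwd profile being shipped and loaded. None is visible in this patch, so a comment naming that profile would help.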
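Review bot: In the last hunk, `owner /proc/@{pid}/loginuid r,` spells out `/proc` while the rest of this profile uses the tunable (`@{PROC}/@{pid}/mounts r,` in the first hunk's context); `owner @{PROC}/@{pid}/loginuid r,` keeps it consistent. The `owner` qualifier and read-only mode keep the grant narrow. A one-line comment such as `# read by the PAM stack during authentication (boo#1220032)` would record why smbd needs it, if that is indeed the consumer. The profile body continues outside the hunk.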