   openSUSE Recommended Update: AppArmor
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2014:1481-1
Rating:             moderate
References:         #846586 #848215 #850374 #851131 #852018 #853019
                    #856651 #857122 #863226 #869787 #870607 #885317
                    #886225 #889650 #889651 #889652 #892374 #899746
                    #904620
Affected Products:
                    openSUSE 12.3
______________________________________________________________________________

   An update that has 19 recommended fixes can now be installed.

Description:

   This recommended update for AppArmor fixes the following issues:

   - NOTE: Please consider a reboot after installing the update to resolve
     bnc#853019
   - NOTE: The %postun from the previously installed apparmor-parser package
     will remove AppArmor protection from running processes a last time.
     Run aa-status to get a list of processes you need to restart, or
     reboot your computer.

   - Update from version 2.8.2 to 2.8.4 and several bugfixes
     + delete cache in apparmor-profiles %post (workaround for
       bnc#904620#c8 / lp#1392042)
     + mod_apparmor: try uri hat after AADefaultHatName, not before.
       Fixes the regression in 2.8.3 (lp#1322778)
     + libapparmor: fix log parsing memory leaks (lp#1340927)
     + parser: Fix profile loads from cache files that contain multiple
       profiles
     + several profiles and abstractions/* updates (including
       bnc#857122#c2, bnc#899746, bnc#869787, bnc#886225)
     + see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_4 for
       details
     + add Provides: apparmor-abstractions to apparmor-profiles
     + Allow dnsmasq read access to interface mtu in
       /proc/sys/net/ipv6/conf/<ifacename>/mtu (bnc#892374)
     + Rename rpmlintrc to %{name}-rpmlintrc to follow the packaging
       guidelines.
     + perl-apparmor: Fix handling of network (or network all)
       (bnc#889650)
     + perl-apparmor: Fix handling of capability keyword (bnc#889651)
     + perl-apparmor: Properly handle bare file keyword (bnc#889652)
     + permit clustered Samba access to CTDB socket and databases
       (bnc#885317)
     + update usr.sbin.winbindd profile (bnc#870607)
     + restrict rw access to /var/cache/krb5rcache/ instead of /var/tmp/
     + update usr.sbin.winbindd profile (bnc#870607)
       * treat passdb.tdb.tmp as passdb.tdb
       * allow rw access to /var/tmp/
     + add Recommends: libnotify-tools to apparmor-utils (aa-notify -p
       needs notify-send)
     + fix some cache clearing bugs in apparmor_parser
     + various fixes in mod_apparmor
     + several profile updates, most of them were already included as
       patches (except abstractions/winbind (bnc#863226),
       abstractions/fonts and abstractions/p11-kit)
     + see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_3 for all
       details
     + use current ruby macros, the rb_sitearch is obsolete since at
       least 12.1
     + allow access to pid file and supplemental config directory
     + add Recommends: net-tools to apparmor-utils (needed by
       aa-unconfined)
     + allow dnsmasq read config created by recent NetworkManager
     + allow samba to mkdir /var/run/samba and /var/cache/samba
       (bnc#856651)
     + add abstractions/samba to usr.sbin.winbindd profile
     + add capabilities ipc_lock and setuid to usr.sbin.winbindd profile
       (bnc#851131)
     + %restart_on_update (in parser %postun) is "translated" to
       stop/start by the systemd wrapper, which removes AppArmor
       protection from running processes. (bnc#853019)
       * NOTE: The %postun from the previously installed apparmor-parser
         package will remove AppArmor protection from running processes
         a last time. Run aa-status to get a list of processes you need
         to restart, or reboot your computer.
     + reload profiles in %post of the apparmor-profiles package
     + allow access to certificates in /var/lib/ca-certificates/
       (bnc#852018)
     + updated driftfile location for ntpd (bnc#850374)
     + usr.sbin.winbindd: some more profile updates for samba 4.x and
       kerberos (bnc#846586#c12 and #c15)
     + add missing permissions for libvirt-generated files to dnsmasq
       profile (bnc#848215)


Patch Instructions:

   To install this openSUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-708

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.3 (i586 x86_64):

      apache2-mod_apparmor-2.8.4-3.8.1
      apache2-mod_apparmor-debuginfo-2.8.4-3.8.1
      apparmor-debugsource-2.8.4-3.8.1
      apparmor-parser-2.8.4-3.8.1
      apparmor-parser-debuginfo-2.8.4-3.8.1
      libapparmor-devel-2.8.4-3.8.1
      libapparmor1-2.8.4-3.8.1
      libapparmor1-debuginfo-2.8.4-3.8.1
      pam_apparmor-2.8.4-3.8.1
      pam_apparmor-debuginfo-2.8.4-3.8.1
      perl-apparmor-2.8.4-3.8.1
      perl-apparmor-debuginfo-2.8.4-3.8.1
      python3-apparmor-2.8.4-3.8.1
      python3-apparmor-debuginfo-2.8.4-3.8.1
      ruby-apparmor-2.8.4-3.8.1
      ruby-apparmor-debuginfo-2.8.4-3.8.1

   - openSUSE 12.3 (x86_64):

      libapparmor1-32bit-2.8.4-3.8.1
      libapparmor1-debuginfo-32bit-2.8.4-3.8.1
      pam_apparmor-32bit-2.8.4-3.8.1
      pam_apparmor-debuginfo-32bit-2.8.4-3.8.1

   - openSUSE 12.3 (noarch):

      apparmor-docs-2.8.4-3.8.1
      apparmor-parser-lang-2.8.4-3.8.1
      apparmor-profiles-2.8.4-3.8.1
      apparmor-utils-2.8.4-3.8.1
      apparmor-utils-lang-2.8.4-3.8.1


References:

   https://bugzilla.suse.com/show_bug.cgi?id=846586
   https://bugzilla.suse.com/show_bug.cgi?id=848215
   https://bugzilla.suse.com/show_bug.cgi?id=850374
   https://bugzilla.suse.com/show_bug.cgi?id=851131
   https://bugzilla.suse.com/show_bug.cgi?id=852018
   https://bugzilla.suse.com/show_bug.cgi?id=853019
   https://bugzilla.suse.com/show_bug.cgi?id=856651
   https://bugzilla.suse.com/show_bug.cgi?id=857122
   https://bugzilla.suse.com/show_bug.cgi?id=863226
   https://bugzilla.suse.com/show_bug.cgi?id=869787
   https://bugzilla.suse.com/show_bug.cgi?id=870607
   https://bugzilla.suse.com/show_bug.cgi?id=885317
   https://bugzilla.suse.com/show_bug.cgi?id=886225
   https://bugzilla.suse.com/show_bug.cgi?id=889650
   https://bugzilla.suse.com/show_bug.cgi?id=889651
   https://bugzilla.suse.com/show_bug.cgi?id=889652
   https://bugzilla.suse.com/show_bug.cgi?id=892374
   https://bugzilla.suse.com/show_bug.cgi?id=899746
   https://bugzilla.suse.com/show_bug.cgi?id=904620
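
Added example (not part of the advisory or of the AppArmor project): the NOTE in the description says to run aa-status to find the processes that lost confinement and need a restart. The shell function below pulls exactly those entries out of aa-status text. The function names, the sample output and the assumed 2.8-era line layout (indented path followed by the PID in parentheses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the processes aa-status reports as
# "unconfined but have a profile defined" (the ones to restart).

# Reads aa-status text on stdin, prints "PID<TAB>binary" per affected process.
# Assumption: each process line is an indented path followed by "(pid)".
unconfined_with_profile() {
    awk '
        # Section header: start collecting from the next line.
        /processes are unconfined but have a profile defined/ { in_sec = 1; next }
        # Any non-indented line is a new summary line and ends the section.
        in_sec && /^[^ \t]/ { in_sec = 0 }
        in_sec && match($0, /\([0-9]+\)/) {
            pid  = substr($0, RSTART + 1, RLENGTH - 2)
            path = substr($0, 1, RSTART - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", path)
            printf "%s\t%s\n", pid, path
        }
    '
}

# Constructed sample output, not captured from a real host.
sample_status() {
    cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /usr/sbin/dnsmasq
   /usr/sbin/nscd
   /usr/sbin/ntpd
   /usr/sbin/winbindd
0 profiles are in complain mode.
3 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/nscd (812)
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/ntpd (1044)
   /usr/sbin/winbindd (1310)
EOF
}

# Demo on the sample; on a live system (as root):
#   aa-status | unconfined_with_profile
sample_status | unconfined_with_profile
```

An empty result after the update means every process with a loaded profile is confined again; any line printed names a service to restart.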