[Bug 1134289] New: ghostscript should not have a hard dependency on AppArmor
http://bugzilla.suse.com/show_bug.cgi?id=1134289 Bug ID: 1134289 Summary: ghostscript should not have a hard dependency on AppArmor Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor Assignee: suse-beta@cboltz.de Reporter: max@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- As a matter of personal preference I ususally set a "don't install" lock on AppArmor in my installations. But with sr#687694 a hard runtime dependency on apparmor-abstractions was added to the ghostscript package, which in turn pulls other AppArmor packages and makes it impossible to have an AppArmor-free system with ghostscript. As AppArmor is optional, I don't think packages like ghostscript should have such a hard dependency on it. Instead it should either be a weak dependency or no dependency at all. If a hard dependency is needed for some reason the AppArmor stuff for GS should be in an optional subpackage to retain the possibility to install GS without AppArmor. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1134289 Reinhard Max <max@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jsegitz@suse.com, | |jsmeix@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1134289 http://bugzilla.suse.com/show_bug.cgi?id=1134289#c1 Johannes Meixner <jsmeix@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED URL| |https://bugzilla.suse.com/s | |how_bug.cgi?id=1128608 Hardware|Other |All Found By|--- |Development Summary|ghostscript should not have |ghostscript should not have |a hard dependency on |a hard dependency on |AppArmor |AppArmor via "Requires: | |apparmor-abstractions" OS|Other |openSUSE Factory --- Comment #1 from Johannes Meixner <jsmeix@suse.com> --- I think the hard dependency on AppArmor via "Requires: apparmor-abstractions" was added because of bug#1128608 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1134289 http://bugzilla.suse.com/show_bug.cgi?id=1134289#c2 --- Comment #2 from Reinhard Max <max@suse.com> --- AFAICS %apparmor_reload does not produce code that has a hard requirement on any aparmor package: if [ "$YAST_IS_RUNNING" != "instsys" ]; then if /usr/bin/systemctl is-active --quiet apparmor.service; then /sbin/apparmor_parser -r -T -W /etc/apparmor.d/ghostscript &> /dev/null || : fi fi So, /sbin/apparmor_parser only gets run if apparmor.service is active, which can only be the case when the respective packages are installed. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1134289 Marcus Meissner <meissner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1134289 https://bugzilla.suse.com/show_bug.cgi?id=1134289#c5 Johannes Meixner <jsmeix@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- OS|openSUSE Factory |All --- Comment #5 from Johannes Meixner <jsmeix@suse.com> --- Now there is the OBS submitrequest https://build.opensuse.org/request/show/967447 to remove "Requires: apparmor-abstractions" from ghostscript.spec But I know basically nothing about AppArmor so I cannot make an educated decision (in particular not because it belongs to security) whether or not Ghostscript should require apparmor-abstractions -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1134289 https://bugzilla.suse.com/show_bug.cgi?id=1134289#c7 --- Comment #7 from Johannes Segitz <jsegitz@suse.com> --- From a security POV having this hard require is preferred as recommending it would cause quite a few systems not getting this protection. But I agree that with us doing more and more SELinux this is a problem, so I'm fine with this being dropped/converted. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1134289 https://bugzilla.suse.com/show_bug.cgi?id=1134289#c8 --- Comment #8 from Johannes Meixner <jsmeix@suse.com> --- I accepted https://build.opensuse.org/request/show/967447 "as is" i.e. it only removes "Requires: apparmor-abstractions" from ghostscript.spec because it "just builds" this way. Regarding whether or not Ghostscript has to package the /etc/apparmor.d/ directory there is already in ghostscript.spec ---------------------------------------------------- %if 0%{?suse_version} < 1500 %dir %{_sysconfdir}/apparmor.d %endif %{_sysconfdir}/apparmor.d/ghostscript ---------------------------------------------------- so the ghostscript RPM for SLE12 contains ---------------------------------------------------- drwxr-xr-x root root /etc/apparmor.d -rw-r--r-- root root /etc/apparmor.d/ghostscript ---------------------------------------------------- while the ghostscript RPM for SLE15 contains only ---------------------------------------------------- -rw-r--r-- root root /etc/apparmor.d/ghostscript ---------------------------------------------------- which seems to be OK. If /etc/apparmor.d/ was missing I would expect the build fails (I remember build failures if there are missing directories). -- You are receiving this mail because: You are on the CC list for the bug.
participants (2)
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com