Hello community, here is the log from the commit of package apparmor-profiles checked in at Fri Nov 17 02:02:07 CET 2006.
--------
--- apparmor-profiles/apparmor-profiles.changes 2006-11-15 00:18:35.000000000 +0100
+++ /mounts/work_src_done/NOARCH/apparmor-profiles/apparmor-profiles.changes 2006-11-17 01:44:27.000000000 +0100
@@ -1,0 +2,7 @@
+Fri Nov 17 01:43:08 CET 2006 - srarnold@suse.de
+
+- Bug 221567 - apparmor causes kernel lockup if there is any audit backlog
+ - remove netstat profile as it will trigger this bug easily
+- Bug 221111 - ntpd needs access to /proc/net/if_inet6
+
+-------------------------------------------------------------------
Old:
----
apparmor-profiles-2.0.1-233.tar.gz
New:
----
apparmor-profiles-2.0.1-240.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor-profiles.spec ++++++
--- /var/tmp/diff_new_pack.a70AWn/_old 2006-11-17 02:01:55.000000000 +0100
+++ /var/tmp/diff_new_pack.a70AWn/_new 2006-11-17 02:01:55.000000000 +0100
@@ -16,9 +16,9 @@
 %endif
 Summary: AppArmor profiles that are loaded into the apparmor kernel module
 Version: 2.0.1
-Release: 5
+Release: 7
 Group: Productivity/Security
-Source0: %{name}-%{version}-233.tar.gz
+Source0: %{name}-%{version}-240.tar.gz
 License: GNU General Public License (GPL), Other License(s), see package
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 URL: http://forge.novell.com/modules/xfmod/project/?apparmor
@@ -77,6 +77,10 @@
 %preun
 %changelog -n apparmor-profiles
+* Fri Nov 17 2006 - srarnold@suse.de
+- Bug 221567 - apparmor causes kernel lockup if there is any audit backlog
+ - remove netstat profile as it will trigger this bug easily
+- Bug 221111 - ntpd needs access to /proc/net/if_inet6
 * Mon Nov 13 2006 - srarnold@suse.de
 - Bug 219583 - rejecting w access for syslog-ng
 add /var/lib/*/dev/log access for chroot'd applications
++++++ apparmor-profiles-2.0.1-233.tar.gz -> apparmor-profiles-2.0.1-240.tar.gz ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-profiles-2.0.1/common/Make-po.rules new/apparmor-profiles-2.0.1/common/Make-po.rules
--- old/apparmor-profiles-2.0.1/common/Make-po.rules 2006-11-04 22:34:47.000000000 +0100
+++ new/apparmor-profiles-2.0.1/common/Make-po.rules 2006-11-15 10:22:15.000000000 +0100
@@ -1,4 +1,4 @@
-# $Id: Make-po.rules 199 2006-11-04 21:34:47Z steve-beattie $
+# $Id: Make-po.rules 238 2006-11-15 09:22:15Z steve-beattie $
 # ------------------------------------------------------------------
 #
 # Copyright (C) 2002-2005 Novell/SUSE
@@ -20,7 +20,8 @@
 # pass in the list of sources in the SOURCES variable
 PARENT_SOURCES=$(foreach source, ${SOURCES}, ../${source})
-TARGET_MOS=$(foreach lang, ${LANGS}, ${lang}.mo)
+LANGS=$(patsubst %.po, %, $(wildcard *.po))
+TARGET_MOS=$(foreach lang, $(filter-out $(DISABLED_LANGS),$(LANGS)), ${lang}.mo)
 .PHONY: all
 all: ${TARGET_MOS}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-profiles-2.0.1/enabled/bin.netstat new/apparmor-profiles-2.0.1/enabled/bin.netstat
--- old/apparmor-profiles-2.0.1/enabled/bin.netstat 2006-08-04 21:13:59.000000000 +0200
+++ new/apparmor-profiles-2.0.1/enabled/bin.netstat 1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-# $Id: bin.netstat 90 2006-08-04 19:13:59Z seth_arnold $
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2005 Novell/SUSE
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# evolution, amongst other things, calls this program. I didn't want to
-# give evolution access to significant chunks of /proc
-#
-
-#include <tunables/global>
-
-/bin/netstat {
- #include <abstractions/base>
- #include <abstractions/consoles>
- #include <abstractions/nameservice>
-
- capability dac_override,
- capability dac_read_search,
-
- /bin/netstat rmix,
- /etc/networks r,
- /proc r,
- /proc/[0-9]*/cmdline r,
- /proc/[0-9]*/fd r,
- /proc/net r,
- /proc/net/* r,
-}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-profiles-2.0.1/enabled/usr.sbin.ntpd new/apparmor-profiles-2.0.1/enabled/usr.sbin.ntpd
--- old/apparmor-profiles-2.0.1/enabled/usr.sbin.ntpd 2006-11-14 12:17:22.000000000 +0100
+++ new/apparmor-profiles-2.0.1/enabled/usr.sbin.ntpd 2006-11-16 13:16:10.000000000 +0100
@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 # Last Modified: Sun Jan 22 00:11:27 2006
-# $Id: usr.sbin.ntpd 233 2006-11-14 11:17:22Z seth_arnold $
+# $Id: usr.sbin.ntpd 240 2006-11-16 12:16:10Z seth_arnold $
 # ------------------------------------------------------------------
 #
 # Copyright (C) 2002-2005 Novell/SUSE
@@ -33,6 +33,7 @@
 /etc/ntp/keys r,
 /etc/ntp/step-tickers r,
 /tmp/ntp* rwl,
+ /proc/net/if_inet6 r,
 /usr/sbin/ntpd rmix,
 /var/lib/ntp/etc/ntp.conf.iburst r,
 /var/lib/ntp/drift rwl,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-profiles-2.0.1/extras/bin.netstat new/apparmor-profiles-2.0.1/extras/bin.netstat
--- old/apparmor-profiles-2.0.1/extras/bin.netstat 1970-01-01 01:00:00.000000000 +0100
+++ new/apparmor-profiles-2.0.1/extras/bin.netstat 2006-11-16 13:00:00.000000000 +0100
@@ -0,0 +1,33 @@
+# $Id: bin.netstat 239 2006-11-16 12:00:00Z seth_arnold $
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# evolution, amongst other things, calls this program. I didn't want to
+# give evolution access to significant chunks of /proc
+#
+
+#include <tunables/global>
+
+/bin/netstat {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /bin/netstat rmix,
+ /etc/networks r,
+ /proc r,
+ /proc/[0-9]*/cmdline r,
+ /proc/[0-9]*/fd r,
+ /proc/net r,
+ /proc/net/* r,
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
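Review bot: The added rule `/proc/net/if_inet6 r,` in the usr.sbin.ntpd hunk has no comment tying the permission to its reason, and it sits after the `/tmp/ntp*` entry rather than in path order. Granting read access to this single file instead of a `/proc/net/*` glob is the right scope. I would add a line above it such as `# IPv6 interface list read by ntpd (Bug 221111)` so a later audit of the profile can trace the grant. The profile body starts and ends outside this hunk, so any other /proc rules it may hold are not visible here.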
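Review bot: Nothing in the new extras/bin.netstat records why the profile was taken out of enabled/; its body matches the removed enabled/bin.netstat apart from the `$Id` line. The changelog ties the move to Bug 221567 (kernel lockup when there is an audit backlog), so an administrator who copies the profile back into the active set gets no warning from the file itself. I would add a header comment after the "evolution" paragraph such as `# Moved to extras: loading this profile easily triggers Bug 221567 (kernel lockup on audit backlog).` Separately, `capability dac_override,` looks broader than a read-only tool should need alongside `capability dac_read_search,`; that is an inference from the visible rules and worth confirming before the profile is re-enabled.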