openSUSE-RU-2014:0182-1: important: apparmor: Several fixes

openSUSE Recommended Update: apparmor: Several fixes
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2014:0182-1
Rating:             important
References:         #850374 #851131 #851984 #852018 #853019 #856651
Affected Products:  openSUSE 13.1
______________________________________________________________________________

An update that has 6 recommended fixes can now be installed.

Description:

This update fixes the following issues with apparmor:

- NOTE: Please consider a reboot after installing the update to resolve
  bnc#853019
- bnc#853019: %restart_on_update (in parser %postun) is "translated" to
  stop/start by the systemd wrapper, which removes AppArmor protection from
  running processes. Fixed by using a custom script instead
  + NOTE: The %postun from the previously installed apparmor-parser package
    will remove AppArmor protection from running processes a last time. Run
    aa-status to get a list of processes you need to restart, or reboot your
    computer.
- reload profiles in %post of the apparmor-profiles package
- bnc#851984:
  + update dovecot profiles to support dovecot 2.x, and add profiles for the
    parts of dovecot that were not covered yet.
  + do not add access to @{DOVECOT_MAILSTORE} - not required by the main
    binary
  + add abstractions/mysql
  + allow execution of some more /usr/lib/dovecot/* binaries
  + better restrict access to /var/spool/postfix/private/
  + NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
- allow to read mysql config files
- add abstractions/nameservice instead of allowing more and more files
- bnc#856651: allow samba to mkdir /var/run/samba and /var/cache/samba
- add abstractions/samba to usr.sbin.winbindd profile
- bnc#851131: add capabilities ipc_lock and setuid to usr.sbin.winbindd
  profile
- add Recommends: net-tools to apparmor-utils (needed by aa-unconfined)
- allow dnsmasq to read config created by recent NetworkManager
- bnc#852018: allow access to certificates in /var/lib/ca-certificates/
- bnc#850374: updated driftfile location for ntpd
- allow access to pid file and supplemental config directory

Patch Instructions:

To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

    zypper in -t patch openSUSE-2014-97

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):

    apache2-mod_apparmor-2.8.2-4.13.1
    apache2-mod_apparmor-debuginfo-2.8.2-4.13.1
    apparmor-debugsource-2.8.2-4.13.1
    apparmor-parser-2.8.2-4.13.1
    apparmor-parser-debuginfo-2.8.2-4.13.1
    libapparmor-devel-2.8.2-4.13.1
    libapparmor1-2.8.2-4.13.1
    libapparmor1-debuginfo-2.8.2-4.13.1
    pam_apparmor-2.8.2-4.13.1
    pam_apparmor-debuginfo-2.8.2-4.13.1
    perl-apparmor-2.8.2-4.13.1
    perl-apparmor-debuginfo-2.8.2-4.13.1
    python3-apparmor-2.8.2-4.13.1
    python3-apparmor-debuginfo-2.8.2-4.13.1
    ruby-apparmor-2.8.2-4.13.1
    ruby-apparmor-debuginfo-2.8.2-4.13.1

- openSUSE 13.1 (x86_64):

    libapparmor1-32bit-2.8.2-4.13.1
    libapparmor1-debuginfo-32bit-2.8.2-4.13.1
    pam_apparmor-32bit-2.8.2-4.13.1
    pam_apparmor-debuginfo-32bit-2.8.2-4.13.1

- openSUSE 13.1 (noarch):

    apparmor-docs-2.8.2-4.13.1
    apparmor-parser-lang-2.8.2-4.13.1
    apparmor-profiles-2.8.2-4.13.1
    apparmor-utils-2.8.2-4.13.1
    apparmor-utils-lang-2.8.2-4.13.1

References:

    https://bugzilla.novell.com/850374
    https://bugzilla.novell.com/851131
    https://bugzilla.novell.com/851984
    https://bugzilla.novell.com/852018
    https://bugzilla.novell.com/853019
    https://bugzilla.novell.com/856651
maintenance@opensuse.org