Hello community,
here is the log from the commit of package apparmor for openSUSE:Factory
checked in at Thu Feb 3 22:31:10 CET 2011.
--------
--- apparmor/apparmor.changes 2011-01-24 20:16:37.000000000 +0100
+++ apparmor/apparmor.changes 2011-01-25 23:26:29.000000000 +0100
@@ -1,0 +2,15 @@
+Tue Jan 25 23:25:28 CET 2011 - jeffm@suse.de
+
+- Updated dhclient profile and added dhclient-script profile (bnc#561152).
+
+-------------------------------------------------------------------
+Tue Jan 25 18:11:00 CET 2011 - jeffm@suse.de
+
+- Added ability to completely disable repositories.
+
+-------------------------------------------------------------------
+Mon Jan 24 21:27:45 CET 2011 - jeffm@suse.de
+
+- Properly indent sub-profiles after genprof completion (bnc#480795).
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
apparmor-profiles-dhclient
apparmor-remove-repo
genprof-whitespace-in-profile-fix
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.NNtH4j/_old 2011-02-03 22:29:59.000000000 +0100
+++ /var/tmp/diff_new_pack.NNtH4j/_new 2011-02-03 22:29:59.000000000 +0100
@@ -49,7 +49,7 @@
%endif
Summary: AppArmor userlevel parser utility
Version: %{srcversion}.%{bzr_commit}
-Release: 1
+Release: 2
Group: Productivity/Networking/Security
Source0: apparmor-%{srcversion}.tar.bz2
Source1: %{name}-profile-editor.png
@@ -86,13 +86,14 @@
Patch28: apparmor-2.5.1-unconfined-fixes
Patch29: apparmor-utils-inherit-flags-during-profile-generation
Patch30: apparmor-2.5.1-ldapclient-profile
-#Patch31:
-#Patch32:
+Patch31: genprof-whitespace-in-profile-fix
+Patch32: apparmor-remove-repo
Patch33: apparmor-2.5.1-ntpd-sys_nice
Patch34: apparmor-2.5.1-ssl-fix
Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
Patch36: klog-needs-CAP_SYSLOG
Patch37: apparmor-2.5.1-network-fixes
+Patch38: apparmor-profiles-dhclient
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
@@ -493,11 +494,14 @@
%patch28 -p1
%patch29 -p1
%patch30 -p1
+%patch31 -p1
+%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
+%patch38 -p1
%build
export SUSE_ASNEEDED=0
++++++ apparmor-profiles-dhclient ++++++
From: Jeff Mahoney
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney
---
profiles/apparmor/profiles/extras/sbin.dhclient | 60 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 60 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -12,12 +12,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
-# /bin/ps mixr,
-# /sbin/arp rmix,
-# /usr/bin/dig rmix,
-# /usr/bin/uptime rmix,
-# /usr/bin/vmstat rmix,
-# /usr/bin/w rmix,
+# /bin/ps mrix,
+# /sbin/arp mrix,
+# /usr/bin/dig mrix,
+# /usr/bin/uptime mrix,
+# /usr/bin/vmstat mrix,
+# /usr/bin/w mrix,
#include
@@ -25,25 +25,29 @@
#include
#include
#include
- /sbin/dhclient rmix,
- /sbin/dhclient-script rmix,
- /bin/bash rmix,
- /bin/df rmix,
+
+ network packet packet,
+
+ /sbin/dhclient mrix,
+
+ /sbin/dhclient-script mrix,
+ /bin/bash mrix,
+ /bin/df mrix,
/bin/netstat Px,
- /bin/ps mixr,
+ /bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
- @{PROC}/ r,
- @{PROC}/interrupts r,
- @{PROC}/net/dev r,
- @{PROC}/rtc r,
+ @{PROC}/ r,
+ @{PROC}/interrupts r,
+ @{PROC}/*/net/dev r,
+ @{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
- @{PROC}/self/status r,
- /sbin/arp rmix,
- /usr/bin/dig rmix,
- /usr/bin/uptime rmix,
- /usr/bin/vmstat rmix,
- /usr/bin/w rmix,
+ @{PROC}/self/status r,
+ /sbin/arp mrix,
+ /usr/bin/dig mrix,
+ /usr/bin/uptime mrix,
+ /usr/bin/vmstat mrix,
+ /usr/bin/w mrix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
@@ -53,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
+
+ # This one will need to be fleshed out depending on what the user is doing
+ /sbin/dhclient-script mrpx,
+
+ /bin/grep mrix,
+ /bin/sleep mrix,
+ /etc/sysconfig/network/dhcp r,
+ /etc/sysconfig/network/scripts/functions.common r,
+ /etc/sysconfig/network/scripts/functions r,
+ /sbin/ip mrix,
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /var/lib/dhcp/* rw,
+ /var/run/nm-dhclient-*.conf r,
+
}
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+ #include
+ #include
+ #include
+
+ /bin/bash rix,
+ /bin/grep rix,
+ /bin/sleep rix,
+ /bin/touch rix,
+ /dev/.sysconfig/network/** r,
+ /etc/netconfig.d/* mrix,
+ /etc/sysconfig/network/** r,
+ /sbin/dhclient-script r,
+ /sbin/ip rix,
+}
++++++ apparmor-remove-repo ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Allow repository to be completely disabled
This patch allows the repository to be completely disabled. It's been
subject to massive bitrot and isn't really maintained.
It will only confuse the user if they are asked for repository information
and it doesn't work.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 5 +++++
utils/logprof.conf | 4 ++++
2 files changed, 9 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -3107,6 +3107,8 @@ sub UI_repo_signup {
sub UI_ask_to_enable_repo {
my $q = { };
+ return if (defined $cfg->{settings}{allow_repository} &&
+ $cfg->{settings}{allow_repository} eq "no");
return if ( not defined $cfg->{repository}{url} );
$q->{headers} = [
gettext("Repository"), $cfg->{repository}{url},
@@ -3231,6 +3233,8 @@ sub get_preferred_user ($) {
sub repo_is_enabled () {
my $enabled;
+ return 0 if defined($cfg->{settings}{allow_repository}) &&
+ $cfg->{settings}{allow_repository} eq "no";
if ($cfg->{repository}{url} &&
$repo_cfg &&
$repo_cfg->{repository}{enabled} &&
@@ -3244,6 +3248,7 @@ sub repo_is_enabled () {
sub update_repo_profile {
my $profile = shift;
+ return undef if not repo_is_enabled();
return undef if ( not is_repo_profile($profile) );
my $distro = $cfg->{repository}{distro};
my $url = $profile->{repo}{url};
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -35,6 +35,10 @@
# files.
custom_includes =
+ # whether to prompt to enable repositories (values: yes/no)
+ # This feature has fallen to bitrot and should not be used.
+ allow_repository = no
+
[repository]
distro = ubuntu-intrepid
++++++ genprof-whitespace-in-profile-fix ++++++
From: Jeff Mahoney
Subject: apparmor-utils: setprofileflags() drops leading whitespace
References: bnc#480795
setprofileflags() drops leading whitespace for subprofiles. writeheader()
properly indents subprofiles 2 spaces per nesting level but when
genprof sets the profile to enforce mode at completion, the whitespace
is removed.
This patch adds the whitespace globbing to the regexp and uses it to
prefix the sub-profile with the correct spacing.
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
if (open(PROFILE, "$filename")) {
if (open(NEWPROFILE, ">$filename.new")) {
while (<PROFILE>) {
- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
- my ($binary, $flags) = ($1, $5);
+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
+ my ($space, $binary, $flags) = ($1, $2, $6);
if ($newflags) {
- $_ = "$binary flags=($newflags) {\n";
+ $_ = "$space$binary flags=($newflags) {\n";
} else {
- $_ = "$binary {\n";
+ $_ = "$space$binary {\n";
}
} elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
my ($hat, $flags) = ($1, $2);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org