[apparmor] Fwd: AppArmor 2.7-beta1

Christian Boltz opensuse at cboltz.de
Sun Aug 21 17:05:30 UTC 2011


Hello,

AppArmor 2.7 beta1 has been released and contains various bugfixes, for 
example a working ;-) aa-notify and systemd support.
(See release announcement at the end of this mail and 
http://wiki.apparmor.net/index.php/ReleaseNotes_2_7 for details)

    Jeff, can you please update the package in Factory?


As you know, I committed many patches upstream. The following patches are 
in 2.7 beta1 and can be removed from the openSUSE package:

apparmor-2.5.1-ntpd-sys_nice
apparmor-2.5.1-ssl-fix
apparmor-2.6.0-dhcpd
apparmor-compat-routines
apparmor-profiles-cupsd-fix
apparmor-profiles-dhclient
apparmor-profiles-sshd-fix (enhanced version with additional fixes)
apparmor-profiles-syslog-ng-fix
apparmor-profiles-usr.sbin.dnsmasq
apparmor-scripts
apparmor-securityfs-systemd.patch
apparmor-startproc.patch
apparmor-utils-add-log-types
apparmor-utils-filenames-in-slash
genprof-whitespace-in-profile-fix
klog-needs-CAP_SYSLOG

apparmor-remove-repo was implemented upstream in a different way and can 
most probably be removed.

Some of your patches that were "hidden" in the 11.4:Update package (but 
not in the Factory package) did not make it into 2.7 beta1:
- apparmor-profiles-dovecot (updated version that applies cleanly is 
  attached, but the new link permissions are still discussed upstream)
- apparmor-profiles-samba (updated version attached, with an additional
  fix for bnc#679182#c8)
- apparmor-profiles-traceroute (still applies)
Please include these patches in the Factory package.

apparmor-2.5.1-ldapclient-profile and apparmor-2.5.1-edirectory-profile 
are waiting for an answer from you on the AppArmor mailing list 
(see Steve's mail from 2011-08-08, "openSUSE profile patches - part 1").

The apparmor-utils-string-split patch wasn't liked too much because it 
would hardcode the line length into the translations. Kees thinks that 
the wrapping should be done by the code displaying the message. (Feel 
free to discuss this on the AppArmor mailing list.)

Some patches are intentionally not upstreamed.
For example, apparmor-utils-subdomain-compat should stay openSUSE-only 
and be removed when it's no longer needed for YaST.

I have also attached "osc-diff" that adds some notes to the remaining 
patches. It should apply to security:apparmor:factory without problems.

That all said, here's the upstream release announcement:

----------  Forwarded Message  ----------

Subject: [apparmor] AppArmor 2.7-beta1
Date: Saturday, 20 August 2011 02:25
From: John Johansen <john.johansen at canonical.com>
To: apparmor <apparmor at lists.ubuntu.com>

The AppArmor development team is pleased to announce the 2.7-beta1
of the AppArmor user space components. This release is an incremental
improvement over the AppArmor 2.6.2 release, focusing on fixing bugs
in the userspace code.

The release is available from

  http://launchpad.net/apparmor/2.7/2.7.beta1/+download/apparmor-2.7.0~beta1.tar.gz

or

  http://kernel.org/pub/linux/security/apparmor/AppArmor-2.7/apparmor-2.7.0~beta1.tar.gz

and has the following md5sum

  1f543d99868d640b1c4574ee33493087

A detached gnupg signature is available at

  http://launchpad.net/apparmor/2.7/2.7.beta1/+download/apparmor-2.7.0~beta1.tar.gz.asc

which should indicate it was signed with John Johansen's signing key
having the fingerprint

D926 7844 5CD9 BFA5 6C74 EC8E C405 7122 C10A 23E6

The release notes for the 2.7-beta1 release are available at

  http://wiki.apparmor.net/index.php/ReleaseNotes_2_7

Please report any bugs you may find via the Launchpad AppArmor project
on Launchpad at https://launchpad.net/apparmor/ .

Thanks!

-- John Johansen <john.johansen at canonical.com>

-- 
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

-------------------------------------------------------


Regards,

Christian Boltz
-- 
In my defense: I couldn't read it through again, because my pack of
cigarettes was empty and so I had to leave the house quickly.
The new year - not even 11 days old, and the (good)
resolutions are already all overboard....      [Rüdiger Meier in suse-linux]
-------------- next part --------------
Dovecot profile update:
- allow /var/spool/mail, not only the /var/mail symlink
- allow @{HOME}/Mail/
- allow capability fsetid, read access to /etc/lsb-release and 
  SuSE-release and k for /var/{lib,run}/dovecot in usr.bin.dovecot

References:
- dovecot: Added support for /var/spool/mail (bnc#691072)
- Updated dovecot profile (bnc#681267).

Patch taken from openSUSE:11.4:Update:Test, file apparmor-profiles-dovecot
updated to match trunk by Christian Boltz <apparmor at cboltz.de>


=== modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver'
--- profiles/apparmor.d/usr.lib.dovecot.deliver	2010-08-05 19:00:02 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.deliver	2011-08-19 10:38:48 +0000
@@ -17,6 +17,7 @@
   @{HOME}/mail/.imap/** klrw,
   /usr/lib/dovecot/deliver mr,
   /var/mail/* klrw,
+  /var/spool/mail/* klrw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.deliver>
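
Review bot: The added `/var/spool/mail/* klrw,` line repeats the `/var/mail/* klrw,` rule directly above it with only the path changed. Since the description says /var/mail is a symlink to /var/spool/mail, a single alternation rule such as `/var/{spool/,}mail/* klrw,` would keep the two paths and their permissions from drifting apart in later edits.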

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap	2010-08-05 19:00:02 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap	2011-08-19 10:39:44 +0000
@@ -11,11 +11,15 @@
   @{HOME} r,
   @{HOME}/Maildir/ rw,
   @{HOME}/Maildir/** klrw,
+  @{HOME}/Mail/ rw,
+  @{HOME}/Mail/* klrw,
+  @{HOME}/Mail/.imap/** klrw,
   @{HOME}/mail/ rw,
   @{HOME}/mail/* klrw,
   @{HOME}/mail/.imap/** klrw,
   /usr/lib/dovecot/imap mr,
   /var/mail/* klrw,
+  /var/spool/mail/* klrw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.imap>
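
Review bot: The new `@{HOME}/Mail/* klrw,` rule matches only direct children of ~/Mail, unlike `@{HOME}/Maildir/** klrw,` above it, so folders nested below ~/Mail (other than `.imap/`) stay denied. If that is meant to mirror the lowercase `mail` rules, fold the three added lines into the existing ones with an alternation, for example `@{HOME}/{M,m}ail/* klrw,`, rather than duplicating them.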

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
--- profiles/apparmor.d/usr.lib.dovecot.pop3	2010-08-05 19:00:02 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.pop3	2011-08-19 10:37:59 +0000
@@ -9,6 +9,7 @@
   capability setuid,
 
   /var/mail/* klrw,
+  /var/spool/mail/* klrw,
   @{HOME} r,
   @{HOME}/mail/* klrw,
   @{HOME}/mail/.imap/** klrw,
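
Review bot: The pop3 profile receives the `/var/spool/mail/* klrw,` rule but no `@{HOME}/Mail/` rules, although the context shows it already allows `@{HOME}/mail/* klrw,` and `@{HOME}/mail/.imap/** klrw,` and the imap profile gets capitalised counterparts in this same patch. Either add the matching `@{HOME}/Mail/` lines here or state in the description that the ~/Mail change is imap-only.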

=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot	2011-07-14 12:57:57 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot	2011-08-19 10:44:14 +0000
@@ -13,9 +13,12 @@
   capability setgid,
   capability setuid,
   capability sys_chroot,
+  capability fsetid,
 
   /etc/dovecot/** r,
   /etc/mtab r,
+  /etc/lsb-release r,
+  /etc/SuSE-release r,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
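
Review bot: `capability fsetid,` and the two release-file reads (`/etc/lsb-release r,` and `/etc/SuSE-release r,`) are added without a comment saying which dovecot operation needs them. A one-line comment above each would let a later reviewer judge whether the grant is still required; the `/etc/SuSE-release` rule is distribution-specific and worth marking as such.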
@@ -26,10 +29,10 @@
   /usr/lib/dovecot/managesieve-login Pxmr,
   /usr/lib/dovecot/ssl-build-param ixr,
   /usr/sbin/dovecot mr,
-  /var/lib/dovecot/ w,
-  /var/lib/dovecot/* krw,
-  /{,var/}run/dovecot/ rw,
-  /{,var/}run/dovecot/** rw,
+  /var/lib/dovecot/ wl,
+  /var/lib/dovecot/* krwl,
+  /{,var/}run/dovecot/ rwl,
+  /{,var/}run/dovecot/** rwl,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.dovecot>
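
Review bot: The description announces `k` for /var/{lib,run}/dovecot, but the changed lines add `l` (link) instead: `/var/lib/dovecot/* krwl,` already had `k`, and the two `/{,var/}run/dovecot/` rules end up as `rwl` with no `k` at all. Correct whichever of the description or the rules is wrong, and explain what `l` is meant to allow on the two rules ending in `/`, which match only directories. The description also names usr.bin.dovecot while the modified file is usr.sbin.dovecot.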

-------------- next part --------------
An embedded message was scrubbed...
From: Jeff Mahoney <jeffm at suse.com>
Subject: apparmor-profiles: Add samba config files
Date: no date
Size: 2110
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110821/35db5420/attachment-0001.mht>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: osc-diff
Type: text/x-patch
Size: 1449 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110821/35db5420/attachment-0001.bin>
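
The release check described in the forwarded announcement, as an added example that is not part of the original mail: it compares the tarball's md5sum and the signer fingerprint reported by gpg against the two values quoted there. The function names are hypothetical, and it assumes the tarball and its .asc file are already downloaded and the signer's public key is in the local keyring. The md5sum only catches a corrupted download; the fingerprint check on the signature is what ties the file to the signer.

```shell
#!/bin/sh
# Added example: check a downloaded AppArmor 2.7-beta1 tarball against the
# md5sum and signing-key fingerprint quoted in the announcement.
# Function names are hypothetical; the two values come from the announcement.
EXPECTED_MD5="1f543d99868d640b1c4574ee33493087"
EXPECTED_FPR="D926 7844 5CD9 BFA5 6C74 EC8E C405 7122 C10A 23E6"

# Strip spaces and upper-case hex digits so fingerprints compare textually.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# validsig_matches STATUS_TEXT FINGERPRINT
# Succeeds only if gpg's --status-fd output has a VALIDSIG line whose signing
# key ($3) or primary key (last field) has the expected fingerprint.
# GOODSIG alone is not accepted: it may carry only a key ID.
validsig_matches() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Appending "" forces string comparison of the hex digits.
            if (($3 "") == (want "") || ($NF "") == (want "")) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release TARBALL SIGNATURE
# Assumes the signer's public key is already in the local gpg keyring.
verify_release() {
    got_md5=$(md5sum "$1" | cut -d' ' -f1)
    [ "$got_md5" = "$EXPECTED_MD5" ] || { echo "md5sum mismatch" >&2; return 1; }
    # gpg exits non-zero on a bad signature; the status text decides below.
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || :
    validsig_matches "$status" "$EXPECTED_FPR" ||
        { echo "signature not made by the expected key" >&2; return 1; }
    echo "OK: $1"
}
```

Run it as `verify_release apparmor-2.7.0~beta1.tar.gz apparmor-2.7.0~beta1.tar.gz.asc` after sourcing the file.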

