# $Id: apparmor-parser.spec.in 6358 2006-04-01 09:06:53Z dominic $ # # ---------------------------------------------------------------------- # Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved) # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, contact Novell, Inc. # ---------------------------------------------------------------------- # norootforbuild # Check first to see if distro is already defined. %if ! %{?distro:1}0 %define distro suse %endif Summary: AppArmor userlevel parser utility. Name: apparmor-parser Version: @@immunix_version@@ Release: @@repo_version@@ Group: Applications/System Source0: %{name}-%{version}-@@repo_version@@.tar.gz License: GPL BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build Url: http://forge.novell.com/modules/xfmod/project/?apparmor Prereq: sed %if %{distro} == "suse" Prereq: %{insserv_prereq} aaa_base %endif %if %{distro} == "rhel4" Prereq: apparmor-master %endif %if %{suse_version}%{!?suse_version:1} > 1000 BuildRequires: libcap-devel %else BuildRequires: libcap %endif Obsoletes: subdomain_parser subdomain-parser Obsoletes: subdomain-parser-demo subdomain-parser-common subdomain-leaf-cert Obsoletes: libimnxcert Provides: subdomain_parser subdomain-parser Provides: subdomain-parser-demo subdomain-parser-common subdomain-leaf-cert Provides: libimnxcert %define apparmor_bin_prefix /lib/apparmor %description AppArmor Parser is a userlevel program that is used to load in program profiles to the AppArmor Security kernel module. This package is part of a suite of tools that used to be named SubDomain. %prep %setup -q %build make clean all CFLAGS="${RPM_OPT_FLAGS}" %install make install DESTDIR=${RPM_BUILD_ROOT} \ DISTRO=%{distro} \ APPARMOR_BIN_PREFIX=${RPM_BUILD_ROOT}%{apparmor_bin_prefix} %clean [ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc README COPYING.GPL /sbin/apparmor_parser %dir %attr(-, root, root) /etc/apparmor %if %{distro} == "suse" /sbin/rcsubdomain /sbin/rcapparmor /etc/init.d/boot.apparmor /sbin/rcaaeventd /etc/init.d/aaeventd %else /etc/init.d/apparmor /etc/init.d/aaeventd %endif %config(noreplace) /etc/apparmor/subdomain.conf /var/lib/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{_prefix}/share/locale/*/*/apparmor-parser.mo %pre %if %{distro} == "redhat" || %{distro} == "rhel4" if [ -f /etc/init.d/subdomain ] ; then chkconfig --del subdomain fi %endif %post %if %{distro} == "suse" # SUSE uses insserv # For package renaming from subdomain -> apparmor # we check the existence of the AppArmor 1.1 and # AppArmor 1.2 based init script to help determine # whether we are upgrading SUBDOMAIN_PARSER_INSTALLED="no" if test -e /etc/init.d/boot.subdomain -o -e /etc/init.d/subdomain; then SUBDOMAIN_PARSER_INSTALLED="yes" fi if test "$1" == 1 -a $SUBDOMAIN_PARSER_INSTALLED = "no"; then %{insserv_force_if_yast boot.apparmor} elif test -e /etc/rc.d/boot.d/S??boot.subdomain -o \ -e /etc/rc.d/boot.d/S??boot.apparmor -o \ -e /etc/rc.d/rc3.d/S??subdomain ; then %{insserv_force_if_yast boot.apparmor} else %{fillup_and_insserv -f boot.apparmor} fi %endif %if %{distro} == "redhat" || %{distro} == "rhel4" chkconfig --add apparmor %endif %if %{distro} == "slackware" if grep -qs "# BEGIN rc.subdomain INSERTION" /etc/rc.d/rc.M ; then true ; else %{apparmor_bin_prefix}/install/frob_slack_rc --init fi if grep -qs "# BEGIN rc.subdomain INSERTION" /etc/rc.d/rc.K ; then true ; else %{apparmor_bin_prefix}/install/frob_slack_rc --shutdown fi %endif if [ %{?suse_version}%{!?suse_version:1} -le 1000 ] ; then SFS_MOUNTPOINT=$(grep subdomainfs /etc/fstab | \ sed -e 's|^[[:space:]]*[^[:space:]]+[[:space:]]\+\(/[^[:space:]]*\)[[:space:]]\+subdomainfs.*$|\1|' 2> /dev/null) if [ "X" == "X${SFS_MOUNTPOINT}" ]; then echo "subdomain /subdomain subdomainfs noauto 0 0" >> /etc/fstab fi fi %preun if [ "$1" = 0 ] ; then %if %{distro} == "suse" /sbin/insserv -r boot.apparmor %endif %if %{distro} == "redhat" || %{distro} == "rhel4" chkconfig --del apparmor %endif fi %postun %if %{distro} == "suse" %{insserv_cleanup} %endif %changelog * Sat Oct 28 2006 - olh@suse.de - boot.apparmor should start after boot.localfs (#215156) * Thu Oct 12 2006 - sbeattie@suse.de - get rid of /subdomain (#160020) * Tue Oct 10 2006 - sbeattie@suse.de - add support for #include'ing directories - updated i18n messages/other fixes * Fri Jul 28 2006 - olh@suse.de - make boot.localfs optional in boot.apparmor (#181972) * Mon Jun 05 2006 - sbeattie@suse.de - Add support for 'm' flag (mmap w/PROT_EXEC permission) (#175388) - Add Px and Ux flags to indicate to ld.so that sensitive environemnt variables should be filtered on exec() (#172061) The m, Px, and Ux flags are added in such a way that apparmor modules without corresponding support will just ignore them. - Fix segv if profiles directory does not exist (#160330) - Fix aaeventd initscript description (#172961) - Add check to verify module supports pcre - Add regression tests and run on every build - Other minor fixups * Fri May 26 2006 - schwab@suse.de - Don't strip binaries. * Thu Apr 27 2006 Steve beattie - Fix segv if profile dirs don't exist (#160330) * Tue Apr 11 2006 Steve Beattie - Move svn tree to novell forge; fixup build for new layout * Sat Apr 1 2006 Dominic Reynolds 2.0-7.5 - Fix upgrade problems (#156990) * Wed Mar 15 2006 Steve Beattie 2.0-7.4 - Obsoleted libimnxcert (#157450) * Fri Feb 10 2006 Steve Beattie 2.0-7.3 - Filter multiple slashes and trailing slashes in pathnames - Use RPM_OPT_FLAGS - A few s/SubDomain/AppArmor/ fixups in error messages * Sun Feb 5 2006 Steve Beattie 2.0-7 - Fix one last issue in initscript handling of whitespace (#141288) - Add libcap-devel dependency for newer SUSE distros - Fix shutting down aa-eventd - Add option to enable/disable aa-eventd - Disable owlsm warning if module doesn't support it * Fri Jan 27 2006 Steve Beattie 2.0-6 - s/none/securityfs/ in the initscript - add support for if {} else if {} - rename initscript to rc.apparmor - support /etc/apparmor.d - add buildrequires on libcap-devel * Wed Jan 25 2006 Dominic Reynolds 2.0-5.1 - Updated rc.subdomain.functions to reference newly named event daemon aa-eventd * Sun Jan 22 2006 Steve Beattie 2.0-5 - convert to fillupand_insserv macro, reenable apparmor by default - add prereq on aaa_base - remove initscript dependency on boot.ldconfig - Don't edit fstab on newer suse releases - Add build dependency on libcap-devel * Tue Jan 10 2006 Steve Beattie 2.0-4 - Add support for giving a filename on the parser command line - Some refactoring of code in prep for variable support. - Add svn repo to tarball - Rename service provided by initscript to apparmor - Initial set variable support - Restructure global policy list - Fix leaks found by valgrind - Restructure hats within profiles, detect duplicate hats - Add basic conditional statement support - Fix debug mode to not attempt to load policy - Fix initscript to handle profiles with spaces in their name #141288 * Wed Dec 14 2005 Steve Beattie 2.0-3 - Remove old-style change_hat definition support * Thu Dec 8 2005 Steve Beattie 2.0-2 - Fix references to old package name in .po files * Wed Dec 7 2005 Steve Beattie 2.0-1 - Reset version for inclusion in SUSE autobuild. * Wed Dec 7 2005 Steve Beattie 1.99-42 - Fix initscript to work with securityfs * Wed Nov 30 2005 Steve Beattie 1.99-41 - Rename package to apparmor-parser * Wed Nov 30 2005 Steve Beattie 1.99-40_imnx - Strip AALite. * Wed Nov 30 2005 Steve Beattie 1.99-39_imnx - Convert license to GPL * Tue Nov 29 2005 Steve Beattie 1.99-38_imnx - Make initscript use subdomain_status if available - Fixed up one last #include return code case - Stricter lexing on flags and hatnames - Fix -I to be additive, rather than reset include paths - Switch to lookup table for keywords in lexer - Remove deprecated code and interfaces - Fixup alignment warnings on ia64 - bzero pcre structure before compiling regex fix - kill parser_sysctl.c, merged into parser_interface.c - Add some additional compiler warnings, if available - Clean up getopt_long handling - Add support for securityfs, --subdomainfs option * Thu Nov 3 2005 Steve Beattie 1.99-37_imnx - Fix up small signed/unsigned issue. * Mon Oct 31 2005 Steve Beattie 1.99-36_imnx - Fix for potential pcre problem: CAN-2005-2491 #106209 * Thu Oct 27 2005 Steve Beattie 1.99-35_imnx - Fixed include handling to return an error code #129291 * Wed Oct 26 2005 Steve Beattie 1.99-34_imnx - Merge fixes over from shass-1.2 branch: - make sd-event-dispatch.pl be under rcsubdomain control. - add reload, force-reload, and try-restart options to initscript - jj's fix for include handling * Wed Oct 19 2005 Steve Beattie 1.99-33_imnx - Fix up dumb termination error on getopt_long arg. * Tue Sep 6 2005 Seth Arnold 1.99-32_imnx - move the abstractions/ and program-chunks/ to the profiles package * Fri Sep 2 2005 Steve Beattie - don't link full version against libimnxcert * Thu Sep 1 2005 Steve Beattie 1.99-26_imnx - Accept dos style line-endings. * Mon Aug 29 2005 Steve Beattie 1.99-25_imnx - Move subdomain to boot.subdomain to ensure earlier startup * Mon Aug 29 2005 Steve Beattie 1.99-24_imnx - add 'status' to initscript usage statement * Fri Aug 26 2005 Steve Beattie 1.99-23_imnx - Added common dependency on the subdomain-profiles package. * Wed Aug 24 2005 Steve Beattie 1.99-22_imnx - more merge from 1.2: - cleanup last of intl code changes - actually install rootcert.pem - Makefile cleanup * Wed Aug 24 2005 Steve Beattie 1.99-21_imnx - Merge from 1.2: - Allow debugging of profiles as non-root. - Other locale cleanup. - use %{_prefix} - Use PERROR in more locations. - Use a common po/Make.rules - Add beginnings of i18n support to the parser. * Tue Aug 23 2005 Steve Beattie 1.99-20_imnx - Fixup the rest of the libexec locations - Merge fixup from dreynolds: - Changed the bin_exec path to /usr/lib/subdomain from /usr/libexec/subdomain * Tue Aug 23 2005 Steve Beattie 1.99-19_imnx - switch to alternatives based selection between full and demo version * Wed Aug 10 2005 Steve Beattie 1.99-18_imnx - strip installed binaries * Tue Aug 9 2005 Steve Beattie 1.99-17_imnx - Fixup some message handling in the initscripts - Make demo package depend on meta-package subdomain-cert - keep buildcache quiet when reading from a pipe * Mon Aug 8 2005 Tony Jones 1.99-16_imnx - Fix for bug#3105 aalite parser occasionally segfaults (free/zero cached cert) - Free certtree/cachelist (cache) when parser quits * Fri Jul 22 2005 Steve Beattie 1.99-16_imnx - Split out parser-demo and parser-common packages * Tue Jul 12 2005 Steve Beattie 1.99-15_imnx - First cut at /etc/init.d/subdomain status * Mon Jul 11 2005 Steve Beattie 1.99-14_imnx - Better error messages on stop when non-root. * Mon Jul 11 2005 Steve Beattie 1.99-13_imnx - More liberal parsing of /etc/fstab * Wed Jul 6 2005 Steve Beattie 1.99-12_imnx - Fixes from tonyj: - allow parser to bypass the cache - change buildcache to pass strict option to libimnxcert * Thu Jun 23 2005 Steve Beattie 1.99-11_imnx - Add trigger for upgrading from subdomain_parser to subdomain-parser * Wed Jun 22 2005 Steve Beattie 1.99-10_imnx - Add /etc/apparmor/certs/ * Thu Jun 16 2005 Steve Beattie 1.99-9_imnx - Merge in the certificate handling code. - Merge in buildcache. * Fri May 20 2005 Steve Beattie 1.99-8_imnx - /etc/immunix -> /etc/apparmor * Mon Mar 29 2005 Steve Beattie 1.99-7_imnx - Don't statically link the parser. * Fri Mar 11 2005 Steve Beattie 1.99-6_imnx - Rename package to make it more consistent with the other packages. * Tue Mar 8 2005 Steve Beattie 1.99-5_imnx - Mark subdomain.conf as a config file. Sigh. - Move subdomain.conf to /etc/immunix, and fix initscripts to deal. * Sun Feb 20 2005 Seth Arnold 1.99-4_imnx - internal cleanups * Fri Feb 11 2005 Steve Beattie 1.99-3_imnx - Duh, reconfigure owlsm on restart as well, plus include updates * Mon Feb 7 2005 Steve Beattie 1.99-2_imnx - Add ability to configure owlsm in /etc/subdomain.conf * Fri Feb 4 2005 Seth Arnold 1.99-1_imnx - Reversion to 1.99 * Tue Jan 11 2005 Seth Arnold 1.2-16_imnx - Add some 64-bit paths to profiles * Wed Nov 17 2004 Steve Beattie 1.2-15_imnx - Sigh, rpm 4.0.3 doesn't support nest if's > 2 deep. - Fixups so package builds on RHEL3 - eliminate dupe abstraction/chunks. * Mon Nov 15 2004 Seth Arnold 1.2-14_imnx - remove generic inherit executable support in apache's DEFAULT_URI * Fri Nov 12 2004 Steve Beattie 1.2-13_imnx - Fix to rc.subdomain.functions (bug #2776) * Fri Nov 12 2004 Seth Arnold 1.2-12_imnx - gratuitious version bump to add changelog entry to apologize for the missing changelog entry two days earlier -- postfix profile fixes * Thu Nov 10 2004 Steve Beattie 1.2-11_imnx - Use make install to install the abstractions and chunks. * Wed Nov 10 2004 Steve Beattie 1.2-10_imnx - Refactored the initscripts * Tue Nov 9 2004 Steve Beattie 1.2-9_imnx - More slack stuff. * Sun Nov 7 2004 Steve Beattie 1.2-8_imnx - Initial infrastructure support for slack. * Fri Nov 5 2004 Seth Arnold 1.2-7_imnx - procmail and postfix additions * Fri Oct 29 2004 Seth Arnold 1.2-6_imnx - postfix proxymap * Tue Oct 26 2004 Seth Arnold 1.2-5_imnx - typo fix in initscrpit * Tue Oct 26 2004 Seth Arnold 1.2-3_imnx - new netdomain rules for squid, open all outgoing for ftp, add another specific rule for another web port. * Tue Oct 19 2004 Seth Arnold 1.2-3_imnx - setgid,setuid ngroups_max for postfix-bounce, private/bounce for qmgr * Wed Oct 13 2004 Seth Arnold 1.2-2_imnx - remove program-chunks/apache-subprofiles * Tue Oct 12 2004 Steve Beattie 1.2-1_imnx - Bump rev after shass-1.1 branch * Tue Oct 5 2004 Seth Arnold 1.0-47_imnx - restructure directories * Tue Sep 28 2004 John Johansen 1.0-46_imnx - fix incompatability between new hats and old interface * Mon Sep 27 2004 John Johansen 1.0-45_imnx - add quoted rules * Wed Sep 22 2004 John Johansen 1.0-44_imnx - fix buffer resizing bug - reduce amount of redundancy in passed data - split pcre regex, tail globs, and basic file rules to enable future kernel optimization * Fri Sep 17 2004 John Johansen 1.0-43_imnx - add back in the ioctl interface for conditional compiles against the F5 branch * Wed Sep 15 2004 John Johansen 1.0-42_imnx - remove the 2.6 ioctl module interface * Wed Sep 1 2004 John Johansen 1.0-41_imnx - Add the ability to nest hats inside a profile * Mon Aug 30 2004 Steve Beattie 1.0-40_imnx - Clean up copyright statements. * Mon Aug 23 2004 Steve Beattie 1.0-33_imnx - Fixed License: tag, stopped including obsolete license. * Fri Jul 23 2004 Steve Beattie 1.0-26_imnx - Small fix to portable API interface. * Wed Jul 21 2004 Steve Beattie 1.0-25_imnx - resurrect Red Hat style initscript * Wed Jul 21 2004 Steve Beattie 1.0-23_imnx - use distro specific init scripts * Wed Jul 21 2004 Steve Beattie 1.0-22.16_imnx - first attempt to make rpm portable to both SuSE and Red Hat * Tue Jul 20 2004 Steve Beattie 1.0-22.15_imnx - Merge in JJ's 64-bit clean interface * Wed Jun 23 2004 Seth Arnold 1.0-22.13_imnx - apache manual * Tue Jun 22 2004 Seth Arnold 1.0-22.12_imnx - modified user-custom/squid * Sat Jun 12 2004 John Johansen 1.0-22.7_imnx - fix segfault in parser - change rc.subdomain restart to compare loaded profiles to profiles in /etc/subdomain.d and remove the profiles that are loaded that are not in /etc/subdomain.d * Fri Jun 11 2004 John Johansen 1.0-22.7_imnx - update parser to get subdomain filesystem mnt point from /etc/fstab - add build-panic option to init script * Fri Jun 11 2004 John Johansen 1.0-22.6_imnx - move subdomain fs from /dev/subdomain to /subdomain * Thu Jun 10 2004 David Drewelow 1.0-22.4_imnx - Changed dependency from subdomain-module to subdomain-master * Fri May 7 2004 John Johansen 1.0-22.3_imnx - -C flag to force individual profiles to have into complain mode - turn off warning about having a bare x - profile abstraction updates