# ---------------------------------------------------------------------- # Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved) # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, contact Novell, Inc. # ---------------------------------------------------------------------- # norootforbuild # Check first to see if distro is already defined. # I hate rpm macros %if ! %{?distro:1}0 %if %{?suse_version:1}0 %define distro suse %endif %if %{?fedora_version:1}0 %define distro redhat %endif %endif %if ! %{?distro:1}0 %define distro suse %endif Summary: AppArmor userlevel parser utility. Name: apparmor-parser Version: @@immunix_version@@ Release: @@repo_version@@ Group: Applications/System Source0: %{name}-%{version}-@@repo_version@@.tar.gz License: GPL BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build Url: http://forge.novell.com/modules/xfmod/project/?apparmor Prereq: sed %if %{distro} == "suse" Prereq: %{insserv_prereq} aaa_base %endif BuildRequires: gcc-c++ Obsoletes: subdomain_parser subdomain-parser Obsoletes: subdomain-parser-demo subdomain-parser-common subdomain-leaf-cert Obsoletes: libimnxcert Provides: subdomain_parser subdomain-parser Provides: subdomain-parser-demo subdomain-parser-common subdomain-leaf-cert Provides: libimnxcert %define apparmor_bin_prefix /lib/apparmor BuildRequires: bison flex latex2html w3m %if 0%{?suse_version} > 1020 BuildRequires: texlive-latex %else BuildRequires: te_latex %endif %package -n apparmor-docs Summary: AppArmor documentation package Group: Applications/System Provides: subdomain-docs Obsoletes: subdomain-docs %description AppArmor Parser is a userlevel program that is used to load in program profiles to the AppArmor Security kernel module. This package is part of a suite of tools that used to be named SubDomain. %description -n apparmor-docs This package contains documentation for AppArmor. %prep %setup -q %build make clean all CFLAGS="${RPM_OPT_FLAGS}" make techdoc.txt %install make install DESTDIR=${RPM_BUILD_ROOT} \ MANDIR=%{_mandir} \ DISTRO=%{distro} \ APPARMOR_BIN_PREFIX=${RPM_BUILD_ROOT}%{apparmor_bin_prefix} %clean [ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc README COPYING.GPL /sbin/apparmor_parser %dir %attr(-, root, root) /etc/apparmor %if %{distro} == "suse" /sbin/rcsubdomain /sbin/rcapparmor /etc/init.d/boot.apparmor /sbin/rcaaeventd /etc/init.d/aaeventd %else /etc/init.d/apparmor /etc/init.d/aaeventd %endif %config(noreplace) /etc/apparmor/subdomain.conf %config(noreplace) /etc/apparmor/parser.conf /var/lib/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{_prefix}/share/locale/*/*/apparmor-parser.mo %doc %{_mandir}/man*/* %files -n apparmor-docs %defattr(-,root,root) %doc *.[1-9].html %doc common/apparmor.css %doc techdoc.pdf techdoc/techdoc.html techdoc/techdoc.css techdoc.txt %pre %if %{distro} == "redhat" || %{distro} == "rhel4" if [ -f /etc/init.d/subdomain ] ; then chkconfig --del subdomain fi %endif %post %if %{distro} == "suse" # SUSE uses insserv # For package renaming from subdomain -> apparmor # we check the existence of the AppArmor 1.1 and # AppArmor 1.2 based init script to help determine # whether we are upgrading SUBDOMAIN_PARSER_INSTALLED="no" if test -e /etc/init.d/boot.subdomain -o -e /etc/init.d/subdomain; then SUBDOMAIN_PARSER_INSTALLED="yes" fi if test "$1" == 1 -a $SUBDOMAIN_PARSER_INSTALLED = "no"; then %{insserv_force_if_yast boot.apparmor} elif test -e /etc/rc.d/boot.d/S??boot.subdomain -o \ -e /etc/rc.d/boot.d/S??boot.apparmor -o \ -e /etc/rc.d/rc3.d/S??subdomain ; then %{insserv_force_if_yast boot.apparmor} else %{fillup_and_insserv -f boot.apparmor} fi %endif %if %{distro} == "redhat" || %{distro} == "rhel4" chkconfig --add apparmor %endif %if %{distro} == "slackware" if grep -qs "# BEGIN rc.subdomain INSERTION" /etc/rc.d/rc.M ; then true ; else %{apparmor_bin_prefix}/install/frob_slack_rc --init fi if grep -qs "# BEGIN rc.subdomain INSERTION" /etc/rc.d/rc.K ; then true ; else %{apparmor_bin_prefix}/install/frob_slack_rc --shutdown fi %endif %preun if [ "$1" = 0 ] ; then %if %{distro} == "suse" %{stop_on_removal aaeventd} %{stop_on_removal boot.apparmor} %endif %if %{distro} == "redhat" || %{distro} == "rhel4" chkconfig --del aaeventd chkconfig --del apparmor %endif fi %postun %if %{distro} == "suse" %{insserv_cleanup} %endif %changelog * Thu Jan 24 2008 - jjohansen@suse.de - Fix parser to be able to load policy for multiple versions of AppArmor. * Wed Oct 17 2007 - dominic_r@mercenarylinux.com - Maintenance branch for AppArmor 2.1 * Mon Oct 1 2007 - steve@nxnw.org - Basic change_profile testcases, basic network rules testcases, testcases - around carat symbols and commas in file rules, and basic permission - modes first testcases from jjohansen@suse.de. * Mon Oct 1 2007 - steve@nxnw.org - lock mode bit tests from jjohansen@suse.de - Also, make 'check' toplevel target be an alias for 'tests' * Mon Oct 1 2007 - steve@nxnw.org - Append testcases from jjohansen@suse.de. * Fri Aug 31 2007 - sbeattie@suse.de - run initscript once on boot (suse only, #286749) * Fri Aug 17 2007 - sbeattie@suse.de - disable aaeventd before uninstall [#301418] * Fri Jul 27 2007 - sbeattie@suse.de - Allow inverted character classes in unquoted pathnames - Fix return code propogation in initscripts - Add change_profile support - Add basic network mediation - Add mediation modes for append-only and locks - Allow reverse ordered file permission rules * Sat Apr 21 2007 - aj@suse.de - Use texlive for building. * Fri Apr 13 2007 - sbeattie@suse.de - Resurrect apparmor-docs as subpackage of apparmor-parser - Add text version of techdoc * Wed Apr 11 2007 - sbeattie@suse.de - Include techdoc in package * Wed Apr 4 2007 - sbeattie@suse.de - rcapparmor: fix dpkg ignore check - rcapparmor: support apparmor built into kernel - rcapparmor: kill old cruft * Tue Apr 3 2007 - sbeattie@suse.de - Add manpages to package * Thu Mar 29 2007 - coolo@suse.de - BuildRequire flex and bison * Tue Mar 27 2007 - sbeattie@suse.de - Removed a couple of bashisms from initscripts * Fri Mar 23 2007 - sbeattie@suse.de - Added dfa matching code - add build dep on c++ compiler * Thu Jan 18 2007 - sbeattie@suse.de - Remove long obsolete editing of fstab * Tue Dec 12 2006 - sbeattie@suse.de - Fix from PLD people to make initscript more likely to work in other shells * Mon Nov 20 2006 - sbeattie@suse.de - use fclose();opendir() instead of fdopendir() - more translation updates - add defines for audit caps to compensate for older kernel headers * Fri Nov 10 2006 - sbeattie@suse.de - fix rc.aaeventd to depend on apparmor, not boot.apparmor (#214293) * Wed Nov 8 2006 - sbeattie@suse.de - Use kernel's capability defines rather than libcap * Wed Nov 8 2006 - ddrewelow@suse.de - pull translation updates from lcn * Wed Nov 8 2006 - jjohansen@suse.de - Add audit_write and audit_control capabilities (#218961) * Mon Nov 6 2006 - sbeattie@suse.de - /lib/lsb/init-functions provides killproc(), use it instead. * Sat Oct 28 2006 - olh@suse.de - boot.apparmor should start after boot.localfs (#215156) * Thu Oct 12 2006 - sbeattie@suse.de - get rid of /subdomain (#160020) * Tue Oct 10 2006 - sbeattie@suse.de - add support for #include'ing directories - updated i18n messages/other fixes * Fri Jul 28 2006 - olh@suse.de - make boot.localfs optional in boot.apparmor (#181972) * Mon Jun 05 2006 - sbeattie@suse.de - Add support for 'm' flag (mmap w/PROT_EXEC permission) (#175388) - Add Px and Ux flags to indicate to ld.so that sensitive environemnt variables should be filtered on exec() (#172061) The m, Px, and Ux flags are added in such a way that apparmor modules without corresponding support will just ignore them. - Fix segv if profiles directory does not exist (#160330) - Fix aaeventd initscript description (#172961) - Add check to verify module supports pcre - Add regression tests and run on every build - Other minor fixups * Fri May 26 2006 - schwab@suse.de - Don't strip binaries. * Thu Apr 27 2006 Steve beattie - Fix segv if profile dirs don't exist (#160330) * Tue Apr 11 2006 Steve Beattie - Move svn tree to novell forge; fixup build for new layout * Sat Apr 1 2006 Dominic Reynolds 2.0-7.5 - Fix upgrade problems (#156990) * Wed Mar 15 2006 Steve Beattie 2.0-7.4 - Obsoleted libimnxcert (#157450) * Fri Feb 10 2006 Steve Beattie 2.0-7.3 - Filter multiple slashes and trailing slashes in pathnames - Use RPM_OPT_FLAGS - A few s/SubDomain/AppArmor/ fixups in error messages * Sun Feb 5 2006 Steve Beattie 2.0-7 - Fix one last issue in initscript handling of whitespace (#141288) - Add libcap-devel dependency for newer SUSE distros - Fix shutting down aa-eventd - Add option to enable/disable aa-eventd - Disable owlsm warning if module doesn't support it * Fri Jan 27 2006 Steve Beattie 2.0-6 - s/none/securityfs/ in the initscript - add support for if {} else if {} - rename initscript to rc.apparmor - support /etc/apparmor.d - add buildrequires on libcap-devel * Wed Jan 25 2006 Dominic Reynolds 2.0-5.1 - Updated rc.subdomain.functions to reference newly named event daemon aa-eventd * Sun Jan 22 2006 Steve Beattie 2.0-5 - convert to fillupand_insserv macro, reenable apparmor by default - add prereq on aaa_base - remove initscript dependency on boot.ldconfig - Don't edit fstab on newer suse releases - Add build dependency on libcap-devel * Tue Jan 10 2006 Steve Beattie 2.0-4 - Add support for giving a filename on the parser command line - Some refactoring of code in prep for variable support. - Add svn repo to tarball - Rename service provided by initscript to apparmor - Initial set variable support - Restructure global policy list - Fix leaks found by valgrind - Restructure hats within profiles, detect duplicate hats - Add basic conditional statement support - Fix debug mode to not attempt to load policy - Fix initscript to handle profiles with spaces in their name #141288 * Wed Dec 14 2005 Steve Beattie 2.0-3 - Remove old-style change_hat definition support * Thu Dec 8 2005 Steve Beattie 2.0-2 - Fix references to old package name in .po files * Wed Dec 7 2005 Steve Beattie 2.0-1 - Reset version for inclusion in SUSE autobuild. * Wed Dec 7 2005 Steve Beattie 1.99-42 - Fix initscript to work with securityfs * Wed Nov 30 2005 Steve Beattie 1.99-41 - Rename package to apparmor-parser * Wed Nov 30 2005 Steve Beattie 1.99-40_imnx - Strip AALite. * Wed Nov 30 2005 Steve Beattie 1.99-39_imnx - Convert license to GPL * Tue Nov 29 2005 Steve Beattie 1.99-38_imnx - Make initscript use subdomain_status if available - Fixed up one last #include return code case - Stricter lexing on flags and hatnames - Fix -I to be additive, rather than reset include paths - Switch to lookup table for keywords in lexer - Remove deprecated code and interfaces - Fixup alignment warnings on ia64 - bzero pcre structure before compiling regex fix - kill parser_sysctl.c, merged into parser_interface.c - Add some additional compiler warnings, if available - Clean up getopt_long handling - Add support for securityfs, --subdomainfs option * Thu Nov 3 2005 Steve Beattie 1.99-37_imnx - Fix up small signed/unsigned issue. * Mon Oct 31 2005 Steve Beattie 1.99-36_imnx - Fix for potential pcre problem: CAN-2005-2491 #106209 * Thu Oct 27 2005 Steve Beattie 1.99-35_imnx - Fixed include handling to return an error code #129291 * Wed Oct 26 2005 Steve Beattie 1.99-34_imnx - Merge fixes over from shass-1.2 branch: - make sd-event-dispatch.pl be under rcsubdomain control. - add reload, force-reload, and try-restart options to initscript - jj's fix for include handling * Wed Oct 19 2005 Steve Beattie 1.99-33_imnx - Fix up dumb termination error on getopt_long arg. * Tue Sep 6 2005 Seth Arnold 1.99-32_imnx - move the abstractions/ and program-chunks/ to the profiles package * Fri Sep 2 2005 Steve Beattie - don't link full version against libimnxcert * Thu Sep 1 2005 Steve Beattie 1.99-26_imnx - Accept dos style line-endings. * Mon Aug 29 2005 Steve Beattie 1.99-25_imnx - Move subdomain to boot.subdomain to ensure earlier startup * Mon Aug 29 2005 Steve Beattie 1.99-24_imnx - add 'status' to initscript usage statement * Fri Aug 26 2005 Steve Beattie 1.99-23_imnx - Added common dependency on the subdomain-profiles package. * Wed Aug 24 2005 Steve Beattie 1.99-22_imnx - more merge from 1.2: - cleanup last of intl code changes - actually install rootcert.pem - Makefile cleanup * Wed Aug 24 2005 Steve Beattie 1.99-21_imnx - Merge from 1.2: - Allow debugging of profiles as non-root. - Other locale cleanup. - use %{_prefix} - Use PERROR in more locations. - Use a common po/Make.rules - Add beginnings of i18n support to the parser. * Tue Aug 23 2005 Steve Beattie 1.99-20_imnx - Fixup the rest of the libexec locations - Merge fixup from dreynolds: - Changed the bin_exec path to /usr/lib/subdomain from /usr/libexec/subdomain * Tue Aug 23 2005 Steve Beattie 1.99-19_imnx - switch to alternatives based selection between full and demo version * Wed Aug 10 2005 Steve Beattie 1.99-18_imnx - strip installed binaries * Tue Aug 9 2005 Steve Beattie 1.99-17_imnx - Fixup some message handling in the initscripts - Make demo package depend on meta-package subdomain-cert - keep buildcache quiet when reading from a pipe * Mon Aug 8 2005 Tony Jones 1.99-16_imnx - Fix for bug#3105 aalite parser occasionally segfaults (free/zero cached cert) - Free certtree/cachelist (cache) when parser quits * Fri Jul 22 2005 Steve Beattie 1.99-16_imnx - Split out parser-demo and parser-common packages * Tue Jul 12 2005 Steve Beattie 1.99-15_imnx - First cut at /etc/init.d/subdomain status * Mon Jul 11 2005 Steve Beattie 1.99-14_imnx - Better error messages on stop when non-root. * Mon Jul 11 2005 Steve Beattie 1.99-13_imnx - More liberal parsing of /etc/fstab * Wed Jul 6 2005 Steve Beattie 1.99-12_imnx - Fixes from tonyj: - allow parser to bypass the cache - change buildcache to pass strict option to libimnxcert * Thu Jun 23 2005 Steve Beattie 1.99-11_imnx - Add trigger for upgrading from subdomain_parser to subdomain-parser * Wed Jun 22 2005 Steve Beattie 1.99-10_imnx - Add /etc/apparmor/certs/ * Thu Jun 16 2005 Steve Beattie 1.99-9_imnx - Merge in the certificate handling code. - Merge in buildcache. * Fri May 20 2005 Steve Beattie 1.99-8_imnx - /etc/immunix -> /etc/apparmor * Mon Mar 29 2005 Steve Beattie 1.99-7_imnx - Don't statically link the parser. * Fri Mar 11 2005 Steve Beattie 1.99-6_imnx - Rename package to make it more consistent with the other packages. * Tue Mar 8 2005 Steve Beattie 1.99-5_imnx - Mark subdomain.conf as a config file. Sigh. - Move subdomain.conf to /etc/immunix, and fix initscripts to deal. * Sun Feb 20 2005 Seth Arnold 1.99-4_imnx - internal cleanups * Fri Feb 11 2005 Steve Beattie 1.99-3_imnx - Duh, reconfigure owlsm on restart as well, plus include updates * Mon Feb 7 2005 Steve Beattie 1.99-2_imnx - Add ability to configure owlsm in /etc/subdomain.conf * Fri Feb 4 2005 Seth Arnold 1.99-1_imnx - Reversion to 1.99 * Tue Jan 11 2005 Seth Arnold 1.2-16_imnx - Add some 64-bit paths to profiles * Wed Nov 17 2004 Steve Beattie 1.2-15_imnx - Sigh, rpm 4.0.3 doesn't support nest if's > 2 deep. - Fixups so package builds on RHEL3 - eliminate dupe abstraction/chunks. * Mon Nov 15 2004 Seth Arnold 1.2-14_imnx - remove generic inherit executable support in apache's DEFAULT_URI * Fri Nov 12 2004 Steve Beattie 1.2-13_imnx - Fix to rc.subdomain.functions (bug #2776) * Fri Nov 12 2004 Seth Arnold 1.2-12_imnx - gratuitious version bump to add changelog entry to apologize for the missing changelog entry two days earlier -- postfix profile fixes * Thu Nov 10 2004 Steve Beattie 1.2-11_imnx - Use make install to install the abstractions and chunks. * Wed Nov 10 2004 Steve Beattie 1.2-10_imnx - Refactored the initscripts * Tue Nov 9 2004 Steve Beattie 1.2-9_imnx - More slack stuff. * Sun Nov 7 2004 Steve Beattie 1.2-8_imnx - Initial infrastructure support for slack. * Fri Nov 5 2004 Seth Arnold 1.2-7_imnx - procmail and postfix additions * Fri Oct 29 2004 Seth Arnold 1.2-6_imnx - postfix proxymap * Tue Oct 26 2004 Seth Arnold 1.2-5_imnx - typo fix in initscrpit * Tue Oct 26 2004 Seth Arnold 1.2-3_imnx - new netdomain rules for squid, open all outgoing for ftp, add another specific rule for another web port. * Tue Oct 19 2004 Seth Arnold 1.2-3_imnx - setgid,setuid ngroups_max for postfix-bounce, private/bounce for qmgr * Wed Oct 13 2004 Seth Arnold 1.2-2_imnx - remove program-chunks/apache-subprofiles * Tue Oct 12 2004 Steve Beattie 1.2-1_imnx - Bump rev after shass-1.1 branch * Tue Oct 5 2004 Seth Arnold 1.0-47_imnx - restructure directories * Tue Sep 28 2004 John Johansen 1.0-46_imnx - fix incompatability between new hats and old interface * Mon Sep 27 2004 John Johansen 1.0-45_imnx - add quoted rules * Wed Sep 22 2004 John Johansen 1.0-44_imnx - fix buffer resizing bug - reduce amount of redundancy in passed data - split pcre regex, tail globs, and basic file rules to enable future kernel optimization * Fri Sep 17 2004 John Johansen 1.0-43_imnx - add back in the ioctl interface for conditional compiles against the F5 branch * Wed Sep 15 2004 John Johansen 1.0-42_imnx - remove the 2.6 ioctl module interface * Wed Sep 1 2004 John Johansen 1.0-41_imnx - Add the ability to nest hats inside a profile * Mon Aug 30 2004 Steve Beattie 1.0-40_imnx - Clean up copyright statements. * Mon Aug 23 2004 Steve Beattie 1.0-33_imnx - Fixed License: tag, stopped including obsolete license. * Fri Jul 23 2004 Steve Beattie 1.0-26_imnx - Small fix to portable API interface. * Wed Jul 21 2004 Steve Beattie 1.0-25_imnx - resurrect Red Hat style initscript * Wed Jul 21 2004 Steve Beattie 1.0-23_imnx - use distro specific init scripts * Wed Jul 21 2004 Steve Beattie 1.0-22.16_imnx - first attempt to make rpm portable to both SuSE and Red Hat * Tue Jul 20 2004 Steve Beattie 1.0-22.15_imnx - Merge in JJ's 64-bit clean interface * Wed Jun 23 2004 Seth Arnold 1.0-22.13_imnx - apache manual * Tue Jun 22 2004 Seth Arnold 1.0-22.12_imnx - modified user-custom/squid * Sat Jun 12 2004 John Johansen 1.0-22.7_imnx - fix segfault in parser - change rc.subdomain restart to compare loaded profiles to profiles in /etc/subdomain.d and remove the profiles that are loaded that are not in /etc/subdomain.d * Fri Jun 11 2004 John Johansen 1.0-22.7_imnx - update parser to get subdomain filesystem mnt point from /etc/fstab - add build-panic option to init script * Fri Jun 11 2004 John Johansen 1.0-22.6_imnx - move subdomain fs from /dev/subdomain to /subdomain * Thu Jun 10 2004 David Drewelow 1.0-22.4_imnx - Changed dependency from subdomain-module to subdomain-master * Fri May 7 2004 John Johansen 1.0-22.3_imnx - -C flag to force individual profiles to have into complain mode - turn off warning about having a bare x - profile abstraction updates