-------------------------------------------------------------------
Wed Aug 29 02:09:06 CEST 2007 - srarnold@suse.de

[ changes from mathiaz, sbeattie, seth.arnold, dreynolds ]
- ping network inet raw
- nscd network stream
- Ubuntu Launchpad bug #132468, nameservice abstraction resolv.conf
- Bug 241479 - Fix for usr.sbin.nscd profile
- Bug 287579 - doesn't allow access to /usr/share/X11 and other xorg
  directories
- Bug 288960 - nscd with nss_ldap and sasl/gss bind to ldap server failed
- Bug 295086 - abstractions/X lists /usr/X11R6
- abstractions fixes from Mathias Gug (Ubuntu)

-------------------------------------------------------------------
Mon Aug 20 03:55:00 CEST 2007 - dreynolds@suse.de

[ changes from mathiaz, sbeattie, seth.arnold, dreynolds ]
- Ubuntu Launchpad bug #132468: Nameservice abstraction should also
  include /var/run/resolvconf/resolv.conf:
- Fix to ntpd profile from Mathias Gug of Ubuntu.
- Bug 288470 - ntp profile rejects access to /var/lib/ntp/etc/localtime
- Updates for cupsd. Add inet|inet6 dgram|stream to nameservice
  abstraction

-------------------------------------------------------------------
Fri Aug 17 20:56:46 CEST 2007 - srarnold@suse.de

- Bug 288470 - ntp profile rejects access to /var/lib/ntp/etc/localtime
- Fix to ntpd profile from Mathias Gug of Ubuntu.
  (sbeattie)
- Launchpad bug #132468: Nameservice abstraction should also include
  /var/run/resolvconf/resolv.conf

-------------------------------------------------------------------
Tue Aug 7 15:31:28 CEST 2007 - dreynolds@suse.de

- Update klogd profile for locking permission 'k' to pid file

-------------------------------------------------------------------
Mon Aug 6 18:37:52 CEST 2007 - dreynolds@suse.de

- Updated profiles for network toggle mediation
- Added profile for avahi-daemon
- Added profile for cupsd to extras

-------------------------------------------------------------------
Tue Jun 12 00:56:41 CEST 2007 - srarnold@suse.de

- Postfix directories to new syntax

-------------------------------------------------------------------
Mon Jun 11 21:01:34 CEST 2007 - srarnold@suse.de

- Remove /usr/X11R6 references

-------------------------------------------------------------------
Mon Jun 11 20:29:01 CEST 2007 - srarnold@suse.de

- dhcpcd fixes
- resmgr fix

-------------------------------------------------------------------
Mon Jun 11 19:37:11 CEST 2007 - srarnold@suse.de

- Remove /opt/gnome references
- Remove /usr/X11R6 references
- Update to newer evolution version numbers
- Rename ethereal -> wireshark
- Create 64 bit version of gconfd-2

-------------------------------------------------------------------
Tue Jun 5 23:44:04 CEST 2007 - srarnold@suse.de

- Updates to ntpd from Mathias Gug

-------------------------------------------------------------------
Sat Jun 2 02:12:18 CEST 2007 - srarnold@suse.de

- Updates to ntpd and klogd from Mathias Gug
- Updates to httpd2-prefork from Steve Beattie

-------------------------------------------------------------------
Wed May 30 19:30:38 CEST 2007 - srarnold@suse.de

- Really check in Marius's update to syslog-ng.

-------------------------------------------------------------------
Tue May 29 20:39:28 CEST 2007 - srarnold@suse.de

- small update from Marius Tomaschewski for syslog-ng

-------------------------------------------------------------------
Fri May 25 23:46:11 CEST 2007 - srarnold@suse.de

- replace /proc/ with @{PROC} from sbeattie

-------------------------------------------------------------------
Wed May 23 00:23:44 CEST 2007 - srarnold@suse.de

- Bug 265775 - changes for kerberosclient profile [updated the
  abstraction]

-------------------------------------------------------------------
Thu May 17 01:48:54 CEST 2007 - srarnold@suse.de

- Bug 267933 - audit message about /var/lib/ntp/drift/ntp.drift.TEMP

-------------------------------------------------------------------
Wed May 16 22:51:43 CEST 2007 - srarnold@suse.de

- remove named (bind) and openldap (slapd) profiles, as they have been
  moved into their respective packages

-------------------------------------------------------------------
Sat Apr 21 00:42:04 CEST 2007 - srarnold@suse.de

- reorganize the tarball to match on-disk layout

-------------------------------------------------------------------
Fri Apr 13 18:36:10 CEST 2007 - sbeattie@suse.de

- Update/re-enable some profiles for dir handling changes

-------------------------------------------------------------------
Sat Mar 31 01:37:36 CEST 2007 - agruen@suse.de

- Update to version 2.0.2: DFA based kernel module.

-------------------------------------------------------------------
Tue Feb 6 00:20:44 CET 2007 - srarnold@suse.de

- Bug 157400 - default AppArmor profile for gaim too restrictive
- Bug 221998 - No NFS locks available: "kernel: lockd/statd: failed to
  create /var/lib/nfs/sm/: err=-2"
- Bug 225615 - apparmor rejects glibc AT_PLATFORM directories
- Bug 143281 - Insufficient settings in default profiles, at least for
  man & gaim:
- Bug 181253 - apparmor rejects access for sendmail to
  /var/lib/sendmail/statistics
- Bug 202095 - useradd / userdel profiles incomplete
- Bug 190079 - sendmail can't open control socket
- Bug 240734 - Applications using nss_ldap need to have access to
  ldap.secret

-------------------------------------------------------------------
Wed Jan 24 00:37:02 CET 2007 - srarnold@suse.de

- More fixes from Volker Kuhlmann
- /tmp symlink to /var/tmp for ntpd
- new (extras) profile for passwd
- xntpd W32Time authentication support
- named gss-tsig authentication support

-------------------------------------------------------------------
Wed Jan 3 22:26:40 CET 2007 - srarnold@suse.de

- extras/ fixes from Volker Kuhlmann
- sshd loginuid
- apache certs/keys
- postfix with permissions=paranoid

-------------------------------------------------------------------
Mon Dec 11 22:42:16 CET 2006 - srarnold@suse.de

- Newer postfix uses a session cache for TLS

-------------------------------------------------------------------
Mon Nov 27 23:23:33 CET 2006 - srarnold@suse.de

- Bug 220331 - syslog-ng cannot log news messages
- capability fowner, to change uid/gid of logfiles
- make /dev/log dependency explicit

-------------------------------------------------------------------
Tue Nov 21 19:16:49 CET 2006 - srarnold@suse.de

- Bug 220331 - syslog-ng cannot log news messages
- /var/log/** to mirror the old syslog profile

-------------------------------------------------------------------
Fri Nov 17 01:43:08 CET 2006 - srarnold@suse.de

- Bug 221567 - apparmor causes kernel
  lockup if there is any audit backlog
- remove netstat profile as it will trigger this bug easily
- Bug 221111 - ntpd needs access to /proc/net/if_inet6

-------------------------------------------------------------------
Mon Nov 13 22:59:46 CET 2006 - srarnold@suse.de

- Bug 219583 - rejecting w access for syslog-ng
  add /var/lib/*/dev/log access for chroot'd applications
- Bug 202095 - useradd / userdel profiles incomplete
  (extra profiles, but can't hurt to update -- thanks Christian Boltz)
- Bug 197186 - apparmor breaks openntpd

-------------------------------------------------------------------
Thu Nov 9 20:35:04 CET 2006 - srarnold@suse.de

- Bug 219580 - some programs require 'm' access to /etc/ld.so.cache

-------------------------------------------------------------------
Sat Nov 4 02:30:52 CET 2006 - srarnold@suse.de

- Bug 215207 - apparmor-profiles: lib-ld missing in the profile
- with 'm' "can be mapped executable" mode flag, no need for the ld
  profiles.
- so all ld.so profiles removed, change all 'Px' rules on loaders to
  'ix' rules, and remove the ldd profile.
- Needless whitespace in profiles
- Bug 178073 - AppArmor - postfix - smtp - directive smtp_generic_maps
- Bug 203557 - apparmor python abstraction should accept .egg files in
  site-packages
- new syslog-ng profile contributed by Christian Boltz
- new clamav profile contributed by Christian Boltz
- postfix/virtual improvements contributed by Christian Boltz

-------------------------------------------------------------------
Tue Jun 6 02:52:07 CEST 2006 - srarnold@suse.de

- Bug 175626 - /var/lib/ntp/etc/ntp.conf.iburst missing from ntpd
  profile
- new 'make check' and 'make check-install' targets (sbeattie)
- new 'm', 'Px', 'Ux' flags to address:
  - Bug 175388 - Profile access allows essentially execute permission
    when only read access is granted via usage of mmap system call.
  - Bug 172061 - LD_PRELOAD can be exploited to change the execution
    path across exec transitions

-------------------------------------------------------------------
Mon May 8 18:59:33 CEST 2006 - srarnold@suse.de

- Bug 168035 - apparmor-profiles: lib.ld-2.2.so takes no care of x86_64
  /lib/ld-2.4 -- s390x, ppc, ppc64, too
- Bug 172670 - postfix doesn't deliver mails anymore after update from
  SLES9

-------------------------------------------------------------------
Wed May 3 23:54:35 CEST 2006 - srarnold@suse.de

- Bug 167798 - misc profile modifications from darix
- mlmmj, lighttpd, oidentd profiles in extras/
- new postfix helpers (postfix profiles now in extras/)
- broken postfix smtpd alternation expansion
- factor abstractions/nameservice
- new python, ruby, php5 abstractions
- new web-data and svn-repositories data-centric abstractions
- svn:keywords to do proper attribution
- Bug 170154 - squid dies when setting auth_param basic program
  /usr/sbin/pam_auth
- also move squid to /etc/apparmor/profilex/extras
- Add some text to the extras/README describing how to turn postfix
  profiles on again, as an example

-------------------------------------------------------------------
Tue May 2 03:34:44 CEST 2006 - srarnold@suse.de

- Bug 165191 - named can't write slave zones
- Bug 168581 - readaccess to /proc/meminfo not granted to nscd -- add
  sysconf(3) files to abstractions/base
- Bug 167798 - misc profile modifications from darix -- mlmmj,
  lighttpd, oidentd profiles in extras/, new postfix helpers in
  complain mode (enabled), split apart nameservice a little (non
  destructively), add new abstractions for python, ruby, and php5, add
  web-data and svn-repositories data-centric abstractions

-------------------------------------------------------------------
Sat Apr 29 03:22:18 CEST 2006 - srarnold@suse.de

- Add a complain mode profile for postfix/pipe

-------------------------------------------------------------------
Sat Apr 29 01:45:07 CEST 2006 - srarnold@suse.de

- README
  describing what is in /etc/apparmor/profiles/extras
- glibc 2.4 loaders
- Bug 165116 - Problem to resolve hostnames from LDAP-Database
- Bug 168581 - readaccess to /proc/meminfo not granted to nscd
- Bug 159667 - Postfix SASL authentication fails with "no mechanism
  available"
- mdnsd writes to console

-------------------------------------------------------------------
Fri Apr 7 08:49:47 CEST 2006 - dreynolds@suse.de

- seth.arnold:
  - Fix for base (ntpd) - #164150
  - Fix for postfix.qmgr - #156446

-------------------------------------------------------------------
Wed Apr 5 15:48:30 CEST 2006 - varkoly@suse.de

- Fix for postfix/smtpd postfix/smtp
- New file usr.lib.postfix.anvil

-------------------------------------------------------------------
Tue Apr 4 22:11:10 CEST 2006 - srarnold@suse.de

- Fix for postfix/sasl (#159667)
- Fix for NIS/portmapper nameservice capabilities

-------------------------------------------------------------------
Mon Apr 3 05:58:02 CEST 2006 - dreynolds@suse.de

- Fix for postalias (#158689)
- a profile update for svnserve

-------------------------------------------------------------------
Mon Mar 27 15:23:11 CEST 2006 - jmichael@suse.de

- Allow named to write to /var/lib/named/dyn while chrooted in order to
  support dynamically updated zones - #157478

-------------------------------------------------------------------
Mon Mar 13 20:52:02 CET 2006 - srarnold@suse.de

- /usr/sbin/postfix /usr/sbin/sendmail ux, #156998
- /usr/lib/postfix/cleanup /etc/postfix/* r, #152706

-------------------------------------------------------------------
Mon Mar 13 09:30:09 CET 2006 - dreynolds@suse.de

- Fix for sendmail to add a px transition to usr.lib.postfix.smtpd
  (#156998)

-------------------------------------------------------------------
Thu Mar 9 20:36:54 CET 2006 - srarnold@suse.de

- new svnserve profile in extras (not enforcing), postfix ldap fixes
  #156091
- procmail now runs unconfined from postfix, sendmail

-------------------------------------------------------------------
Fri Mar 3 01:12:15 CET 2006 - srarnold@suse.de

- icon caches, fontconfig
- firefox fixes #154646
- Re-enable named, clarify tunables/home

-------------------------------------------------------------------
Mon Feb 13 05:40:16 CET 2006 - dreynolds@suse.de

- (seth.arnold@suse.de & sbeattie@suse.de)
- Re-enable sendmail, split apart traceroute
- Fix tunables/home to not emit multiple slashes
- Fix klogd per #143336

-------------------------------------------------------------------
Mon Feb 6 08:13:27 CET 2006 - sbeattie@suse.de

- (seth.arnold) /etc/apparmor.d/tunables/home
- (seth.arnold) slight re-org, some more use of variables

-------------------------------------------------------------------
Sun Jan 29 06:18:48 CET 2006 - sbeattie@suse.de

- Add svn repo number to tarball name
- Rename /etc/subdomain.d/ to /etc/apparmor.d/
- Add /lib/power5+/ to base for ppc (#146135)

-------------------------------------------------------------------
Wed Jan 25 21:45:45 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Mon Jan 23 08:25:35 CET 2006 - dreynolds@suse.de

- Removal of profiles referencing /home/.

-------------------------------------------------------------------
Fri Dec 9 08:02:55 CET 2005 - sbeattie@suse.de

- dreynolds: remove unused netdomain rules
- srarnold: allow read access to policy subdirs

-------------------------------------------------------------------
Thu Dec 8 08:38:43 CET 2005 - sbeattie@suse.de

- rename subdomain-profiles to apparmor-profiles
- Relicense package to GPL
- reset version to 2.0-1
- profile updates