From: Jeff Mahoney <jeffm@suse.com>

Subject: profiles: Add openssl abstraction References: bnc#623886 Profiles that use openssl have been adding the openssl files piecemeal. This patch creates a new openssl abstraction that can be inherited by all profiles that use it. Signed-off-by: Jeff Mahoney <jeffm@suse.com> Patch for - profiles/apparmor.d/abstractions/ssl_certs - profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork (second chunk) updated by Christian Boltz <apparmor@cboltz.de> (didn't apply to trunk) Acked-By: Steve Beattie <sbeattie@ubuntu.com> Copyright header in profiles/apparmor.d/abstractions/openssl added by Christian Boltz <apparmor@cboltz.de>
2025-08-30 22:05:27 +00:00 · 2011-08-08 22:22:03 +02:00
parent 663698c7a6
commit b5e525b251
8 changed files with 20 additions and 6 deletions
--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /etc/ssl/openssl.cnf r,
+  /usr/share/ssl/openssl.cnf r,
+
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -14,5 +14,6 @@
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/ r,
  /usr/share/ca-certificates/** r,
+  /usr/share/ssl/certs/ca-bundle.crt          r,
  /usr/local/share/ca-certificates/ r,
  /usr/local/share/ca-certificates/** r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
@@ -15,6 +15,7 @@
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <program-chunks/postfix-common>
+  #include <abstractions/openssl>

  capability dac_override,
  capability dac_read_search,
@@ -38,7 +39,6 @@
  /etc/postfix/{ssl/,}*.pem                   r,
  /etc/postfix/prng_exch                      rw,
  /usr/share/ssl/certs/ca-bundle.crt          r,
-  /usr/share/ssl/openssl.cnf                  r,
  /etc/postfix/virtual.db                     r,
  /etc/postfix/sasl_passwd.db                 r,
  /etc/mtab                                   r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
@@ -15,6 +15,7 @@
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <program-chunks/postfix-common>
+  #include <abstractions/openssl>

  capability dac_override,
  capability dac_read_search,
@@ -43,7 +44,6 @@
  /usr/lib/sasl2/*                            mr,

  /usr/share/ssl/certs/ca-bundle.crt          r,
-  /usr/share/ssl/openssl.cnf                  r,

  /{var/spool/postfix/,}pid/inet.*               rw,
  /{var/spool/postfix/,}private/anvil            w,
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
@@ -17,6 +17,7 @@
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
+  #include <abstractions/openssl>

  capability kill,
  capability net_bind_service,
@@ -83,7 +84,6 @@
  /usr/share/snmp/mibs r,
  /usr/share/snmp/mibs/*.{txt,mib} r,
  /usr/share/snmp/mibs/.index wr,
-  /usr/share/ssl/openssl.cnf r,
  /{run,var}/lock/httpd2.lock.* wl,
  /var/log/apache2/* rwl,
  /var/log/httpd/ssl_scache.dir r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
@@ -15,10 +15,10 @@
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  #include <abstractions/user-mail>
+  #include <abstractions/openssl>

  /dev/urandom                              r,
  /tmp/*                                    rwl,
  /usr/sbin/imapd                           r,
  /usr/share/ssl/certs/imapd.pem            r,
-  /usr/share/ssl/openssl.cnf                r,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
@@ -15,10 +15,10 @@
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  #include <abstractions/user-mail>
+  #include <abstractions/openssl>

  /dev/urandom                           r     ,
  /tmp/.*                                rwl   ,
  /usr/sbin/ipop2d                       rmix,
  /usr/share/ssl/certs/ipop2d.pem        r     ,
-  /usr/share/ssl/openssl.cnf             r     ,
 }
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
@@ -15,10 +15,10 @@
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  #include <abstractions/user-mail>
+  #include <abstractions/openssl>

  /dev/urandom                           r     ,
  /tmp/.*                                rwl   ,
  /usr/sbin/ipop3d                       rmix,
  /usr/share/ssl/certs/ipop3d.pem        r     ,
-  /usr/share/ssl/openssl.cnf             r     ,
 }