[Pkg-openldap-devel] Bug#488409: patch for compatibility with apparmor

Steve Langasek vorlon at debian.org
Sat Jun 28 17:36:16 UTC 2008


Package: openldap2.3
Version: 2.4.9-1
Severity: wishlist
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu ubuntu-patch intrepid

The attached patch has been applied to the Ubuntu openldap2.3 source
package, for compatibility with apparmor.  Without this patch, applying an
apparmor policy to slapd causes all of slap* to break, because these are
installed as symlinks and as a result the same apparmor policy is applied to
them when it shouldn't be - preventing, e.g., using slapadd/slapcat to
read/write to an ldif in a user's home directory.

The following explanation is provided in the changelog:

  - debian/rules, debian/slapd.links: use hard links to slapd instead of
    symlinks for slap* so these applications aren't confined by apparmor
    (LP: #203898)

Should we incorporate this patch into the Debian package?  FWIW, the Ubuntu
openldap2.3 package has been patched somewhat extensively for apparmor
support, but given that Debian doesn't support apparmor I don't see the
point in bloating the package with a bunch of apparmor code; whereas I can't
see anything that would be a problem with switching the symlinks to hard
links, since we're maintaining a static list of them either way.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
diff -u openldap2.3-2.4.9/debian/slapd.links openldap2.3-2.4.9/debian/slapd.links
--- openldap2.3-2.4.9/debian/slapd.links
+++ openldap2.3-2.4.9/debian/slapd.links
@@ -3,8 +2,0 @@
-usr/sbin/slapd usr/sbin/slapacl
-usr/sbin/slapd usr/sbin/slapadd
-usr/sbin/slapd usr/sbin/slapauth
-usr/sbin/slapd usr/sbin/slapcat
-usr/sbin/slapd usr/sbin/slapdn
-usr/sbin/slapd usr/sbin/slapindex
-usr/sbin/slapd usr/sbin/slappasswd
-usr/sbin/slapd usr/sbin/slaptest
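Review bot: with all eight slap* entries removed from debian/slapd.links, nothing in the packaging metadata says any longer that these tools are links to slapd or where they are now created. Suggest recording the move where a maintainer will look for it, either next to the loop in debian/rules or in this file if the debhelper version in use accepts comments there, so a later cleanup does not re-add the entries as symlinks and put the tools back under the slapd profile.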
diff -u openldap2.3-2.4.9/debian/rules openldap2.3-2.4.9/debian/rules
--- openldap2.3-2.4.9/debian/rules
+++ openldap2.3-2.4.9/debian/rules
@@ -33,6 +33,7 @@
 installdir	:= $(CURDIR)/debian/install
 tmpdir		:= $(CURDIR)/debian/tmp
 builddir	:= $(CURDIR)/debian/build
+slapddir	:= $(CURDIR)/debian/slapd/usr/sbin
 
 MAKEVARS	:= DESTDIR=$(installdir) STRIP=
 
@@ -149,6 +153,12 @@
 	dh_strip -pslapd --dbg-package=slapd-dbg
 	dh_strip -pldap-utils
 	dh_link -a
+
+	# hardlink these so not confined by apparmor
+	for f in slapacl slapadd slapauth slapcat slapdn slapindex slappasswd slaptest ; do \
+	    ln -f $(slapddir)/slapd $(slapddir)/$$f ; \
+	done ;
+
 	dh_compress -a
 	dh_fixperms -a
 	# ideally we would do this and not have any libldap-2.4.so.2 links
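Review bot: the loop added after `dh_link -a` has no failure check. Unless the recipe shell runs with -e, the `for` returns only the status of its last iteration, so a failed `ln -f $(slapddir)/slapd $(slapddir)/$$f` for slapacl followed by a successful one for slaptest lets the build continue and ship a package missing that tool, which debian/slapd.links no longer provides either. Suggest `ln -f ... || exit 1` inside the loop, or `set -e;` in front of the `for`. The tool list is also a bare literal in the recipe now; a variable defined beside slapddir would keep the static list in one visible place, and the comment could state that hard links are used because the symlinks resolve to slapd and pick up its profile.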

