[Pkg-sssd-devel] sssd: Changes to 'debian-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Wed Apr 25 17:14:44 UTC 2012
debian/apparmor-profile | 42 ++++++++++++++++++++++++++++++++++++++
debian/changelog | 18 ++++++++++++++--
debian/control | 1
debian/libpam-sss.pam-auth-update | 2 -
debian/rules | 9 ++++++++
debian/sssd.preinst | 15 +++++++++++++
debian/sssd.upstart.in | 1
7 files changed, 85 insertions(+), 3 deletions(-)
New commits:
commit eeb4a76810f5039d6d88025eb107a7d518546ab9
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 25 20:14:39 2012 +0300
rules: Mangle the date stamp on pam_sss.8
so that the compressed file is identical across all archs. (Closes: #670019)
diff --git a/debian/changelog b/debian/changelog
index e36af35..b95498c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,8 @@ sssd (1.8.2-1) UNRELEASED; urgency=low
- debian/control: sssd Suggests apparmor (>= 2.3)
- debian/sssd.preinst: disable profile on clean install or upgrades
from earlier than when we shipped the profile
+ * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is
+ identical across all archs. (Closes: #670019)
-- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 04 Apr 2012 11:40:40 +0300
diff --git a/debian/rules b/debian/rules
index c33f990..6753c85 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,6 +5,10 @@
APIDOCDIR = /usr/share/sssd
DISTRIBUTION = $(shell lsb_release -i | sed 's/.*:\t//')
INIT = init
+PKGDATE = $(shell dpkg-parsechangelog | \
+ awk -F" " '/^Date/ { print $$4 "/" $$3 "/" $$5 }' | \
+ sed 's/Jan/01/;s/Feb/02/;s/Mar/03/;s/Apr/04/;s/May/05/;s/Jun/06/;s/Jul/07/;s/Aug/08/;s/Sep/09/;s/Oct/10/;s/Nov/11/;s/Dec/12/;s/\//\\\//g')
+CURDATE = $(shell date +%m/%e/%Y | sed 's/\//\\\//g')
ifeq ($(DISTRIBUTION), Ubuntu)
INIT = upstart
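Review bot: `CURDATE` is built with `date +%m/%e/%Y`, and `%e` pads the day with a space, while `PKGDATE` takes the zero-padded day straight from the changelog `Date:` field. On days 1–9 the pattern becomes something like `04/ 5/2012`, which will probably not match the stamp in pam_sss.8 (the page's date format is not visible here), so the `sed -i` in the next hunk would silently change nothing and the arch-dependent stamp would survive. `date +%m/%d/%Y` keeps both sides in the same format. Both variables also use recursive `=`, so the `$(shell …)` runs at each expansion; `CURDATE := …` evaluated once at parse time is more predictable, although a build that crosses midnight can still miss the match.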
@@ -43,6 +47,8 @@ override_dh_install:
dh_install --fail-missing
+ sed -i 's/${CURDATE}/${PKGDATE}/g' $(CURDIR)/debian/tmp/usr/share/man/man8/pam_sss.8
+
override_dh_python2:
dh_python2 --no-guessing-versions
commit ffc48c725338c4f51c81ee011a0ffb2fa74bfe38
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 25 10:30:24 2012 +0300
drop use_authtok from the password stack
diff --git a/debian/changelog b/debian/changelog
index 5837d45..e36af35 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,8 +17,12 @@ sssd (1.8.2-1) UNRELEASED; urgency=low
* control: sssd works with Heimdal gssapi modules too, add
libsasl2-modules-gssapi-mit as an option for the Recommends.
(LP: #966146)
- * libpam-sss.pam-auth-update: Drop the dependency to 128, since pam_sss
- should always be below pam_unix. (LP: #957486)
+ * libpam-sss.pam-auth-update:
+ - Drop the dependency to 128, since pam_sss should always be below
+ pam_unix. (LP: #957486)
+ - Drop 'use_authtok' from the password stack, since it only works when
+ pam_cracklib is installed. This will allow password changes on the
+ default install.
* sssd.postrm: Try to remove /etc/sssd only if it exists.
(Closes: #666226)
* Add disabled by default Apparmor profile (LP: #933342)
diff --git a/debian/libpam-sss.pam-auth-update b/debian/libpam-sss.pam-auth-update
index 21fcc3c..c6948b8 100644
--- a/debian/libpam-sss.pam-auth-update
+++ b/debian/libpam-sss.pam-auth-update
@@ -13,7 +13,7 @@ Account:
[default=bad success=ok user_unknown=ignore] pam_sss.so
Password-Type: Primary
Password:
- sufficient pam_sss.so use_authtok
+ sufficient pam_sss.so
Password-Initial:
sufficient pam_sss.so
Session-Type: Additional
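Review bot: Removing `use_authtok` from the `Password:` block also changes behaviour on systems that do have pam_cracklib or another quality-checking module stacked ahead of pam_sss. As the option is documented, `use_authtok` is what makes pam_sss take the new password from the previously stacked module. Without it pam_sss may prompt on its own, and the password sent to the directory is then not necessarily the one that passed the local quality check. The changelog entry only describes the default-install case; it should also state this trade-off so that admins who rely on local password-quality enforcement know to re-add the option.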
commit 5bada08bdf37124747bdcf3e942ef51f30e6ccf9
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 25 10:24:30 2012 +0300
add disabled by default Apparmor profile
diff --git a/debian/apparmor-profile b/debian/apparmor-profile
new file mode 100644
index 0000000..83ff96a
--- /dev/null
+++ b/debian/apparmor-profile
@@ -0,0 +1,42 @@
+#include <tunables/global>
+
+/usr/sbin/sssd {
+ #include <abstractions/base>
+ #include <abstractions/kerberosclient>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+ capability sys_nice,
+
+ @{PROC} r,
+ @{PROC}/[0-9]*/status r,
+
+ /etc/krb5.keytab k,
+ /etc/ldap/ldap.conf r,
+ /etc/localtime r,
+ /etc/shells r,
+ /etc/sssd/sssd.conf r,
+
+ /usr/sbin/sssd rmix,
+ /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
+ /usr/lib/sssd/sssd/* rix,
+
+ /tmp/{,.}krb5cc_* rwk,
+
+ /var/lib/sss/* rw,
+ /var/lib/sss/db/* rwk,
+ /var/lib/sss/pipes/* rw,
+ /var/lib/sss/pipes/private/* rw,
+ /var/lib/sss/pubconf/* rw,
+ /var/log/sssd/* rw,
+ /var/tmp/host_* rw,
+
+ /{,var/}run/sssd.pid rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.sssd>
+}
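Review bot: The profile grants `capability dac_override` and `capability dac_read_search` without a comment saying which accesses need them. Because `/usr/lib/sssd/sssd/* rix` uses inherit-execute, every helper started from that directory runs with the same capabilities and file rules as the main daemon. A one-line comment above the capability block naming the concrete reason for each broad capability would let a later reviewer judge whether it can be dropped. The same applies to `/tmp/{,.}krb5cc_* rwk` and `/var/tmp/host_* rw`, which open write access in world-writable directories. Separate child profiles for the helpers would be the tighter follow-up if their needs differ.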
diff --git a/debian/changelog b/debian/changelog
index b89086b..5837d45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,14 @@ sssd (1.8.2-1) UNRELEASED; urgency=low
should always be below pam_unix. (LP: #957486)
* sssd.postrm: Try to remove /etc/sssd only if it exists.
(Closes: #666226)
+ * Add disabled by default Apparmor profile (LP: #933342)
+ - debian/sssd.upstart.in: load the profile during pre-start
+ - add debian/apparmor-profile, install to /etc/apparmor.d
+ - debian/rules: use dh_apparmor to install profile before sssd is
+ restarted
+ - debian/control: sssd Suggests apparmor (>= 2.3)
+ - debian/sssd.preinst: disable profile on clean install or upgrades
+ from earlier than when we shipped the profile
-- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 04 Apr 2012 11:40:40 +0300
diff --git a/debian/control b/debian/control
index abab392..f791c0a 100644
--- a/debian/control
+++ b/debian/control
@@ -51,6 +51,7 @@ Recommends: ldap-utils,
libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal,
libsasl2-modules-ldap,
Suggests:
+ apparmor,
sssd-tools,
Description: System Security Services Daemon
Provides a set of daemons to manage access to remote directories and
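Review bot: The added `apparmor,` has no version constraint, but the changelog entry in this same commit reads `debian/control: sssd Suggests apparmor (>= 2.3)`. Either write `apparmor (>= 2.3),` here or correct the changelog line so the two agree. Otherwise the package metadata does not record the minimum version the profile was written against.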
diff --git a/debian/rules b/debian/rules
index 33c1c1d..c33f990 100755
--- a/debian/rules
+++ b/debian/rules
@@ -30,6 +30,8 @@ override_dh_install:
mkdir -p $(CURDIR)/debian/libpam-sss/usr/share/pam-configs
install -m644 debian/libpam-sss.pam-auth-update \
$(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss
+ install -D $(CURDIR)/debian/apparmor-profile \
+ $(CURDIR)/debian/sssd/etc/apparmor.d/usr.sbin.sssd
cat $(CURDIR)/debian/sssd.$(INIT).in > $(CURDIR)/debian/sssd.$(INIT)
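Review bot: The added `install -D` passes no `-m`, so the profile is staged under `etc/apparmor.d/` with install's default mode 0755, while the pam-config two lines above uses `install -m644`. Unless a later helper normalises it, the package ships an executable conffile. Making the mode explicit avoids that: `install -D -m644 $(CURDIR)/debian/apparmor-profile \`. The `override_dh_install` recipe begins and continues outside this hunk.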
@@ -45,6 +47,7 @@ override_dh_python2:
dh_python2 --no-guessing-versions
override_dh_installinit:
+ dh_apparmor -psssd --profile-name=usr.sbin.sssd
dh_installinit --error-handler=invoke_failure
override_dh_auto_clean:
diff --git a/debian/sssd.preinst b/debian/sssd.preinst
index 3ea187f..b56b578 100755
--- a/debian/sssd.preinst
+++ b/debian/sssd.preinst
@@ -23,8 +23,20 @@ rm_conffile() {
fi
}
+disable_profile() {
+ APP_CONFFILE="/etc/apparmor.d/usr.sbin.sssd"
+ APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.sssd"
+ # Create a symlink to the yet-to-be-unpacked profile
+ if [ ! -e "$APP_CONFFILE" ]; then
+ mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
+ ln -sf $APP_CONFFILE $APP_DISABLE
+ fi
+}
+
case "$1" in
install)
+ # Disable AppArmor profile on install
+ disable_profile
;;
upgrade)
if dpkg --compare-versions "$2" le "1.0.5-1"; then
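Review bot: In `disable_profile`, `mkdir -p … 2>/dev/null || true` discards both the error message and the exit status, so a failure to create `/etc/apparmor.d/disable` only shows up as a failing `ln -sf` on the next line. Depending on whether the script runs under `set -e` (not visible in this hunk), that either aborts the preinst with no useful message or leaves the profile enabled even though it is meant to ship disabled. Let the failure show and quote the expansions: `mkdir -p "$(dirname "$APP_DISABLE")"` and `ln -sf "$APP_CONFFILE" "$APP_DISABLE"`. It would also help to extend the function's comment to explain the `[ ! -e "$APP_CONFFILE" ]` guard, which leaves an admin's existing choice alone when the profile is already on disk.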
@@ -36,6 +48,9 @@ upgrade)
rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-krb5.conf"
rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-ldap.conf"
fi
+ if dpkg --compare-versions "$2" lt "1.8.2-1"; then
+ disable_profile
+ fi
;;
esac
diff --git a/debian/sssd.upstart.in b/debian/sssd.upstart.in
index fdbf4cc..ef5bc9e 100644
--- a/debian/sssd.upstart.in
+++ b/debian/sssd.upstart.in
@@ -17,6 +17,7 @@ env DEFAULTFILE=/etc/default/sssd
pre-start script
test -f /etc/sssd/sssd.conf || { stop; exit 0; }
+ /lib/init/apparmor-profile-load usr.sbin.sssd
end script
script
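Review bot: The added `/lib/init/apparmor-profile-load usr.sbin.sssd` line states no failure policy, although apparmor is only a Suggests in debian/control. If the helper is absent or returns non-zero, the pre-start script would presumably abort and sssd would not start, assuming upstart runs the script with errexit. If that fail-closed behaviour is intended, document it with a comment above the line such as `# fail closed: do not start sssd when its profile cannot be loaded`. If it is not intended, the script should handle a missing helper explicitly rather than leave the outcome to the shell flags.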