apparmor: Several fixes

This update fixes the following issues with apparmor:
- NOTE: Please consider a reboot after installing the update to resolve bnc#853019
- bnc#853019: %restart_on_update (in parser %postun) is "translated" to stop/start by the systemd wrapper, which removes AppArmor protection from running processes. Fixed by using a custom script instead
+ NOTE: The %postun from the previously installed apparmor-parser package will remove AppArmor protection from running processes a last time. Run aa-status to get a list of processes you need to restart, or reboot your computer.
- reload profiles in %post of the apparmor-profiles package
- bnc#851984:
+ update dovecot profiles to support dovecot 2.x, and add profiles for the parts of dovecot that were not covered yet.
+ do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary
+ add abstractions/mysql
+ allow execution of some more /usr/lib/dovecot/* binaries
+ better restrict access to /var/spool/postfix/private/
+ NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
- allow reading mysql config files
- add abstractions/nameservice instead of allowing more and more files
- bnc#856651: allow samba to mkdir /var/run/samba and /var/cache/samba
- add abstractions/samba to usr.sbin.winbindd profile
- bnc#851131: add capabilities ipc_lock and setuid to usr.sbin.winbindd profile
- add Recommends: net-tools to apparmor-utils (needed by aa-unconfined)
- allow dnsmasq to read config created by recent NetworkManager
- bnc#852018: allow access to certificates in /var/lib/ca-certificates/
- bnc#850374: updated driftfile location for ntpd
- allow access to pid file and supplemental config directory
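
For the bnc#853019 note above, the processes that need a restart are the ones aa-status lists as unconfined although a profile exists for them. The following is an added example, not part of the update or of the AppArmor tools; the function names and the sample report are constructed, and it assumes the usual aa-status text layout of count headings followed by indented `binary (pid)` lines.

```shell
#!/bin/sh
# Added example: extract the processes that aa-status reports as
# "unconfined but have a profile defined", i.e. the ones to restart.

# Reads an aa-status report on stdin, prints "<pid> <binary>" per process.
unconfined_with_profile() {
    awk '
        # A line starting with a count opens a new section of the report.
        /^[0-9]+ / {
            in_section = ($0 ~ /processes are unconfined but have a profile defined/)
            next
        }
        # Indented entries in that section look like "   /usr/sbin/ntpd (1234)".
        in_section && /^[ \t]+/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /\([0-9]+\)/)) {
                pid = substr(line, RSTART + 1, RLENGTH - 2)
                bin = substr(line, 1, RSTART - 1)
                sub(/[ \t]+$/, "", bin)
                print pid, bin
            }
        }
    '
}

# Constructed sample report (not captured from a real system).
sample_status() {
    cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/dnsmasq
   /usr/sbin/ntpd
   /usr/sbin/winbindd
0 profiles are in complain mode.
3 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (1201)
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/dnsmasq (1342)
   /usr/sbin/winbindd (1377)
EOF
}

# Demo on the sample; on a real system run: aa-status | unconfined_with_profile
sample_status | unconfined_with_profile
```

An empty result after restarting the listed services (or rebooting) means no profiled process is left running unconfined.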

Fixed bugs
- bnc#850374: Apparmor config keeps ntpd from updating /var/lib/ntp/drift/driftfile.TEMP
- bnc#851131: AppArmor prevents winbind from working correctly
- bnc#851984: After update (zypper dup) AppArmor profiles for dovecot have to be manually removed to make dovecot work
- bnc#852018: missing path for ssl-certs in apparmor-profiles package
- bnc#853019: %restart_on_update boot.apparmor + systemd wrapper considered harmful
- bnc#856651: Update to 4.1.3-3.12.1 broken. Samba cannot write its PID file anymore