#
# spec file for package apparmor-profiles-nordisch
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# Build conditionals. bcond_without X makes feature X default to enabled,
# bcond_with X makes it default to disabled.
#
# apparmor4: enabled when the pkg_vcmp check reports apparmor-profiles at
# version 4 or newer. It gates the disable/ symlink handling in the build
# section and the matching entries in the desktop file list.
%if %{pkg_vcmp apparmor-profiles >= 4}
%bcond_without apparmor4
%else
%bcond_with apparmor4
%endif
# apparmor_reload: enabled for suse_version above 1320. It gates the
# BuildRequires on apparmor-rpm-macros and every post-install profile reload.
%if 0%{?suse_version} > 1320
%bcond_without apparmor_reload
%else
%bcond_with apparmor_reload
%endif
# needs_php_fpm_apparmor: disabled for suse_version 1550 and later or
# sle_version 150600 and later, enabled everywhere else. When disabled, the
# php-fpm-nordisch profile is deleted in the build section and excluded from
# the php-fpm-apparmor file list.
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
%bcond_with needs_php_fpm_apparmor
%else
%bcond_without needs_php_fpm_apparmor
%endif
# Main package: ships the irssi, ejabberdctl, epmd, oidentd and pgbouncer
# profiles (see its file list) and pulls in the shared abstractions.
Name: apparmor-profiles-nordisch
# NOTE(review): the +git33.e7b8bb1 suffix looks like a commit count and short
# hash of the profile repository - confirm. No Source tag is declared; the
# prep section takes the tree from the source directory as it finds it.
Version: 1.3.0+git33.e7b8bb1
Release: 0
Summary: Apparmor profile from my systems
License: AGPL-3.0
Group: Productivity/Security
Url: https://nordisch.org/
# rsync copies the profile and unit trees into the buildroot at install time.
BuildRequires: rsync
# ruby is only referenced from commented-out build steps in this spec;
# presumably the postprocess macro still needs it - TODO confirm.
BuildRequires: ruby
BuildRequires: systemd-rpm-macros
%if %{with apparmor_reload}
BuildRequires: apparmor-rpm-macros
%endif
# The distribution profiles must be installed at build time: the build section
# checks this tree against /etc/apparmor.d and creates symlinks into it.
BuildRequires: apparmor-profiles
# bumped for AA4 support
BuildRequires: packaging-apparmor >= 0.0.3
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
BuildArch: noarch
%description
Apparmor profiles for various apps and packages
%package abstractions
# Shared abstractions that the profile subpackages in this spec depend on.
Group: Productivity/Security
# requires_eq is understood to tie this subpackage to the exact
# apparmor-abstractions version present at build time - confirm against the
# macro definition in use.
%requires_eq apparmor-abstractions
#
Summary: Abstractions shared among my profiles
%description abstractions
Abstractions shared among my profiles
%package -n php-fpm-apparmor
# Base php-fpm profile package; application sub-profiles are dropped into
# /etc/apparmor.d/php-fpm.d/ by the PHP application subpackages.
Group: Productivity/Security
#
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
Summary: Apparmor profile for php-fpm
%description -n php-fpm-apparmor
Apparmor profiles for php-fpm. Just drop your subprofile into
/etc/apparmor.d/php-fpm.d/
%package -n nginx-apparmor
# Profile for nginx; depends on the shared abstractions at the same or a newer
# version-release.
Group: Productivity/Security
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
#
Summary: Apparmor profile for nginx
%description -n nginx-apparmor
Apparmor profile for nginx
%package -n redis-apparmor
# Profile for redis with per-instance sub-profiles under redis.d/ and systemd
# drop-ins for the redis template units (see its file list).
Group: Productivity/Security
#
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
Summary: Apparmor profile for redis
%description -n redis-apparmor
Apparmor profiles for redis. Just drop your subprofile into
/etc/apparmor.d/redis.d/
Based on the templates found in the same directory.
%package -n discourse-apparmor
# Profile for discourse; its file list also ships systemd drop-in directories.
Group: Productivity/Security
#
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
Summary: Apparmor profile for discourse
%description -n discourse-apparmor
Apparmor profile for discourse activated with global override files
%package -n gitlab-apparmor
# Profile for gitlab; its file list also ships systemd drop-in directories and
# a tunables file.
Group: Productivity/Security
#
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
Summary: Apparmor profile for gitlab
%description -n gitlab-apparmor
Apparmor profile for gitlab activated with global override files
%package -n nextcloud-apparmor
# PHP application profile: shipped as a sub-profile under php-fpm.d/, hence
# the dependency on php-fpm-apparmor instead of the abstractions directly.
Group: Productivity/Security
#
Requires: php-fpm-apparmor >= %{version}-%{release}
Summary: Apparmor profile for nextcloud
%description -n nextcloud-apparmor
Apparmor profile for nextcloud
%package -n roundcubemail-apparmor
# PHP application profile: shipped as a sub-profile under php-fpm.d/, hence
# the dependency on php-fpm-apparmor.
Group: Productivity/Security
#
Requires: php-fpm-apparmor >= %{version}-%{release}
Summary: Apparmor profile for roundcubemail
%description -n roundcubemail-apparmor
Apparmor profile for roundcubemail
%package -n tt-rss-apparmor
# PHP application profile under php-fpm.d/ plus a separate profile for the
# tt-rss update daemon (see its file list).
Group: Productivity/Security
#
Requires: php-fpm-apparmor >= %{version}-%{release}
Summary: Apparmor profile for tt-rss
%description -n tt-rss-apparmor
Apparmor profile for tt-rss
%package -n forked-daapd-apparmor
# Stand-alone service profile; depends on the shared abstractions at the same
# or a newer version-release.
Group: Productivity/Security
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
#
Summary: Apparmor profile for forked-daapd
%description -n forked-daapd-apparmor
Apparmor profile for forked-daapd
%package -n minio-apparmor
# Stand-alone service profile; the file list reserves local overrides for the
# server and for the client names minio-client and minio-mc.
Group: Productivity/Security
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
#
Summary: Apparmor profile for minio
%description -n minio-apparmor
Apparmor profile for minio
%package -n matrix-apparmor
# Service profile plus a systemd drop-in directory for matrix-synapse.service.
Group: Productivity/Security
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
#
Summary: Apparmor profile for matrix
%description -n matrix-apparmor
Apparmor profile for matrix
%package -n tmate-ssh-server-apparmor
# Stand-alone service profile for tmate-ssh-server.
Group: Productivity/Security
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
#
Summary: Apparmor profile for tmate-ssh-server
%description -n tmate-ssh-server-apparmor
Apparmor profile for tmate-ssh-server
%package -n openssh-apparmor
# Profile for the SSH daemon. Its post-install scriptlet warns that a login
# shell missing from local/sshd_child can lock the administrator out, so this
# package deserves a tested rollout.
Group: Productivity/Security
Requires: apparmor-profiles-nordisch-abstractions >= %{version}-%{release}
#
Summary: Apparmor profile for openssh
%description -n openssh-apparmor
Apparmor profile for openssh.
%prep
# The spec declares no Source tag. The already unpacked tree named after
# name-version is moved from the source directory into the build directory.
# NOTE(review): presumably a source service places that tree there; nothing in
# this spec verifies its origin or integrity - confirm how it is produced.
mv %{_sourcedir}/%{name}-%{version} %{_builddir}/%{name}-%{version}
# setup flags: -q quiet, -D keep the existing directory, -T skip unpacking the
# default source, so this step only enters the tree moved above.
%setup -q -D -T 0
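%build
# Prepares the profile tree for packaging. pushd and read -d are bash
# features; the original section already relied on bash (pushd, brace
# expansion), so no new requirement is introduced.

# Drop stray files whose name starts with "zed" anywhere in the source tree.
find . -name 'zed*' -print -delete
pushd apparmor.d/
# Refuse to build when a file in this tree has the same relative path as one
# already present in /etc/apparmor.d of the build environment, because the
# resulting package would collide with a file owned by another package.
# Names are passed NUL-separated so paths containing whitespace or glob
# characters are checked as-is instead of being split by the shell.
find . -type f -print0 | while IFS= read -r -d '' i ; do
  if [ -e "/etc/apparmor.d/${i}" ] ; then
    echo "duplicated file ${i}" >&2
    exit 1
  fi
done || exit 1
# Macro provided by the packaging helpers (see the BuildRequires on
# packaging-apparmor); what it changes in the tree is not visible in this spec.
%apparmor_postprocess *
# The wine profiles and abstractions are not shipped by any file list here.
rm wine* abstractions/wine*
# Every php-fpm sub-profile gets an include directory next to it and a
# matching one under local/ for site-specific additions.
for file in php-fpm.d/* ; do
  # Skip the literal pattern when the glob matched nothing.
  [ -e "${file}" ] || continue
  mkdir -p "local/${file}.d" "${file}.d"
done
%if %{without needs_php_fpm_apparmor}
rm php-fpm-nordisch
%endif
%if %{with apparmor4}
# get rid of the profiles that block our profiles
# A symlink in disable/ is created only for names that exist in
# /etc/apparmor.d of the build environment. The desktop file list names a
# fixed set of disable/ entries, so the two have to stay in step or packaging
# fails.
mkdir -p disable/
for profile in *-nordisch vivaldi-bin code chrome chromium ; do
  # Strip the -nordisch suffix to get the name of the profile being replaced
  # (the doubled percent sign is the spec-file escape for a single one).
  short_name=${profile%%-nordisch}
  if [ -e "/etc/apparmor.d/${short_name}" ] ; then
    ln -sf "/etc/apparmor.d/${short_name}" "disable/${short_name}"
  fi
done
%endif
# mkdir local
# touch $(ruby %{S:2} *)
# if ! pkg-config --atleast-version 3.0.0 libapparmor ; then
# ruby %{S:3} $(grep -l 'abi/3.0' -r .)
# fi
# popd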
%install
# Stage the processed profiles under /etc/apparmor.d and the systemd drop-in
# directories under the unit directory of the buildroot.
# Archive mode keeps the disable/ symlinks as symlinks and carries file modes
# over from the build tree; no file list in this spec sets explicit
# attributes, so the modes in the source tree are the modes that get packaged.
install -D -d -m 0755 \
  %{buildroot}/etc/apparmor.d/ \
  %{buildroot}%{_unitdir}/
rsync --archive --verbose apparmor.d/ %{buildroot}/etc/apparmor.d/
rsync --archive --verbose systemd/ %{buildroot}%{_unitdir}/
%if %{with apparmor_reload}
%post -n php-fpm-apparmor
# Runs after install and upgrade to reload the php-fpm profile.
# NOTE(review): the path reloaded is /etc/apparmor.d/php-fpm, while the
# profile this package ships (where enabled) is php-fpm-nordisch - confirm
# which file the reload is meant to target.
%apparmor_reload /etc/apparmor.d/php-fpm
%endif
%files -n php-fpm-apparmor
%license LICENSE
# The package's own profile is shipped only where needs_php_fpm_apparmor is
# enabled; elsewhere the build section deletes it and it is excluded here.
%if %{with needs_php_fpm_apparmor}
%config /etc/apparmor.d/php-fpm-nordisch
%else
%exclude /etc/apparmor.d/php-fpm-nordisch
%endif
# Plain config entries are replaced on upgrade (a locally edited copy is kept
# as .rpmsave); noreplace entries keep the local copy instead.
%config /etc/apparmor.d/abstractions/php-fpm
%dir /etc/apparmor.d/php-fpm.d/
%dir /etc/apparmor.d/local/php-fpm.d/
%dir /etc/apparmor.d/php-fpm.d/default.d/
%dir /etc/apparmor.d/local/php-fpm.d/default.d/
%config(noreplace) /etc/apparmor.d/php-fpm.d/default
# Ghost entries are owned by the package but not shipped in it, so site
# rules placed in local/ are left alone by upgrades.
%ghost %config(noreplace) /etc/apparmor.d/local/usr.sbin.php-fpm
%ghost %config(noreplace) /etc/apparmor.d/local/php-fpm
%if %{with apparmor_reload}
%post -n redis-apparmor
# Runs after install and upgrade to reload the redis profile shipped below.
%apparmor_reload /etc/apparmor.d/redis
%endif
%files -n redis-apparmor
%license LICENSE
# The main profile and abstraction are replaced on upgrade; everything under
# redis.d/ is noreplace, so edited instance sub-profiles are kept.
%config /etc/apparmor.d/redis
%config /etc/apparmor.d/abstractions/redis
%dir /etc/apparmor.d/redis.d/
%config(noreplace) /etc/apparmor.d/redis.d/*
# systemd drop-in directories for the redis and redis-sentinel template units.
# Presumably they bind the services to the profile - contents not visible here.
%{_unitdir}/redis@.service.d/
%{_unitdir}/redis-sentinel@.service.d/
%if %{with apparmor_reload}
%post -n gitlab-apparmor
# Runs after install and upgrade to reload the gitlab profile shipped below.
%apparmor_reload /etc/apparmor.d/gitlab
%endif
%files -n gitlab-apparmor
%license LICENSE
# systemd drop-in directories for every unit whose name starts with gitlab.
%{_unitdir}/gitlab*.d/
# The git* glob claims every abstraction whose name starts with "git", not
# only gitlab-specific ones - keep that in mind when adding abstractions.
%config /etc/apparmor.d/abstractions/git*
%config /etc/apparmor.d/tunables/gitlab
%config /etc/apparmor.d/gitlab
%if %{with apparmor_reload}
%post -n discourse-apparmor
# Runs after install and upgrade to reload the discourse profile shipped below.
%apparmor_reload /etc/apparmor.d/discourse
%endif
%files -n discourse-apparmor
%license LICENSE
# systemd drop-in directories for every unit whose name starts with discourse.
%{_unitdir}/discourse*.d/
# All entries are plain config: upgrades replace them, local edits end up in
# .rpmsave copies. No local/ override is reserved for this profile.
%config /etc/apparmor.d/abstractions/discourse*
%config /etc/apparmor.d/discourse
%if %{with apparmor_reload}
%post -n nextcloud-apparmor
# Runs after install and upgrade. The php-fpm profile is reloaded as well
# because the nextcloud rules are a sub-profile under php-fpm.d/.
# NOTE(review): nextcloud-cron is reloaded here but excluded from the file
# list below - confirm whether that profile is still meant to be active.
%apparmor_reload /etc/apparmor.d/nextcloud-cron /etc/apparmor.d/php-fpm /etc/apparmor.d/nextcloud-notify-push
%endif
%files -n nextcloud-apparmor
%license LICENSE
%exclude /etc/apparmor.d/nextcloud-cron
%config /etc/apparmor.d/nextcloud-notify-push
%config /etc/apparmor.d/abstractions/nextcloud
# noreplace: a locally edited sub-profile survives upgrades.
%config(noreplace) /etc/apparmor.d/php-fpm.d/nextcloud
# Include directories created in the build section for this sub-profile.
%dir /etc/apparmor.d/php-fpm.d/nextcloud.d/
%dir /etc/apparmor.d/local/php-fpm.d/nextcloud.d/
%if %{with apparmor_reload}
%post -n tt-rss-apparmor
# Runs after install and upgrade.
# NOTE(review): usr.sbin.php-fpm is not shipped by any file list in this spec,
# and the nextcloud scriptlet reloads /etc/apparmor.d/php-fpm instead -
# confirm that the php-fpm profile carrying this sub-profile really gets
# reloaded, otherwise updated rules only apply after the next full reload.
%apparmor_reload /etc/apparmor.d/usr.sbin.php-fpm /etc/apparmor.d/tt-rss-update-daemon
%endif
%files -n tt-rss-apparmor
%license LICENSE
# Both profiles are noreplace, so locally edited copies survive upgrades.
%config(noreplace) /etc/apparmor.d/tt-rss-update-daemon
%config(noreplace) /etc/apparmor.d/php-fpm.d/tt-rss
# Include directories created in the build section for this sub-profile.
%dir /etc/apparmor.d/php-fpm.d/tt-rss.d/
%dir /etc/apparmor.d/local/php-fpm.d/tt-rss.d/
%if %{with apparmor_reload}
%post -n roundcubemail-apparmor
# Runs after install and upgrade.
# NOTE(review): usr.sbin.php-fpm is not shipped by any file list in this spec,
# and the nextcloud scriptlet reloads /etc/apparmor.d/php-fpm instead -
# confirm that the php-fpm profile carrying this sub-profile really gets
# reloaded, otherwise updated rules only apply after the next full reload.
%apparmor_reload /etc/apparmor.d/usr.sbin.php-fpm
%endif
%files -n roundcubemail-apparmor
%license LICENSE
# noreplace: a locally edited sub-profile survives upgrades.
%config(noreplace) /etc/apparmor.d/php-fpm.d/roundcubemail
# Include directories created in the build section for this sub-profile.
%dir /etc/apparmor.d/php-fpm.d/roundcubemail.d/
%dir /etc/apparmor.d/local/php-fpm.d/roundcubemail.d/
%if %{with apparmor_reload}
%post -n forked-daapd-apparmor
# Runs after install and upgrade to reload the forked-daapd profile shipped below.
%apparmor_reload /etc/apparmor.d/forked-daapd
%endif
%files -n forked-daapd-apparmor
%license LICENSE
# The local override is a ghost entry: owned by the package, not shipped, and
# left alone by upgrades. The profile itself is noreplace as well.
%ghost %config(noreplace) /etc/apparmor.d/local/forked-daapd
%config(noreplace) /etc/apparmor.d/forked-daapd
%if %{with apparmor_reload}
%post -n minio-apparmor
# Runs after install and upgrade to reload the minio profile shipped below.
%apparmor_reload /etc/apparmor.d/minio
%endif
%files -n minio-apparmor
%license LICENSE
# Local overrides are ghost entries: owned by the package, not shipped, and
# left alone by upgrades. Only one profile file, minio, is shipped; the
# client overrides presumably belong to profiles defined inside it - confirm.
%ghost %config(noreplace) /etc/apparmor.d/local/minio-client
%ghost %config(noreplace) /etc/apparmor.d/local/minio-mc
%ghost %config(noreplace) /etc/apparmor.d/local/minio
%config(noreplace) /etc/apparmor.d/minio
%if %{with apparmor_reload}
%post -n matrix-apparmor
# Runs after install and upgrade to reload the matrix profile shipped below.
%apparmor_reload /etc/apparmor.d/matrix
%endif
%files -n matrix-apparmor
%license LICENSE
# Profile and local override are both noreplace; the override is a ghost
# entry, owned by the package but not shipped.
%config(noreplace) /etc/apparmor.d/matrix
%ghost %config(noreplace) /etc/apparmor.d/local/matrix
# systemd drop-in directory for matrix-synapse.service. Presumably it binds
# the service to the profile - contents not visible here.
%{_unitdir}/matrix-synapse.service.d/
%if %{with apparmor_reload}
%post -n tmate-ssh-server-apparmor
# Runs after install and upgrade to reload the tmate-ssh-server profile shipped below.
%apparmor_reload /etc/apparmor.d/tmate-ssh-server
%endif
%files -n tmate-ssh-server-apparmor
%license LICENSE
# The profile is plain config and is replaced on upgrade; site rules belong
# in the ghost local override, which upgrades leave alone.
%ghost %config(noreplace) /etc/apparmor.d/local/tmate-ssh-server
%config /etc/apparmor.d/tmate-ssh-server
%files abstractions
# Abstractions shared by the profile subpackages. All entries are plain
# config, so upgrades replace them; this subpackage has no reload scriptlet,
# so a changed abstraction takes effect when a profile that includes it is
# next reloaded.
%license LICENSE
%config /etc/apparmor.d/abstractions/imagemagick
%config /etc/apparmor.d/abstractions/erlang
%config /etc/apparmor.d/abstractions/php7
%config /etc/apparmor.d/abstractions/php-fixes
%config /etc/apparmor.d/abstractions/rails-app
%config /etc/apparmor.d/abstractions/ruby-modern
%config /etc/apparmor.d/abstractions/crypto.d/
%config /etc/apparmor.d/abstractions/audio.d/
%config /etc/apparmor.d/abstractions/mesa.d/
# NOTE(review): going by its name and by the warning in the openssh
# scriptlet, this abstraction lets login shells run without confinement. Its
# contents are not visible here - read it before including it in a local
# override, since it widens what an SSH session may do.
%config /etc/apparmor.d/abstractions/all-shells-unconfined
%if %{with apparmor_reload}
%post -n nginx-apparmor
# Runs after install and upgrade to reload the nginx profile shipped below.
%apparmor_reload /etc/apparmor.d/nginx
%endif
%files -n nginx-apparmor
%license LICENSE
# Two local override names are reserved (old and new profile naming); both are
# ghost entries, owned by the package but not shipped, and kept on upgrade.
%ghost %config(noreplace) /etc/apparmor.d/local/usr.sbin.nginx
%ghost %config(noreplace) /etc/apparmor.d/local/nginx
%config /etc/apparmor.d/nginx
%if %{with apparmor_reload}
%post
# Runs after install and upgrade of the main package. The brace list is
# expanded by the scriptlet shell.
# NOTE(review): oidentd and pgbouncer are shipped below but are not in this
# reload list - confirm whether their profiles should be reloaded too.
%apparmor_reload /etc/apparmor.d/{irssi,ejabberdctl,epmd}
%endif
%files
%license LICENSE
# Local overrides are ghost entries: owned by the package, not shipped, and
# left alone by upgrades.
%ghost %config(noreplace) /etc/apparmor.d/local/usr.bin.irssi
%ghost %config(noreplace) /etc/apparmor.d/local/irssi
%ghost %config(noreplace) /etc/apparmor.d/local/usr.sbin.pgbouncer
%ghost %config(noreplace) /etc/apparmor.d/local/pgbouncer
%ghost %config(noreplace) /etc/apparmor.d/local/ejabberd-beam-smp
%ghost %config(noreplace) /etc/apparmor.d/local/ejabberd-inotify-wait
# The profiles themselves are plain config and are replaced on upgrade.
%config /etc/apparmor.d/epmd
%config /etc/apparmor.d/irssi
%config /etc/apparmor.d/ejabberdctl
%config /etc/apparmor.d/oidentd
%config /etc/apparmor.d/pgbouncer
%package desktop
# Profiles for desktop applications (browsers, mail and chat clients, editors).
# NOTE(review): this dependency pins the abstractions to the same version
# without the release, while the other subpackages use >= version-release -
# confirm the difference is intended.
Requires: %{name}-abstractions = %{version}
Group: Productivity/Security
#
Summary: Profiles for desktop apps
%description desktop
Profiles for desktop apps
%if %{with apparmor_reload}
%post desktop
# Runs after install and upgrade of the desktop profiles.
# NOTE(review): several names in this list do not match the files shipped
# below: the browser, evolution, vscode, vscodium and signal-desktop profiles
# are packaged with a -nordisch suffix, dino and dnscrypt-proxy without the
# usr.bin./usr.sbin. prefix, and teamspeak-client, teams and element-desktop
# are not listed at all. Confirm how the reload macro treats missing paths;
# if it skips them, updated rules for those applications are not applied
# until the next full profile reload.
%apparmor_reload /etc/apparmor.d/{keepassxc-proxy-chromium,xdg-tools-chromium,google-chrome-stable,google-chrome-beta,vivaldi-snapshot,vivaldi-stable,claws-mail,usr.bin.dino,evolution,usr.sbin.dnscrypt-proxy,chromium,plasma-browser-integration-host,vscode,vscodium,signal-desktop}
%endif
%files desktop
%license LICENSE
# Local overrides are ghost entries: owned by the package, not shipped, and
# left alone by upgrades. Several applications have more than one reserved
# name, covering path-style and short profile names.
%ghost %config(noreplace) /etc/apparmor.d/local/chromium
%ghost %config(noreplace) /etc/apparmor.d/local/claws-mail
%ghost %config(noreplace) /etc/apparmor.d/local/dino
%ghost %config(noreplace) /etc/apparmor.d/local/dnscrypt-proxy
%ghost %config(noreplace) /etc/apparmor.d/local/evolution
%ghost %config(noreplace) /etc/apparmor.d/local/evolution-allowed-apps
%ghost %config(noreplace) /etc/apparmor.d/local/google-chrome-stable
%ghost %config(noreplace) /etc/apparmor.d/local/google-chrome-beta
%ghost %config(noreplace) /etc/apparmor.d/local/opt.google.chrome.chrome
%ghost %config(noreplace) /etc/apparmor.d/local/opt.vivaldi-snapshot.vivaldi-bin
%ghost %config(noreplace) /etc/apparmor.d/local/opt.vivaldi-stable.vivaldi-bin
%ghost %config(noreplace) /etc/apparmor.d/local/opt.vivaldi.vivaldi-bin
%ghost %config(noreplace) /etc/apparmor.d/local/usr.bin.claws-mail
%ghost %config(noreplace) /etc/apparmor.d/local/usr.bin.dino
%ghost %config(noreplace) /etc/apparmor.d/local/usr.bin.evolution
%ghost %config(noreplace) /etc/apparmor.d/local/usr.lib.chromium.chromium
%ghost %config(noreplace) /etc/apparmor.d/local/usr.sbin.dnscrypt-proxy
%ghost %config(noreplace) /etc/apparmor.d/local/vivaldi-stable-bin
%ghost %config(noreplace) /etc/apparmor.d/local/vivaldi-snapshot-bin
%ghost %config(noreplace) /etc/apparmor.d/local/vivaldi-bin
%ghost %config(noreplace) /etc/apparmor.d/local/signal-desktop
%ghost %config(noreplace) /etc/apparmor.d/local/element-desktop
%ghost %config(noreplace) /etc/apparmor.d/local/teamspeak-client
%ghost %config(noreplace) /etc/apparmor.d/local/teams
%ghost %config(noreplace) /etc/apparmor.d/local/vscode
%ghost %config(noreplace) /etc/apparmor.d/local/vscodium
# Abstractions and profiles are plain config: upgrades replace them and keep
# a locally edited copy as .rpmsave, so site changes belong in local/.
%config /etc/apparmor.d/abstractions/nvidia.d/
%config /etc/apparmor.d/abstractions/google-chrome
%config /etc/apparmor.d/abstractions/evolution
%config /etc/apparmor.d/abstractions/chromium
%config /etc/apparmor.d/abstractions/chromium-app-files
%config /etc/apparmor.d/abstractions/chromium-common
%config /etc/apparmor.d/abstractions/nssdb-user-files
%config /etc/apparmor.d/abstractions/p11-kit-files
%config /etc/apparmor.d/abstractions/keepassxc-proxy-chromium-in-browser
%config /etc/apparmor.d/abstractions/vscodium
%config /etc/apparmor.d/abstractions/vscode
%config /etc/apparmor.d/abstractions/vivaldi
%config /etc/apparmor.d/abstractions/teams
%config /etc/apparmor.d/abstractions/vivaldi-ignore-media-codecs
%config /etc/apparmor.d/abstractions/xdg-tools-chromium-in-browser
%config /etc/apparmor.d/abstractions/chromium-crash-handler
%config /etc/apparmor.d/abstractions/vivaldi-media-codecs
%config /etc/apparmor.d/chromium-shell-wrapper-helpers
%config /etc/apparmor.d/vivaldi-shell-wrapper-helpers
%config /etc/apparmor.d/keepassxc-proxy-chromium
%config /etc/apparmor.d/xdg-tools-chromium
%config /etc/apparmor.d/google-chrome-beta-nordisch
%config /etc/apparmor.d/google-chrome-stable-nordisch
%config /etc/apparmor.d/vivaldi-snapshot-nordisch
%config /etc/apparmor.d/vivaldi-stable-nordisch
%config /etc/apparmor.d/claws-mail
%config /etc/apparmor.d/dino
%config /etc/apparmor.d/evolution-nordisch
%config /etc/apparmor.d/dnscrypt-proxy
%config /etc/apparmor.d/chromium-nordisch
%config /etc/apparmor.d/vscode-nordisch
%config /etc/apparmor.d/vscodium-nordisch
%config /etc/apparmor.d/teamspeak-client
%config /etc/apparmor.d/teams-nordisch
%config /etc/apparmor.d/plasma-browser-integration-host
%config /etc/apparmor.d/abstractions/electron
%config /etc/apparmor.d/abstractions/electron-shell-wrapper
%config /etc/apparmor.d/signal-desktop-nordisch
%config /etc/apparmor.d/element-desktop-nordisch
%if %{with apparmor4}
# Symlinks created in the build section. They point at same-named profiles in
# /etc/apparmor.d that come from elsewhere and would otherwise block the
# -nordisch variants shipped above. Installing this package therefore turns
# those profiles off; if a -nordisch profile then fails to load, the
# application is left without confinement, so check the loaded profile set
# after installing.
%dir /etc/apparmor.d/disable/
%config /etc/apparmor.d/disable/chromium
%config /etc/apparmor.d/disable/vivaldi-bin
%config /etc/apparmor.d/disable/signal-desktop
%config /etc/apparmor.d/disable/evolution
%config /etc/apparmor.d/disable/element-desktop
%config /etc/apparmor.d/disable/code
%config /etc/apparmor.d/disable/chrome
%endif
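# Scriptlet for the sshd profile. The section header sits outside the
# conditional so the lock-out warning is always part of this scriptlet. With
# the header inside the conditional, a build without apparmor_reload has no
# scriptlet section at all and the echo line falls into the preceding file
# list instead of being run.
%post -n openssh-apparmor
%if %{with apparmor_reload}
%apparmor_reload /etc/apparmor.d/openssh
%endif
# Per the message below, new SSH sessions depend on the login shell being
# allowed in local/sshd_child once the profile is active, so the administrator
# is reminded to check that before closing the current session.
echo "BEFORE you logout ensure that either your desired shell is in /etc/apparmor.d/local/sshd_child or you have an include for <abstractions/all-shells-unconfined> in that file. otherwise you can be locked out of your SSH access."
%files -n openssh-apparmor
%license LICENSE
# Profile and abstractions are plain config and are replaced on upgrade.
%config /etc/apparmor.d/openssh
%config /etc/apparmor.d/abstractions/openssh-common
%config /etc/apparmor.d/abstractions/openssh-auth
# Local overrides are ghost entries: owned by the package, not shipped, and
# left alone by upgrades. sshd_child is the file the scriptlet message refers
# to for the allowed login shells.
%ghost %config(noreplace) /etc/apparmor.d/local/sshd
%ghost %config(noreplace) /etc/apparmor.d/local/sshd_child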
%changelog