[apparmor] openSUSE profile patches - part 2

Steve Beattie steve at nxnw.org
Mon Aug 8 21:51:54 UTC 2011


On Mon, Aug 08, 2011 at 08:38:25PM +0000, Seth Arnold wrote:
> Please forgive rubbish BlackBerry quoting:

[Eww, your email included a reply to apparmor-bounces at lists.ubuntu.com.]

> --snip--
> > +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
> > @@ -29,6 +29,8 @@
> >    capability kill,
> >    capability setgid,
> >    capability setuid,
> > +  capability audit_control,
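Review bot: the added `capability audit_control,` line carries no comment saying which sshd code path or PAM module actually needs it, and this capability lets the confined process change audit-subsystem configuration, so the justification belongs beside the rule (a `#` comment in the profile) and the need should be confirmed by running the profile in complain mode and checking for `audit_control` denials; if nothing asks for it, an explicit `deny capability audit_control,` is the safer entry to add here.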
> 
> I really, really dislike allowing audit_control. Basically, a confined
> process with it can turn off audit logging by auditd/the audit
> subsystem or manipulate it in such away as to hide audit events. Does
> sshd really fail to start if audit_control is disallowed? I'd honestly
> rather see a deny rule here.
> 
> --snip--
> 
> It might come from a PAM audit module -- and last time I tried to
> rebuild the Ubuntu packages to include audit support I got annoyed
> and wished for an rpm-spec-file style patch management :) anyway,
> if you can shoot me a suggestion how to rebuild the pam package with
> audit bits I'd happily investigate this :)

It looks like you need to both remove the --disable-audit bit in
debian/rules and add libaudit-dev as a dependency in debian/control.
Based on a testbuild here, the packaging picks up pam_tty_audit.so
automatically, as well as linking some other modules against libaudit.

(Also, ensure you build with universe enabled, as audit/libaudit-dev
lives there; I suspect that's why it's disabled in the Ubuntu package,
as packages in main by policy cannot have build or installation
dependencies on universe packages.)

[Frothy rant about debian packaging elided.]

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
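The two packaging edits described above (drop --disable-audit from debian/rules, add libaudit-dev to debian/control), as an added shell example that is not part of the thread and not Ubuntu's own packaging: `enable_pam_audit` applies both changes to a source tree and verifies they landed, and `make_sample_tree` writes a constructed stand-in debian/ directory so the script can be exercised offline. Treating libaudit-dev as a Build-Depends entry is this example's reading of "dependency in debian/control".

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Ubuntu pam package.
# Applies the two edits Steve describes to a PAM source tree and checks them.

# Write a constructed (not real) debian/ directory under $1 for a dry run.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/debian"
    cat > "$dir/debian/rules" <<'EOF'
#!/usr/bin/make -f
CONFIGURE_OPTS = --prefix=/usr --disable-audit --enable-static=no
EOF
    # Build-Depends continued on a second line, as real control files often are.
    cat > "$dir/debian/control" <<'EOF'
Source: pam
Build-Depends: debhelper (>= 7), libdb-dev,
 libselinux1-dev
EOF
}

# Enable audit support in the packaging under $1/debian. Returns non-zero if
# the files are missing or either edit cannot be verified afterwards.
enable_pam_audit() {
    src="$1"
    rules="$src/debian/rules"
    control="$src/debian/control"
    [ -f "$rules" ] && [ -f "$control" ] || return 1

    # 1. Strip the --disable-audit configure flag (and the whitespace before it)
    #    wherever it appears in debian/rules.
    sed 's/[[:space:]]*--disable-audit//g' "$rules" > "$rules.tmp" \
        && mv "$rules.tmp" "$rules"

    # 2. Add libaudit-dev to Build-Depends unless it is already listed. Inserting
    #    right after the field name works whether or not the list continues on
    #    following lines.
    if ! grep -q 'libaudit-dev' "$control"; then
        sed 's/^Build-Depends:/Build-Depends: libaudit-dev,/' "$control" \
            > "$control.tmp" && mv "$control.tmp" "$control"
    fi

    # Verify both edits: flag gone, build dependency present.
    if grep -q -- '--disable-audit' "$rules"; then
        return 1
    fi
    grep -q '^Build-Depends:.*libaudit-dev' "$control" || return 1
}

# Stand-alone use: enable_pam_audit.sh /path/to/pam-source
if [ "${1:-}" ]; then
    enable_pam_audit "$1" && echo "audit support enabled in $1/debian"
fi
```

After the edits, rebuild with universe enabled so libaudit-dev resolves, then look for pam_tty_audit.so in the resulting package to confirm the audit modules were built.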