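---
# Package manifest for smar-apparmor-profiles, consumed by generate_spec.rb
# (referenced in the TODO under "systemd" below). One list entry per RPM
# subpackage, grouped by the folder of the profile tree the profiles live in.
#
# Keys used in this file. Their exact semantics are defined by the consumer;
# the descriptions here only follow from the values present — confirm against
# generate_spec.rb before relying on them:
#   name                                    subpackage name
#   requires / recommends / suggests /      RPM dependency lists; entries are
#   supplements / provides                  package names (plain scalars)
#   files                                   profile files, as paths from the
#                                           profile tree root
#   in_directory                            mapping of a directory (quoted) to
#                                           the per-directory keys below, with
#                                           entries relative to that directory
#   local / extra_files / extra_directories / included_tunables /
#   rpm_scriptlets_symlinks / namespaces / ghost
#                                           additional per-package file lists
#   load_profile_by_systemd                 mapping of a systemd unit name to
#                                           the profile it is started under;
#                                           the "system_conditional" and "user"
#                                           sub-groups are used once, by systemd
#   abstractions                            abstraction names the profiles use
#
# Quoting convention (kept consistent throughout): file and directory names
# are always double-quoted; package and abstraction names are plain scalars.
# None of the plain names here looks like a boolean, number or null, so no
# implicit-typing surprise arises under YAML 1.1 loaders (e.g. Ruby's Psych,
# presumably what generate_spec.rb uses).

# system folder

- name: "at-spi2-core"
  requires:
    - dbus-1
  in_directory:
    "system/dbus":
      files:
        - "at-spi-bus-launcher"

- name: "chrony"
  in_directory:
    "system/network":
      files:
        - "chronyc"
        - "chronyd"

- name: "cronie"
  in_directory:
    "system/cron":
      files:
        - "cronie"
        - "cronie.run-crons"
        - "crontab"
      extra_directories:
        - "cronie.d"
      extra_files:
        - "cronie.d/README"

- name: "dbus-1"
  load_profile_by_systemd:
    dbus-daemon: dbus-daemon
  abstractions:
    - kde
    - systemd
  in_directory:
    "system/dbus":
      files:
        - "dbus-daemon"
        - "dbus-daemon-launch-helper"
        - "dbus-run-session"

- name: "deltarpm"
  files:
    - "system/applydeltarpm"

- name: "fish"
  requires:
    - less
    - procps
    - subversion
    - systemd
    - xdm  # For /etc/X11/xdm/sys.xsession
    - git-core
    - krb5-client
    - btrfsmaintenance  # zypper plugin
    - libzypp-plugin-appdata  # zypper plugin
    - snapper-zypp-plugin  # zypper plugin
  abstractions:
    - sddm
  local:
    - "fish"
    - "kde_fish"
  # NOTE: Doing this differently as directory include loading loads under wrong namespaces.
  # Only sometimes, not always, which is all the more annoying.
  namespaces:
    - "common_fish"
  in_directory:
    "system/shells":
      local:
        - "common_fish"
        - "fish-sudo"
      files:
        - "fish"
        - "kde_fish"
      extra_files:
        - "lib/common_fish"
        - "lib/fish-sudo"

- name: "fuse3"
  in_directory:
    "system/mount":
      files:
        - "fusermount3"
      extra_directories:
        - "local/fuse"
      extra_files:
        - "local/fuse/fusermount3"

- name: "glib2-tools"
  in_directory:
    "system/glib":
      files:
        - "glib-compile-schemas"
        - "gsettings"

- name: "glibc"
  in_directory:
    "system/glibc":
      rpm_scriptlets_symlinks:
        - "iconvconfig"
      local:
        - "lib-ld.so"
      files:
        - "iconvconfig"
        - "ldconfig"
        - "lib-ld.so"

- name: "glibc-32bit"
  in_directory:
    "system/glibc":
      rpm_scriptlets_symlinks:
        - "iconvconfig-32"
      files:
        - "iconvconfig-32"

- name: "grub2"
  recommends:
    - os-prober  # For grub-mkconfig
  in_directory:
    "system/bootloader":
      files:
        - "grub-editenv"
        - "grub-install"
        - "grub-mkconfig"
        - "grub-probe"
        - "grub2-once"
        - "grub2-reboot"

- name: "os-prober"
  requires:
    - util-linux  # For blkid
  in_directory:
    "system/bootloader":
      files:
        - "os-prober"

- name: "power-profiles-daemon"
  load_profile_by_systemd:
    power-profiles-daemon: power-profiles-daemon
  in_directory:
    "system/dbus":
      files:
        - "power-profiles-daemon"

# NOTE: Not setting systemd to use the profile, because two different executables are used in the service.
- name: "rsyslog"
  in_directory:
    "system":
      files:
        - "rsyslogd"

- name: "rtkit"
  in_directory:
    "system/dbus":
      files:
        - "rtkit-daemon"

- name: "smartmontools"
  in_directory:
    "system":
      files:
        - "smartd"

- name: "sudo"
  files:
    - "system/sudo"

- name: "tmpwatch"
  in_directory:
    "system/cron/scripts":
      files:
        - "cron.daily.tmpwatch"

- name: "util-linux"
  in_directory:
    "system":
      local:
        - "bin.login"
      files:
        - "agetty"
        - "bin.login"
        - "su"
    "system/cli":
      files:
        - "dmesg"
        - "lsns"
    "system/filesystem":
      files:
        - "fsfreeze"
    "utilities":
      files:
        - "blkid"

- name: "wicked"
  requires:
    - kmod
  in_directory:
    "system/network/wicked":
      files:
        - "ifup"
        - "wicked"
        - "wickedd"
        - "wickedd-nanny"
        - "wicked.lib.wickedd-auto4"
        - "wicked.lib.wickedd-dhcp4"
        - "wicked.lib.wickedd-dhcp6"

- name: "xinetd"
  files:
    - "system/xinetd"

# admin folder

- name: "ca-certificates"
  in_directory:
    "system/admin":
      files:
        - "update-ca-certificates"
      rpm_scriptlets_symlinks:
        - "update-ca-certificates"

- name: "pam-config"
  in_directory:
    "system/admin":
      files:
        - "pam-config"

- name: "fai-toolkit"
  in_directory:
    "system/admin/management":
      included_tunables:
        - "fai-toolkit"
      files:
        - "ft"
      extra_files:
        - "namespaces.d/ft/"

# authentication folder

- name: "sssd"
  supplements:
    - sssd-common
  in_directory:
    "security/authentication":
      included_tunables:
        - "sssd"
      files:
        - "sssd"
      extra_directories:
        - "namespaces.d/kde_file_dialog.net.d"
      extra_files:
        - "namespaces.d/kde_file_dialog.net.d/sssd"

- name: "sssd-tools"
  requires:
    - sssd  # For tunables/sssd
  in_directory:
    "system/admin/authentication":
      files:
        - "sss_cache"

- name: "yubikey-manager-qt"
  in_directory:
    "security/authentication":
      files:
        - "ykman-gui"

# hardware folder

- name: "iotop"
  in_directory:
    "hardware/disk":
      files:
        - "iotop"

- name: "multipath-tools"
  in_directory:
    "hardware/disk":
      files:
        - "multipath"

- name: "oyranos"
  in_directory:
    "hardware/video/oyranos":
      files:
        - "oyranos-compat-gnome"

- name: "oyranos-monitor"
  recommends:
    - oyranos
  in_directory:
    "hardware/video/oyranos":
      files:
        - "oyranos-monitor"

- name: "upower"
  in_directory:
    "hardware":
      files:
        - "upower"
        - "upowerd"

- name: "usbutils"
  in_directory:
    "hardware/usb":
      files:
        - "lsusb"

# system -> network folder

- name: "bind-utils"
  in_directory:
    "system/network":
      files:
        - "delv"
        - "dig"
        - "host"

- name: "cni-plugins"
  in_directory:
    "system/network/cni":
      files:
        - "cni.dhcp"

- name: "hyphanet"
  provides:
    - freenetproject
  in_directory:
    "system/network/hyphanet":
      included_tunables:
        - "hyphanet"
      files:
        - "run.sh"
        - "wrapper"
      extra_directories:
        - "local/hyphanet"
      extra_files:
        - "lib/hyphanet/"
        - "local/hyphanet/plugins"

- name: "iproute2"
  in_directory:
    "system/network/iproute2":
      files:
        - "ip"
        - "ss"

- name: "nftables"
  in_directory:
    "system/network":
      files:
        - "nft"

- name: "nfs-client"
  suggests:
    - sssd
  in_directory:
    "system/mount":
      files:
        - "mount.nfs"
    "system/network/nfs":
      files:
        - "rpc.gssd"
        - "rpc.lockd"
        - "rpc.statd"
        - "rpc.svcgssd"
    "system/systemd/generators":
      files:
        - "nfs-server-generator"

- name: "whois"
  in_directory:
    "system/network":
      files:
        - "whois"

# virtualization folder

- name: "catatonit"
  in_directory:
    "system/virtualization":
      files:
        - "catatonit"

- name: "kvm_stat"
  in_directory:
    "system/virtualization":
      files:
        - "kvm_stat"

- name: "libcontainers-common"
  in_directory:
    "system/virtualization/containers":
      included_tunables:
        - "containers"

- name: "podman"
  in_directory:
    "system/virtualization/podman":
      files:
        - "podman"
        - "podman.quadlet"

- name: "virtualbox"
  load_profile_by_systemd:
    vboxdrv: vboxdrv.sh
  in_directory:
    "system/virtualization/virtualbox":
      files:
        - "vboxconfig"
        - "VBoxCreateUSBNode.sh"
        - "vboxdrv.sh"
      extra_files:
        - "lib/udevadm.d/virtualbox"

# Can’t be enabled until “no new privs” override support is available:
# https://bugs.launchpad.net/apparmor/+bug/1908448/comments/2
#- name: "bubblewrap"
#  files:
#    - "system/virtualization/bwrap"

# Miscellaneous profiles

- name: "open-iscsi"
  in_directory:
    "system/systemd/generators":
      files:
        - "ibft-rule-generator"

# filesystem folder

- name: "e2fsprogs"
  in_directory:
    "system/filesystem":
      files:
        - "chattr"
        - "fsck.ext3"

- name: "lvm2"
  in_directory:
    "system/filesystem":
      files:
        - "lvm"
    "system/systemd/generators":
      files:
        - "lvm2-activation-generator"

- name: "tarsnap"
  in_directory:
    "system/filesystem":
      files:
        - "tarsnap"

- name: "python3-tarsnapper"
  in_directory:
    "system/filesystem":
      files:
        - "tarsnapper"

# cli folder

- name: "acpi"
  in_directory:
    "system/cli":
      files:
        - "acpi"

- name: "the_silver_searcher"
  in_directory:
    "system/cli":
      extra_files:
        - "local/cli/ag"
      files:
        - "ag"

- name: "appstream-glib"
  files:
    - "system/cli/usr.bin.appstream-util"

- name: "bzr"
  files:
    - "not_tested/usr.bin.bzr"

- name: "coreutils"
  in_directory:
    "system/cli":
      files:
        - "date"
        - "sleep"

- name: "dstat"
  in_directory:
    "system/cli":
      files:
        - "dstat"

- name: "gpm"
  files:
    - "system/cli/gpm"

- name: "hostname"
  in_directory:
    "system/cli":
      files:
        - "hostname"

- name: "htop"
  local:
    - "htop"
  files:
    - "system/cli/htop"

- name: "less"
  files:
    - "system/cli/less"

- name: "lsof"
  in_directory:
    "system/cli":
      files:
        - "lsof"

- name: "man"
  abstractions:
    - less
  in_directory:
    "system/cli/man-pages":
      included_tunables:
        - "man-pages"
      files:
        - "apropos"
        - "man"
        - "mandb"
        - "man-db.do_mandb"
        - "man-db.man"
        - "whatis"
      local:
        - "man"
      extra_files:
        - "lib/man-pages"

- name: "mlocate"
  load_profile_by_systemd:
    mlocate: "systemd.service.mlocate"
  in_directory:
    "system/cli":
      files:
        - "locate"
        - "updatedb"

- name: "nmap"
  in_directory:
    "system/cli":
      files:
        - "nmap"

- name: "nvme-cli"
  files:
    - "system/cli/nvme"

- name: "p7zip"
  in_directory:
    "system/cli":
      files:
        - "p7zip"

- name: "pciutils"
  in_directory:
    "system/cli":
      rpm_scriptlets_symlinks:
        - "sbin.lspci"
      files:
        - "sbin.lspci"

- name: "procps"
  in_directory:
    "system/cli/procps":
      files:
        - "bin.ps"
        - "pgrep"
        - "sysctl"
        - "w"

- name: "procs"
  in_directory:
    "system/cli":
      files:
        - "procs"

- name: "psmisc"
  in_directory:
    "system/cli":
      files:
        - "killall"

- name: "quilt"
  included_tunables:
    - "quilt"
  in_directory:
    "system/cli":
      files:
        - "quilt"

- name: "sensors"
  files:
    - "system/cli/sensors-detect"

- name: "mdadm"
  in_directory:
    "system/admin":
      files:
        - "mdadm"
        - "mdcheck"

- name: "shadow"
  in_directory:
    "system/admin":
      files:
        - "gpasswd"
        - "groupadd"
        - "passwd"
        - "useradd"
        - "usermod"
        - "userdel"

- name: "sysvinit-tools"
  in_directory:
    "system/cli":
      files:
        - "killall5"
        #- "pidof"

# systemd folder

- name: "systemd"
  load_profile_by_systemd:
    system_conditional:
      systemd-udevd: systemd-udevd
    user:
      systemd-tmpfiles-clean: systemd-tmpfiles
      systemd-tmpfiles-setup: systemd-tmpfiles
  abstractions:
    - less
    - sddm
    - systemd
    - vim  # For vim-inline-editor.
  included_tunables:
    - "systemd"
  extra_directories:
    - "local/systemd"
  in_directory:
    "system/systemd":
      ghost:  # TODO: Implement this in generate_spec.rb.
        - "local/systemd/systemd"
      files:
        # NOTE:
        # Since systemd can transfer control to specific AppArmor profiles, and I’m not able
        # to get transitions to work even with “change_profile -> **”, it is maybe better to
        # let systemd run unconfined and just ensure everything else is transitioned to
        # its correct profile.
        #
        # See load_profile_by_systemd in this file for how to specify the profile.
        #- "systemd.pid1"

        # systemd.user seems to work well enough, but...
        #
        # TODO: “systemctl daemon-reexec” as root makes pid1 use the systemd.user
        # profile. This needs to be fixed.
        #
        # For that reason, I’m not enabling systemd.user here, because this would
        # get pulled around too much automatically.
        #- "systemd.user"

        - "systemd_generators"
        - "systemd_scripts"
        - "systemd_shutdown"
        - "systemd.systemd-journald"
        - "systemd.systemd-sysv-install"
        - "user-environment-generators/30-systemd-environment-d-generator"
        - "3rdparty/systemd.3rdparty.user-environment-generators.60-flatpak"
    "system/systemd/commands":
      extra_files:
        - "local/systemd/busctl"
        - "local/systemd/systemd-tmpfiles"
      files:
        - "busctl"
        - "journalctl"
        - "systemctl"
        - "systemd-cat"
        - "systemd-detect-virt"
        - "systemd-run"
        - "systemd-sysusers"
        - "systemd-tmpfiles"
        - "systemd-tty-ask-password-agent"
        - "timedatectl"
    "system/systemd/generators":
      files:
        - "logind-compat-tasks-max-generator"
        - "systemd-bless-boot-generator"
        - "systemd-cryptsetup-generator"
        - "systemd-debug-generator"
        - "systemd-fstab-generator"
        - "systemd-getty-generator"
        - "systemd-gpt-auto-generator"
        - "systemd-hibernate-resume-generator"
        - "systemd-insserv-generator"
        - "systemd-rc-local-generator"
        - "systemd-run-generator"
        - "systemd-system-update-generator"
        - "systemd-sysv-generator"
        - "systemd-veritysetup-generator"
    "system/systemd/subcommands":
      files:
        - "systemd_subcommand"
        - "systemd-binfmt"
        - "systemd-cryptsetup"
        - "systemd-hostnamed"
        - "systemd-localed"
        - "systemd-logind"
        - "systemd-random-seed"
        - "systemd-rfkill"
        - "systemd-sleep"
        - "systemd-sysctl"
        - "systemd-timedated"
        - "systemd-udevd"
        - "systemd-update-utmp"
        - "systemd-user-runtime-dir"
        - "systemd-user-sessions"
    "system/systemd/user-generators":
      files:
        - "systemd-xdg-autostart-generator"

- name: "systemd-coredump"
  requires:
    - systemd
  in_directory:
    "system/systemd/subcommands":
      files:
        - "systemd-coredump"

- name: "zram-generator"
  requires:
    - systemd
  in_directory:
    "system/systemd/generators":
      files:
        - "zram-generator"

# btrfs folder

- name: "btrfsprogs"
  files:
    - "system/btrfs/btrfs"

- name: "btrfsmaintenance"
  requires:
    - btrfsprogs
  files:
    - "suse/zypper/plugins.commit.btrfs-defrag-plugin.sh"
    - "system/btrfs/btrfsmaintenance.btrfs-balance.sh"
    - "system/btrfs/btrfsmaintenance.btrfs-scrub.sh"

# kernel folder

- name: "dracut"
  requires:
    - udev  # udevadm profile; dracut requires udev so this is good.
    - util-linux  # blkid profile; dracut requires util-linux also.
  recommends:
    # btrfs profile. Recommended because if the dracut profile is enforced and
    # btrfs is used as the filesystem, things will go haywire.
    - btrfsprogs
  suggests:
    - systemd  # For systemd-detect-virt.
  in_directory:
    "suse/kernel":
      files:
        - "mkinitrd"
    "system/kernel":
      files:
        - "dracut"
        - "dracut-install"
        - "lsinitrd"

- name: "plymouth"
  in_directory:
    "system/kernel":
      files:
        - "plymouth-set-default-theme"

- name: "plymouth-dracut"
  in_directory:
    "system/kernel":
      files:
        - "plymouth-populate-initrd"

- name: "perl-Bootloader"
  in_directory:
    "system/bootloader":
      files:
        - "bootloader.bootloader_entry"
        - "bootloader.grub2.config"
    "system/kernel":
      files:
        - "pbl"

- name: "utempter"
  abstractions:
    - sddm
  files:
    - "system/kernel/usr.lib.utempter.utempter"

# services folder

- name: "haveged"
  in_directory:
    "system/services":
      files:
        - "haveged"

# kate: indent-width 2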