[apparmor] [patch] Samba profile updates

Christian Boltz apparmor at cboltz.de
Fri Aug 26 23:00:54 UTC 2011


Hello,

On Friday, 26 August 2011, Steve Beattie wrote:
> On Sun, Aug 21, 2011 at 05:33:06PM +0200, Christian Boltz wrote:
> > From: Jeff Mahoney <jeffm at suse.com>
> > Subject: apparmor-profiles: Add samba config files
> > References: bnc#679182 bnc#666450
> > 
> > Signed-off-by: Jeff Mahoney <jeffm at suse.com>
> > 
> > - updated to match trunk
> > - added changed path to nmbd profile (/var/cache/samba has moved to
> >   /var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
> >   For backward compatibility, it also allows /var/spool/samba.
> > 
> > - Note: The smbd profile already contains both locations.
> > by Christian Boltz <apparmor at cboltz.de>
> > 
> > 
> > === modified file 'profiles/apparmor.d/abstractions/samba'
> > --- profiles/apparmor.d/abstractions/samba	2011-07-14 12:57:57
> > +0000 +++ profiles/apparmor.d/abstractions/samba	2011-08-21
> > 15:18:51 +0000 @@ -9,11 +9,11 @@
> > 
> >  #
> >  #
> >  -----------------------------------------------------------------
> >  -
> > 
> > -  /etc/samba/smb.conf r,
> > +  /etc/samba/* r,
> > 
> >    /usr/share/samba/*.dat r,
> >    /var/lib/samba/**.tdb rwk,
> >    /var/log/samba/cores/ rw,
> > 
> > -  /var/log/samba/cores/* w,
> > +  /var/log/samba/cores/* rw,
> 
> On Ubuntu, there are subdirs smbd, nmbd, and winbindd. Perhaps either
> per-daemon rules or /var/log/samba/cores/** is appropriate?

Good catch - openSUSE 11.4 also has those subdirectories (I don't see 
one for winbind, but that's probably caused by not using samba for a 
very long time).

I'd prefer /var/log/samba/cores/** so that we can keep it in the 
abstraction.

> (That said, I don't know what the cores subdirs are used for.)

> >    /var/log/samba/log.* w,
> >    /{,var/}run/samba/*.tdb rw,
> > 
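
Review bot: `/etc/samba/* r,` in the abstraction gives every profile that includes abstractions/samba read access to all files directly in /etc/samba, not just smb.conf. The smbd hunk later in this patch lists passdb.tdb and secrets.tdb in that same directory, so the wildcard makes both readable to everything that pulls in the abstraction. Consider keeping `/etc/samba/smb.conf r,` here, listing any further config files by name, and granting the .tdb files only in the profiles that need them.
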
> > === modified file 'profiles/apparmor.d/usr.sbin.nmbd'
> > --- profiles/apparmor.d/usr.sbin.nmbd	2011-07-14 12:57:57 +0000
> > +++ profiles/apparmor.d/usr.sbin.nmbd	2011-08-21 15:21:01 +0000
> > @@ -8,10 +8,11 @@
> > 
> >    capability net_bind_service,
> >    
> >    /usr/sbin/nmbd mr,
> > 
> > -  /var/cache/samba/browse.dat* rw,
> > -  /var/lib/samba/wins.dat* rw,
> > -  /{,var/}run/samba/** rk,
> > +  /var/{cache,lib}/samba/browse.dat* rw,
> > +  /var/{cache,lib}/samba/wins.dat* rw,
> > +  /{,var/}run/samba/** rwk,
> > 
> >    /{,var/}run/samba/nmbd.pid rw,
> 
> Might as well drop the /{,var/}run/samba/nmbd.pid rw, since it's a
> subset of the /{,var/}run/samba/** rwk, rule.

Indeed.
 
> > +  /var/log/samba/cores/ rw,
> 
> Should this not go into abstractions/samba?

It is already there ;-) - removed.

> >    /var/log/samba/cores/nmbd/ rw,
> >    /var/log/samba/cores/nmbd/** rw,
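
Review bot: the change from `rk` to `rwk` on `/{,var/}run/samba/**` gives nmbd write access to everything under the run directory, and the commit message does not say which file needed it. If only specific files are written, name them instead of widening the `**` rule. The commit message also says /var/spool/samba is allowed for backward compatibility, while the added rules use `/var/{cache,lib}/samba/`; one of the two should be corrected.
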
> 
> See above comment on the cores/ dir in the samba abstraction.

Indeed - also removed from the nmbd profile.

> > === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> > --- profiles/apparmor.d/usr.sbin.smbd	2011-07-14 12:57:57 +0000
> > +++ profiles/apparmor.d/usr.sbin.smbd	2011-08-21 15:17:56 +0000
> > @@ -20,6 +20,9 @@
> > 
> >    /etc/printcap r,
> >    /proc/*/mounts r,
> >    /usr/sbin/smbd mr,
> > 
> > +  /etc/samba/* rwk,
> 
> Err, this covers the following two additions.
> 
> > +  /etc/samba/passdb.tdb rwk,
> > +  /etc/samba/secrets.tdb rwk,
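
Review bot: `/etc/samba/* rwk,` lets smbd write and lock every file in /etc/samba, smb.conf included, where the two rules that follow it would have limited write access to passdb.tdb and secrets.tdb. Keeping the two specific `rwk` rules and dropping the wildcard (or making it read-only) gives the narrower profile; if smbd needs to write other files there, the commit message should name them.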

Good catch - looks like Jeff generated the patch by manually adding one 
rule after the other ;-) - removed.


That all said: updated patch attached.


Regards,

Christian Boltz
-- 
The absolute highlight was the explanation of the difference between floppy
and hard disks: floppy disks are the 5 1/4 inch diskettes, because they are
flexible; hard disks are the 3 1/2 inch diskettes, because they have a hard
shell ;-)   [Manfred Tremmel in suse-laptop]
-------------- next part --------------
An embedded message was scrubbed...
From: Jeff Mahoney <jeffm at suse.com>
Subject: apparmor-profiles: Add samba config files
Date: no date
Size: 2222
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110827/37c821b2/attachment.mht>
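
The glob questions settled in this thread (`*` versus `**` for the cores subdirectories, and whether one rule is already covered by another) can be checked mechanically. The Python sketch below is an added example, not part of the original message or of AppArmor itself; `aa_glob_to_regex` and `perms_for` are hypothetical helpers that model only `**`, `*`, `?` and `{a,b}` alternation, and the paths tested are constructed samples.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified model of AppArmor path globs: **, *, ? and {a,b} only."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        stars = 2 if glob.startswith("**", i) else 1 if c == "*" else 0
        if stars:
            nxt = glob[i + stars:i + stars + 1]
            # A whole-component wildcard must match >= 1 char (dir/* != dir/).
            whole = i > 0 and glob[i - 1] == "/" and nxt in ("", "/")
            if stars == 2:   # ** crosses directory boundaries
                out.append("[^/].*" if whole else ".*")
            else:            # * stays inside one path component
                out.append("[^/]+" if whole else "[^/]*")
            i += stars
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.S)

def perms_for(rules, path):
    """Union of permission letters from every rule whose glob matches path."""
    granted = set()
    for glob, perms in rules:
        if aa_glob_to_regex(glob).fullmatch(path):
            granted |= set(perms)
    return granted

# Rules quoted in the thread; the paths checked below are constructed samples.
CORES_PATCH = [("/var/log/samba/cores/", "rw"), ("/var/log/samba/cores/*", "rw")]
CORES_REPLY = [("/var/log/samba/cores/", "rw"), ("/var/log/samba/cores/**", "rw")]
NMBD_RUN = [("/{,var/}run/samba/**", "rwk")]

if __name__ == "__main__":
    print(perms_for(CORES_PATCH, "/var/log/samba/cores/nmbd/core"))
    print(perms_for(CORES_REPLY, "/var/log/samba/cores/nmbd/core"))
    print(perms_for(NMBD_RUN, "/var/run/samba/nmbd.pid"))
```

Running it shows that the patch's `cores/*` rule grants nothing for a file inside a per-daemon subdirectory, while `cores/**` does, and that the `run/samba/**` rule already covers nmbd.pid in both run locations.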

