[apparmor] [patch] Samba profile updates

Steve Beattie steve at nxnw.org
Fri Aug 26 23:23:04 UTC 2011 

On Sat, Aug 27, 2011 at 01:00:54AM +0200, Christian Boltz wrote:
> Good catch - openSUSE 11.4 also has those subdirectories (I don't see 
> one for winbind, but that's probably caused by not using samba for a 
> very long time).
> 
> I'd prefer /var/log/samba/cores/** so that we can keep it in the 
> abstraction.

Fine by me.

> From: Jeff Mahoney <jeffm at suse.com>
> Subject: apparmor-profiles: Add samba config files
> 
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
> 
> - updated to match trunk
> - added changed path to nmbd profile (/var/cache/samba has moved to 
>   /var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
>   For backward compability, it also allows /var/spool/samba.
> - Note: The smbd profile already contains both locations.
> by Christian Boltz <apparmor at cboltz.de>
> 
> updated according to the comments from Steve Beattie
> by Christian Boltz <apparmor at cboltz.de>

I'm still a little dubious of the need for '/etc/samba/* rwk' for
smbd as I prefer to try restrict configuration area writes but I
understand that may not possible in this case.

Acked-By: Steve Beattie <sbeattie at ubuntu.com>

Thanks!

> === modified file 'profiles/apparmor.d/abstractions/samba'
> --- profiles/apparmor.d/abstractions/samba	2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/abstractions/samba	2011-08-26 22:50:10 +0000
> @@ -9,11 +9,11 @@
>  #
>  # ------------------------------------------------------------------
>  
> -  /etc/samba/smb.conf r,
> +  /etc/samba/* r,
>    /usr/share/samba/*.dat r,
>    /var/lib/samba/**.tdb rwk,
>    /var/log/samba/cores/ rw,
> -  /var/log/samba/cores/* w,
> +  /var/log/samba/cores/** rw,
>    /var/log/samba/log.* w,
>    /{,var/}run/samba/*.tdb rw,
>  
> 
> === modified file 'profiles/apparmor.d/usr.sbin.nmbd'
> --- profiles/apparmor.d/usr.sbin.nmbd	2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.sbin.nmbd	2011-08-26 22:54:09 +0000
> @@ -8,12 +8,9 @@
>    capability net_bind_service,
>  
>    /usr/sbin/nmbd mr,
> -  /var/cache/samba/browse.dat* rw,
> -  /var/lib/samba/wins.dat* rw,
> -  /{,var/}run/samba/** rk,
> -  /{,var/}run/samba/nmbd.pid rw,
> -  /var/log/samba/cores/nmbd/ rw,
> -  /var/log/samba/cores/nmbd/** rw,
> +  /var/{cache,lib}/samba/browse.dat* rw,
> +  /var/{cache,lib}/samba/wins.dat* rw,
> +  /{,var/}run/samba/** rwk,
>  
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/usr.sbin.nmbd>
> 
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd	2011-08-26 21:19:30 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd	2011-08-26 22:57:22 +0000
> @@ -24,6 +24,7 @@
>    /etc/printcap r,
>    /proc/*/mounts r,
>    /usr/sbin/smbd mr,
> +  /etc/samba/* rwk,
>    /var/cache/samba/** rwk,
>    /var/cache/samba/printing/printers.tdb mrw,
>    /var/lib/samba/** rwk,
> 

> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110826/e0a84946/attachment.pgp>

More information about the AppArmor mailing list