[apparmor] [patch] Samba Active Directory authentification
Steve Beattie
steve at nxnw.org
Sat Aug 27 01:48:10 UTC 2011
On Sat, Aug 27, 2011 at 02:22:07AM +0200, Christian Boltz wrote:
> Add permissions needed for Active Directory authentification to Samba
> profiles.
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=713728
>
> @John: if Steve ACKs this patch, feel free to commit it yourself to get
> it into beta2. (I'll go to bed now...)
> === modified file 'profiles/apparmor.d/usr.sbin.nmbd'
> --- profiles/apparmor.d/usr.sbin.nmbd 2011-08-26 23:52:27 +0000
> +++ profiles/apparmor.d/usr.sbin.nmbd 2011-08-27 00:14:12 +0000
> @@ -7,9 +7,18 @@
>
> capability net_bind_service,
>
> + /proc/sys/kernel/core_pattern r,
I'm confused by the need for this in both profiles. The proc/sysctl
entry /proc/sys/kernel/core_pattern defines what happens when a
user space app crashes and a core file should be generated; this is
typically either left alone or set to pipe into a debugging utility
like apport or abrtd. It makes no sense to me why turning on Active
Directory auth would cause this to show up or why it would be useful
for a userspace app to know what it's set at, unless the application
wants to try to do debugging of its own.
OTOH, it shouldn't hurt anything for read access to that; I'm just
curious if it's making some behavioral change based on its contents.
> +
> /usr/sbin/nmbd mr,
> +
> /var/{cache,lib}/samba/browse.dat* rw,
> /var/{cache,lib}/samba/wins.dat* rw,
> + /var/{cache,lib}/samba/smb_krb5/ rw,
> + /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
> + /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
> + /var/{cache,lib}/samba/sync.* rw,
> + /var/{cache,lib}/samba/unexpected rw,
> +
I was wondering why these showed up under the nmbd profile and not the
smbd one, but smbd is covered by /var/lib/samba/** rwk (and it looks
like from the novell bug report that /var/lib/ was the actual path of
the rejections). So I'm okay with these, ACK.
(Also, as an aside, I'm really curious where the
type=AVC msg=audit(1314189869.552:93): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12278 comm="su"
were coming from.)
> /{,var/}run/samba/** rwk,
>
> # Site-specific additions and overrides. See local/README for details.
>
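Review bot: `/var/{cache,lib}/samba/unexpected rw,` is the only new rule in this hunk without a trailing glob, so it matches an entry named exactly `unexpected` and nothing with a suffix (an `unexpected.tdb`, say); please confirm from the rejection lines in bug 713728 that the denied path had no suffix, or use the same `unexpected*` form as the neighbouring `sync.*` and `smb_tmp_krb5.*` rules. It would also help to say in the commit message which of these paths are Kerberos state (`smb_krb5/`, `smb_tmp_krb5.*`) and which are generic nmbd state (`sync.*`, `unexpected`), since the latter are not obviously tied to Active Directory authentication and a later reader will not know why they arrived in this change.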
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd 2011-08-26 23:52:27 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd 2011-08-27 00:11:22 +0000
> @@ -23,6 +23,7 @@
> /etc/mtab r,
> /etc/printcap r,
> /proc/*/mounts r,
> + /proc/sys/kernel/core_pattern r,
> /usr/sbin/smbd mr,
> /etc/samba/* rwk,
> /var/cache/samba/** rwk,
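Review bot: `/proc/sys/kernel/core_pattern r,` is added here and in the nmbd hunk without any justification in the commit message, which only says "permissions needed for Active Directory authentification". Read access to that sysctl discloses nothing beyond the configured crash-handler path, so it is low risk, but please record in the commit message or in a profile comment which Samba component reads it; if nothing actually does, drop the rule from both profiles rather than carrying an unexplained permission.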
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
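An added example, not from this thread or the AppArmor project, for the kind of check the review above does by hand: given the new nmbd rules, which rule (if any) would have covered the path in a DENIED audit line? It translates the `{cache,lib}` and `**` globs into anchored regexes and compares the denied path and `denied_mask` against each rule. The rule subset is copied from the hunk; the `krb5.conf.EXAMPLE` path and the sample audit lines are constructed.

```python
import re
# Rules copied from the nmbd hunk (subset) plus a constructed sample denial line.
NMBD_RULES = """
  /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
  /var/{cache,lib}/samba/unexpected rw,
  /{,var/}run/samba/** rwk,
"""
KRB5_DENIAL = ('type=AVC msg=audit(1314189869.552:94): apparmor="DENIED" operation="open" profile="/usr/sbin/nmbd" '
               'name="/var/lib/samba/smb_krb5/krb5.conf.EXAMPLE" pid=12290 comm="nmbd" requested_mask="w" denied_mask="w"')
RULE_RE = re.compile(r'^\s*(/\S*)\s+([a-zA-Z]+),\s*$')  # "  /path/glob rw,"
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value / key="value"

def glob_to_regex(rule_path):
    # AppArmor path glob -> anchored regex: {a,b} alternation (no nesting),
    # '**' matches any characters, '*' matches any characters except '/'.
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith('**', i):
            out.append('.*'); i += 2
        elif rule_path[i] == '*':
            out.append('[^/]*'); i += 1
        elif rule_path[i] == '{':
            j = rule_path.index('}', i)
            out.append('(?:%s)' % '|'.join(map(re.escape, rule_path[i + 1:j].split(','))))
            i = j + 1
        else:
            out.append(re.escape(rule_path[i])); i += 1
    return re.compile('^' + ''.join(out) + '$')

def parse_rules(profile_text):
    # Yield (path_glob, set_of_access_letters) for each file rule in the text.
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m.group(1), set(m.group(2))

def parse_audit(line):
    # Split an AppArmor audit line into {key: value}, dropping surrounding quotes.
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}

def covering_rule(profile_text, audit_line):
    # Return the first rule granting the denied access on the denied path, or None.
    ev = parse_audit(audit_line)
    if ev.get('apparmor') != 'DENIED' or 'name' not in ev:
        return None  # not a file-access denial (e.g. the change_hat line in the mail)
    needed = set(ev.get('denied_mask', ''))
    for path_glob, perms in parse_rules(profile_text):
        if needed <= perms and glob_to_regex(path_glob).match(ev['name']):
            return path_glob
    return None
```

Running it over a denial for `/var/lib/samba/unexpected.tdb` returns None, which is exactly the gap a glob-less `unexpected` rule leaves.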