[apparmor] [patch] Samba Active Directory authentication

Christian Boltz apparmor at cboltz.de
Sat Aug 27 11:49:16 UTC 2011


Hello,

On Saturday, 27 August 2011, Steve Beattie wrote:
> On Sat, Aug 27, 2011 at 02:22:07AM +0200, Christian Boltz wrote:
> > Add permissions needed for Active Directory authentication to
> > Samba profiles.
> > 
> > References: https://bugzilla.novell.com/show_bug.cgi?id=713728
> > 
> > @John: if Steve ACKs this patch, feel free to commit it yourself to
> > get it into beta2. (I'll go to bed now...)

> > === modified file 'profiles/apparmor.d/usr.sbin.nmbd'
> > --- profiles/apparmor.d/usr.sbin.nmbd	2011-08-26 23:52:27 +0000
> > +++ profiles/apparmor.d/usr.sbin.nmbd	2011-08-27 00:14:12 +0000
> > @@ -7,9 +7,18 @@
> > 
> >    capability net_bind_service,
> > 
> > +  /proc/sys/kernel/core_pattern r,
> 
> I'm confused by the need for this in both profiles. The proc/sysctl
> entry /proc/sys/kernel/core_pattern defines what happens when a
> user space app crashes and a core file should be generated; this is
> typically either left alone or set to pipe into a debugging utility
> like apport or abrtd. It makes no sense to me why turning on Active
> Directory auth would cause this to show up or why it would be useful

Maybe you need active directory to crash samba? ;-)

> for a userspace app to know what it's set at, unless the application
> wants to try to do debugging of its own.
> 
> OTOH, it shouldn't hurt anything for read access to that; I'm just
> curious if it's making some behavioral change based on its contents.

That's something you should ask the samba developers if you are really interested ;-)

> > +
> > 
> >    /usr/sbin/nmbd mr,
> > 
> > +
> > 
> >    /var/{cache,lib}/samba/browse.dat* rw,
> >    /var/{cache,lib}/samba/wins.dat* rw,
> > 
> > +  /var/{cache,lib}/samba/smb_krb5/ rw,
> > +  /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
> > +  /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
> > +  /var/{cache,lib}/samba/sync.* rw,
> > +  /var/{cache,lib}/samba/unexpected rw,
> > +
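Review bot: the `/proc/sys/kernel/core_pattern r,` rule is added without a comment saying why nmbd needs it, and the thread itself cannot explain it; put a `#` comment above the rule pointing at the bug report (bnc#713728) so the origin survives in the profile. The globs `krb5.conf*` and `smb_tmp_krb5.*` match every name with that prefix, which is wider than a specific file; if the rejections only named particular files, a narrower pattern would do. Note also that the smbd profile's catch-all carries `k`, while these nmbd rules are `rw` only, so any file lock nmbd takes on `sync.*` or `unexpected` will show up as a new denial. The two bare `+` lines add only whitespace and are unrelated to the fix.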
> 
> I was wondering why these showed up under the nmbd profile and not
> the smbd one, but smbd is covered by /var/lib/samba/** rwk (and it
> looks like from the novell bug report that /var/lib/ was the actual
> path of the rejections). So I'm okay with these, ACK.

Just to be sure: was this a formal ACK for the whole patch?
If I don't hear/read the opposite, I'll commit it tonight (= in 6 hours).

> (Also, as an aside, I'm really curious where the
> 
>   type=AVC msg=audit(1314189869.552:93): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12278 comm="su"
> 
> were coming from.)

Indeed, that looks interesting[tm].


Regards,

Christian Boltz
-- 
High-performance web space
Those are public-html directories that do twenty push-ups every morning
and are pumped full of testosterone.  [Markus Schaber]
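The thread turns on reading AppArmor "DENIED" audit lines and translating them into profile rules like the ones in the patch. The script below is an added example, not code from the AppArmor project or from this mail: it parses the key=value audit format, keeps only file denials that have a profile attached (the change_hat line quoted above has info="unconfined", so no file rule would change anything), folds create/delete masks onto `w`, merges repeated denials for the same path, and rewrites the two samba state directories into the `/var/{cache,lib}/samba` alternation the profile uses. The denial lines for nmbd are constructed samples, not taken from the bug report.

```python
import re

# The audit line quoted in the mail (a change_hat denial from "su").
PAGE_LINE = ('type=AVC msg=audit(1314189869.552:93): apparmor="DENIED" '
             'operation="change_hat" info="unconfined" error=-1 pid=12278 comm="su"')

# Constructed sample denials (not from the bug report) of the kind the patch
# resolves: file accesses by nmbd under /var/lib/samba and /proc.
CONSTRUCTED_LINES = [
    'type=AVC msg=audit(1314189870.001:94): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/nmbd" name="/var/lib/samba/smb_krb5/krb5.conf" '
    'pid=12279 comm="nmbd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    'type=AVC msg=audit(1314189870.002:95): apparmor="DENIED" operation="mkdir" '
    'parent=1 profile="/usr/sbin/nmbd" name="/var/lib/samba/smb_krb5/" '
    'pid=12279 comm="nmbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'type=AVC msg=audit(1314189870.003:96): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/nmbd" name="/proc/sys/kernel/core_pattern" '
    'pid=12279 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # Same file as the first denial, narrower mask: the two merge into one rule.
    'type=AVC msg=audit(1314189870.004:97): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/nmbd" name="/var/lib/samba/smb_krb5/krb5.conf" '
    'pid=12280 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which file permissions are written in a profile rule.
MASK_ORDER = "rwalkm"

# The profile's own convention for the two samba state directories.
SAMBA_DIRS = ("/var/lib/samba/", "/var/cache/samba/")
SAMBA_ALT = "/var/{cache,lib}/samba/"


def parse_avc(line):
    """Split one audit line into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def to_profile_mask(denied):
    """Map an audit denied_mask onto profile file permissions.

    Create (c) and delete (d) are covered by w in a profile. Exec denials
    need a deliberate transition choice (ix/px/Px), so they are not
    suggested automatically and yield None.
    """
    if "x" in denied:
        return None
    perms = set(denied.replace("c", "w").replace("d", "w"))
    return "".join(p for p in MASK_ORDER if p in perms)


def generalize(path):
    """Fold /var/lib/samba and /var/cache/samba into the profile's alternation."""
    for d in SAMBA_DIRS:
        if path.startswith(d):
            return SAMBA_ALT + path[len(d):]
    return path


def suggest_rules(lines):
    """Return {profile: sorted candidate file rules} from DENIED audit lines."""
    needed = {}  # profile -> {path -> set of permission chars}
    for line in lines:
        f = parse_avc(line)
        if f.get("type") != "AVC" or f.get("apparmor") != "DENIED":
            continue
        # Lines without profile/name/denied_mask (e.g. the change_hat denial
        # with info="unconfined") cannot be fixed by a file rule; skip them.
        if not all(k in f for k in ("profile", "name", "denied_mask")):
            continue
        mask = to_profile_mask(f["denied_mask"])
        if not mask:
            continue
        paths = needed.setdefault(f["profile"], {})
        paths.setdefault(generalize(f["name"]), set()).update(mask)
    return {
        profile: sorted(f"{path} {to_profile_mask(''.join(perms))},"
                        for path, perms in paths.items())
        for profile, paths in needed.items()
    }


if __name__ == "__main__":
    for profile, rules in suggest_rules([PAGE_LINE] + CONSTRUCTED_LINES).items():
        print(f"profile {profile} {{")
        for rule in rules:
            print(f"  {rule}")
        print("}")
```

Feeding it the quoted change_hat line alone yields no rule at all, which is the right answer: a denial logged for an unconfined task is a question about why `su` attempted a hat change, not something a profile line can fix. The three constructed nmbd denials produce exactly the kind of `rw`/`r` rules the patch adds, which makes it easy to compare a proposed profile change against the denials that motivated it.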