[apparmor] [patch] smbd profile + smbldap-useradd

Steve Beattie steve at nxnw.org
Tue Jan 10 09:58:19 UTC 2012


On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
> when using smbldap-useradd using this smb.conf entry
>     add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
> smbd obviously needs x permissions for smbldap-useradd.
> 
> The patch also adds a new profile for usr.sbin.smbldap-useradd (based on
> the audit.log from Alexis Pellicier).
> 
> Additionally, I moved the "/etc/samba/* rwk" rule next to the other 
> /etc-related rules in the smbd profile.
> 
> References: https://bugzilla.novell.com/show_bug.cgi?id=738041
> 
> I also nominate this patch for the 2.7 branch - even if it adds a new 
> profile, it's "just" a bugfix (and I doubt someone calls smbldap-useradd 
> manually).

Acked-By: Steve Beattie <sbeattie at ubuntu.com> for trunk and 2.7 with
the changes made in response to the feedback from Kees.

Thanks!

> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd	2011-12-29 16:34:01 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd	2012-01-02 21:56:10 +0000
> @@ -23,11 +23,12 @@
>    /etc/mtab r,
>    /etc/netgroup r,
>    /etc/printcap r,
> +  /etc/samba/* rwk,
>    /proc/*/mounts r,
>    /proc/sys/kernel/core_pattern r,
>    /usr/lib*/samba/vfs/*.so mr,
>    /usr/sbin/smbd mr,
> -  /etc/samba/* rwk,
> +  /usr/sbin/smbldap-useradd Px,
>    /var/cache/samba/** rwk,
>    /var/cache/samba/printing/printers.tdb mrw,
>    /var/lib/samba/** rwk,
> 
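Review bot: the `Px` transition on `+  /usr/sbin/smbldap-useradd Px,` makes smbd's exec of the helper fail whenever the usr.sbin.smbldap-useradd profile is not loaded, so the two files in this patch have to land together (on the 2.7 branch as well, as nominated); `Px` also scrubs the environment, which is the right choice for a helper launched by a network-facing daemon with the user name passed as an argument. Moving `/etc/samba/* rwk` next to the other /etc rules is a pure reorder with no permission change.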
> === added file 'profiles/apparmor.d/usr.sbin.smbldap-useradd'
> --- profiles/apparmor.d/usr.sbin.smbldap-useradd	1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.sbin.smbldap-useradd	2012-01-04 18:34:43 +0000
> @@ -0,0 +1,39 @@
> +# Last Modified: Tue Jan  3 00:17:40 2012
> +#include <tunables/global>
> +
> +/usr/sbin/smbldap-useradd {
> +  #include <abstractions/base>
> +  #include <abstractions/bash>
> +  #include <abstractions/nameservice>
> +  #include <abstractions/perl>
> +
> +  /dev/tty rw,
> +  /bin/bash ix,
> +  /etc/init.d/nscd Cx,
> +  /etc/shadow r,
> +  /etc/smbldap-tools/smbldap.conf r,
> +  /etc/smbldap-tools/smbldap_bind.conf r,
> +  /usr/sbin/smbldap-useradd r,
> +  /usr/sbin/smbldap_tools.pm r,
> +  /var/log/samba/log.smbd w,
> +
> +  # Site-specific additions and overrides. See local/README for details.
> +  #include <local/usr.sbin.smbldap-useradd>
> +
> +  profile /etc/init.d/nscd {
> +    #include <abstractions/base>
> +    #include <abstractions/nameservice>
> +
> +    capability sys_ptrace,
> +
> +    /bin/bash r,
> +    /bin/mountpoint rix,
> +    /bin/systemctl rix,
> +    /dev/tty rw,
> +    /etc/init.d/nscd r,
> +    /etc/rc.status r,
> +    /proc/filesystems r,
> +    /proc/meminfo r,
> +
> +  }
> +}
> 
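Review bot: `+  /etc/shadow r,` deserves a comment in the profile explaining why a helper spawned by smbd needs to read local password hashes; since the profile was generated from an audit log, it is worth confirming that the read is something smbldap-tools genuinely requires rather than carrying the rule forward as-is. In the `/etc/init.d/nscd` child profile, `capability sys_ptrace,` is similarly broad for an init script, and a short comment on which step of the script needs it would help whoever audits this profile next.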



-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/