[apparmor] [patch] updated usr.sbin.smbd profile
Christian Boltz
apparmor at cboltz.de
Tue Oct 15 20:16:43 UTC 2013
Hello,
On Tuesday, 15 October 2013, Christian Boltz wrote:
> some samba *.dat files were moved, and a new library needs to be
> loaded by smbd.
It turns out more changes are needed for samba, also in the nmbd and
winbindd profile. The reason is probably a major version update -
openSUSE 13.1 ships samba 4.1, while 12.3 came with samba 3.6.
Also fix /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
which should be "lowcase" instead of "lowercase".
Google didn't find any samba-related "lowercase.dat" and my ARCHIVES.gz
archive shows that openSUSE 11.4 already used "lowcase.dat", so removing
"lowercase" shouldn't cause any problems.
Nevertheless, I'll not remove "lowercase" in the 2.8 branch to be on the
safe side.
References: https://bugzilla.novell.com/show_bug.cgi?id=845867
References: https://bugzilla.novell.com/show_bug.cgi?id=846054
I propose this patch for trunk and the 2.8 branch, with the little
difference for "lowercase" mentioned above.
I also noticed that the winbindd profile does not use abstractions/samba
(which would simplify the profile a lot), but that's something for another
patch ;-)
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2011-08-26 23:52:27 +0000
+++ profiles/apparmor.d/abstractions/samba 2013-10-15 19:54:07 +0000
@@ -11,6 +11,7 @@
/etc/samba/* r,
/usr/share/samba/*.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/lib/samba/**.tdb rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
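Review bot: The added codepages rule sits directly below "/usr/share/samba/*.dat r," and the pair looks redundant at first glance, so a one-line comment is worth adding here. "*" does not cross a "/", which is why the subdirectory needs its own rule; saying so would keep a later cleanup from folding both lines into "/usr/share/samba/**.dat r,", which would grant read access to every .dat file below that tree in every profile that includes this abstraction.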
=== modified file 'profiles/apparmor.d/usr.sbin.nmbd'
--- profiles/apparmor.d/usr.sbin.nmbd 2013-01-02 23:31:01 +0000
+++ profiles/apparmor.d/usr.sbin.nmbd 2013-10-15 19:54:34 +0000
@@ -12,6 +12,7 @@
/usr/sbin/nmbd mr,
/var/{cache,lib}/samba/browse.dat* rw,
+ /var/{cache,lib}/samba/gencache.dat rw,
/var/{cache,lib}/samba/wins.dat* rw,
/var/{cache,lib}/samba/smb_krb5/ rw,
/var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
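Review bot: The file name and permissions of the added "gencache.dat rw" rule should be checked against the logged denial. The neighbouring browse.dat* and wins.dat* rules carry a trailing "*", and the winbindd profile in this same patch refers to the gencache file as "gencache.tdb" with "rwk". If nmbd really opens gencache.dat, say so in the commit message; if the denial was for the .tdb file, the rule needs that name and probably the "k" lock permission.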
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2013-10-09 20:42:41 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2013-10-15 19:54:27 +0000
@@ -29,7 +29,8 @@
/usr/lib*/samba/vfs/*.so mr,
/usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/auth/script.so mr,
- /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
/usr/sbin/smbd mr,
/usr/sbin/smbldap-useradd Px,
/var/cache/samba/** rwk,
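Review bot: The corrected "/usr/lib*/samba/{lowcase,upcase,valid}.dat r," line may no longer match anything, since the same patch adds these three files under /usr/share/samba/codepages/ in abstractions/samba. If the /usr/lib*/samba location is kept only for older samba versions, a comment saying so would help; if not, the rule can be dropped instead of corrected. For the 2.8 variant, "{lowcase,lowercase,upcase,valid}" would keep the old name without a second rule.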
@@ -38,6 +39,7 @@
/{,var/}run/cups/cups.sock rw,
/{,var/}run/dbus/system_bus_socket rw,
/{,var/}run/samba/** rk,
+ /{,var/}run/samba/ncalrpc/ rw,
/{,var/}run/samba/smbd.pid rw,
/var/spool/samba/** rw,
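Review bot: The added "/{,var/}run/samba/ncalrpc/ rw," rule ends in a slash, so it only covers the directory itself. Anything smbd creates inside it is still governed by "/{,var/}run/samba/** rk,", which has no write permission. If smbd creates sockets or files below ncalrpc/, this will produce further denials; please check the log and consider adding "/{,var/}run/samba/ncalrpc/** rw," in the same patch.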
=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd 2012-11-06 22:19:46 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd 2013-10-15 19:56:45 +0000
@@ -1,4 +1,3 @@
-# Last Modified: Mon Mar 26 20:28:18 2012
#include <tunables/global>
/usr/sbin/winbindd {
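Review bot: Dropping the "# Last Modified" line is unrelated to the samba 4.1 path changes and is not mentioned in the description. A short note in the commit message, or a separate cleanup commit, would make it clear the removal is intentional.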
@@ -13,6 +12,8 @@
/usr/lib*/samba/idmap/*.so mr,
/usr/lib*/samba/nss_info/*.so mr,
/usr/sbin/winbindd mr,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+ /var/cache/samba/netsamlogon_cache.tdb rw,
/var/lib/samba/account_policy.tdb rwk,
/var/lib/samba/gencache.tdb rwk,
/var/lib/samba/gencache_notrans.tdb rwk,
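Review bot: The new "/var/cache/samba/netsamlogon_cache.tdb rw," rule lacks the "k" permission that every other .tdb rule in this profile has, including the same file name under /var/lib/samba. If winbindd locks this tdb like the others, the rule should be "rwk" to avoid a follow-up denial. The codepages line added above it is a copy of the one added to abstractions/samba and can go once the profile includes that abstraction.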
@@ -20,7 +21,7 @@
/var/lib/samba/messages.tdb rwk,
/var/lib/samba/netsamlogon_cache.tdb rwk,
/var/lib/samba/serverid.tdb rwk,
- /var/lib/samba/winbindd_cache.tdb rwk,
+ /var/lib/samba/winbindd_cache.tdb* rwk,
/var/lib/samba/winbindd_privileged/pipe w,
/var/log/samba/cores/ rw,
/var/log/samba/cores/winbindd/ rw,
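Review bot: The trailing "*" on "winbindd_cache.tdb*" grants rwk on any file name that starts with that prefix, and the description does not say which extra name triggered the change. Please name the file seen in the denial in the commit message, and narrow the glob to that suffix if there is only one.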
@@ -28,6 +29,7 @@
/var/log/samba/log.wb-* w,
/var/log/samba/log.winbindd rw,
/{var/,}run/samba/winbindd.pid rwk,
+ /{var/,}run/samba/winbindd/ rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.winbindd>
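Review bot: The added "/{var/,}run/samba/winbindd/ rw," rule covers only the directory itself, and the visible rules for /{var/,}run/samba/ in this profile cover just winbindd.pid. If winbindd creates a pipe or other files inside the new directory, they need their own rule, for example "/{var/,}run/samba/winbindd/** rw," or a rule for the specific file name from the log.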
Regards,
Christian Boltz
--
When you consider that 150 years ago people still wrote their
e-mails by candlelight...
[Marianne Kestler, de.admin.net-abuse.mail, 6.5.2000]