[apparmor] [patch] update winbindd profile

Christian Boltz apparmor at cboltz.de
Sun Jan 19 16:03:57 UTC 2014 

Hello,

this patch includes several updates for the winbindd profile that the 
openSUSE package collected over the last months.

- add abstractions/samba to usr.sbin.winbindd profile
  (and cleanup things that are included in the abstraction - the cleanup 
  part is not in the openSUSE package)
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile 
  (bnc#851131)
- updates for samba 4.x and kerberos (bnc#846586#c12 and #c15, 
  bnc#845867, bnc#846054)
- drop always-outdated "Last Modified" comment

References: see the bnc# above (they are bug numbers at 
bugzilla.novell.com)



=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd       2012-11-06 22:19:46
+++ profiles/apparmor.d/usr.sbin.winbindd       2014-01-19 15:56:00
@@ -1,33 +1,32 @@
-# Last Modified: Mon Mar 26 20:28:18 2012
 #include <tunables/global>
 
 /usr/sbin/winbindd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-
-  /etc/samba/dhcp.conf r,
+  #include <abstractions/samba>
+
+  deny capability block_suspend,
+
+  capability ipc_lock,
+  capability setuid,
+
   /etc/samba/passdb.tdb rwk,
   /etc/samba/secrets.tdb rwk,
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
+  /tmp/krb5cc_* rwk,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
+  /usr/lib*/samba/pdb/*.so mr,
   /usr/sbin/winbindd mr,
-  /var/lib/samba/account_policy.tdb rwk,
-  /var/lib/samba/gencache.tdb rwk,
-  /var/lib/samba/gencache_notrans.tdb rwk,
-  /var/lib/samba/group_mapping.tdb rwk,
-  /var/lib/samba/messages.tdb rwk,
-  /var/lib/samba/netsamlogon_cache.tdb rwk,
-  /var/lib/samba/serverid.tdb rwk,
-  /var/lib/samba/winbindd_cache.tdb rwk,
-  /var/lib/samba/winbindd_privileged/pipe w,
-  /var/log/samba/cores/ rw,
-  /var/log/samba/cores/winbindd/ rw,
-  /var/log/samba/cores/winbindd/** rw,
-  /var/log/samba/log.wb-* w,
+  /var/cache/samba/*.tdb rwk,
+  /var/lib/samba/smb_krb5/krb5.conf.* rw,
+  /var/lib/samba/smb_tmp_krb5.* rw,
+  /var/lib/samba/winbindd_cache.tdb* rwk,
   /var/log/samba/log.winbindd rw,
   /{var/,}run/samba/winbindd.pid rwk,
+  /{var/,}run/samba/winbindd/ rw,
+  /{var/,}run/samba/winbindd/pipe w,
 
   # Site-specific additions and overrides. See local/README for 
details.
   #include <local/usr.sbin.winbindd>





Regards,

Christian Boltz
-- 
> auf meinem Rechen Suse 8.2 KDE 3.1.1, [...]
Hey, man kann SuSE inzwischen sogar auf einem Rechen installieren?
Wow, da muss ich morgen mal im Garten vorbei schauen... :-))
[> Bernhard Schimanski und Thomas Hertweck in suse-linux]

More information about the AppArmor mailing list