[apparmor] [MERGE] profiles: permit clustered Samba access to CTDB socket and databases

Seth Arnold seth.arnold at canonical.com
Mon Jul 7 18:16:32 UTC 2014

On Fri, Jul 04, 2014 at 12:24:12PM +0200, David Disseldorp wrote:
> The attached profile update is required for Samba to operate as part of
> a cluster alongside CTDB.

Thanks David, I've got a few questions, as this is the first I've heard of

Does Samba entirely "own" CTDB? Or are there other potential users for it
on a cluster? Maybe these privileges are fine and reasonable if Samba owns
the service entirely but they might be far too broad if CTDB is providing
service for other tools.

Is there any need of /etc/ctdb/ and related files?

> === modified file 'profiles/apparmor.d/abstractions/samba'
> --- profiles/apparmor.d/abstractions/samba	2013-12-23 21:15:47 +0000
> +++ profiles/apparmor.d/abstractions/samba	2014-07-04 10:09:58 +0000
> @@ -20,3 +20,5 @@
>    /{,var/}run/samba/ w,
>    /{,var/}run/samba/*.tdb rw,
> +  # required for clustering
> +  /var/lib/ctdb/** rwk,
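Review bot: The added rule `/var/lib/ctdb/** rwk,` is much broader than the neighbouring `/{,var/}run/samba/*.tdb rw,` rule: because it sits in abstractions/samba, every profile that includes this abstraction gets read, write and lock access to the whole /var/lib/ctdb/ tree. Consider narrowing the glob to the specific files Samba needs (for example a `*.tdb` pattern like the line above, if that covers the clustered databases) and expanding the `# required for clustering` comment to say which files are accessed and why.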
