[apparmor] [MERGE] profiles: permit clustered Samba access to CTDB socket and databases

David Disseldorp ddiss at suse.de
Tue Jul 8 14:57:22 UTC 2014


Thanks for the feedback Seth...

On Mon, 7 Jul 2014 11:16:32 -0700, Seth Arnold wrote:

> On Fri, Jul 04, 2014 at 12:24:12PM +0200, David Disseldorp wrote:
> > The attached profile update is required for Samba to operate as part of
> > a cluster alongside CTDB.
> 
> Thanks David, I've got a few questions, as this is the first I've heard of
> CTDB.
> 
> Does samba entirely "own" CTDB? Or are there other potential users for it
> on a cluster? Maybe these privileges are fine and reasonable if Samba owns
> the service entirely but they might be far too broad if CTDB is providing
> service for other tools.

As far as I'm aware, Samba is the only project that directly accesses
the database files under /var/lib/ctdb/. That said, ctdb-devel provides
a means for other application to do the same.

> Is there any need of /etc/ctdb/ and related files?

No, AFAICT they're only used by ctdb. smbd, nmbd and winbindd don't
require access.

Cheers, David



More information about the AppArmor mailing list