[apparmor] [patch] Update Samba profiles for Samba 4.2

Christian Boltz apparmor at cboltz.de
Mon May 18 19:56:20 UTC 2015 

Hello,

Samba 4.2 needs some more permissions for nmbd and winbindd.

To avoid overcomplicated profiles, change abstractions/samba to allow
/var/lib/samba/** rwk, (instead of **.tdb rwk) - this change already
fixes the nmbd profile.

winbindd additionally needs some more write permissions in /etc/samba/
(and also in /var/lib/samba/, which is covered by the abstractions/samba
change)

References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 and
            https://bugzilla.opensuse.org/show_bug.cgi?id=923201


I propose this patch for trunk and 2.9. However, I'd like to keep the
/var/lib/samba/ lines in the winbindd profile in 2.9.x to avoid problems
if for some reason abstractions/samba isn't updated (*.rpmnew etc.)




[ profiles-samba-4.2.diff ]

=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba      2014-07-04 10:09:58 
+0000
+++ profiles/apparmor.d/abstractions/samba      2015-05-18 19:42:58 
+0000
@@ -13,7 +13,7 @@
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
-  /var/lib/samba/**.tdb rwk,
+  /var/lib/samba/** rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,

=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd       2014-04-21 20:10:51 
+0000
+++ profiles/apparmor.d/usr.sbin.winbindd       2015-05-18 19:45:45 
+0000
@@ -10,8 +10,12 @@
   capability ipc_lock,
   capability setuid,
 
+  /etc/samba/netlogon_creds_cli.tdb rwk,
   /etc/samba/passdb.tdb{,.tmp} rwk,
   /etc/samba/secrets.tdb rwk,
+  /etc/samba/smbd.tmp/ rw,
+  /etc/samba/smbd.tmp/msg/ rw,
+  /etc/samba/smbd.tmp/msg/* rw,
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
@@ -21,9 +25,6 @@
   /usr/sbin/winbindd mr,
   /var/cache/krb5rcache/* rw,
   /var/cache/samba/*.tdb rwk,
-  /var/lib/samba/smb_krb5/krb5.conf.* rw,
-  /var/lib/samba/smb_tmp_krb5.* rw,
-  /var/lib/samba/winbindd_cache.tdb* rwk,
   /var/log/samba/log.winbindd rw,
   /{var/,}run/samba/winbindd.pid rwk,
   /{var/,}run/samba/winbindd/ rw,



Regards,

Christian Boltz
-- 
Zu schön um nicht gesiggt zu werden ;-)   [Rainer Behrendt in dag°]

More information about the AppArmor mailing list