[apparmor] [patch] Update Samba profiles for Samba 4.2

Seth Arnold seth.arnold at canonical.com
Mon May 18 21:23:26 UTC 2015


On Mon, May 18, 2015 at 09:56:20PM +0200, Christian Boltz wrote:
> Hello,
> 
> Samba 4.2 needs some more permissions for nmbd and winbindd.
> 
> To avoid overcomplicated profiles, change abstractions/samba to allow
> /var/lib/samba/** rwk, (instead of **.tdb rwk) - this change already
> fixes the nmbd profile.
> 
> winbindd additionally needs some more write permissions in /etc/samba/
> (and also in /var/lib/samba/, which is covered by the abstractions/samba
> change)
> 
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 and
>             https://bugzilla.opensuse.org/show_bug.cgi?id=923201
> 
> 
> I propose this patch for trunk and 2.9. However, I'd like to keep the
> /var/lib/samba/ lines in the winbindd profile in 2.9.x to avoid problems
> if for some reason abstractions/samba isn't updated (*.rpmnew etc.)
> 
> 

Acked-by: Seth Arnold <seth.arnold at canonical.com>

acked on both ideas, I like keeping the extraneous lines in 2.9 but
removing them from trunk.

Thanks

> 
> 
> [ profiles-samba-4.2.diff ]
> 
> === modified file 'profiles/apparmor.d/abstractions/samba'
> --- profiles/apparmor.d/abstractions/samba      2014-07-04 10:09:58 
> +0000
> +++ profiles/apparmor.d/abstractions/samba      2015-05-18 19:42:58 
> +0000
> @@ -13,7 +13,7 @@
>    /usr/share/samba/*.dat r,
>    /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
>    /var/cache/samba/ w,
> -  /var/lib/samba/**.tdb rwk,
> +  /var/lib/samba/** rwk,
>    /var/log/samba/cores/ rw,
>    /var/log/samba/cores/** rw,
>    /var/log/samba/log.* w,
> 
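Review bot: The `+  /var/lib/samba/** rwk,` line sits in the shared abstraction, so the wider glob applies to every profile that includes abstractions/samba, not only the nmbd and winbindd profiles named in the description, and it now covers every file and subdirectory under /var/lib/samba/ rather than only *.tdb files. If the goal is to fix nmbd and winbindd, consider listing the additional paths Samba 4.2 needs, or giving the broad rule only to the profiles that need it, and add a comment above the rule recording why the whole tree is readable, writable and lockable.
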
> === modified file 'profiles/apparmor.d/usr.sbin.winbindd'
> --- profiles/apparmor.d/usr.sbin.winbindd       2014-04-21 20:10:51 
> +0000
> +++ profiles/apparmor.d/usr.sbin.winbindd       2015-05-18 19:45:45 
> +0000
> @@ -10,8 +10,12 @@
>    capability ipc_lock,
>    capability setuid,
>  
> +  /etc/samba/netlogon_creds_cli.tdb rwk,
>    /etc/samba/passdb.tdb{,.tmp} rwk,
>    /etc/samba/secrets.tdb rwk,
> +  /etc/samba/smbd.tmp/ rw,
> +  /etc/samba/smbd.tmp/msg/ rw,
> +  /etc/samba/smbd.tmp/msg/* rw,
>    @{PROC}/sys/kernel/core_pattern r,
>    /tmp/.winbindd/ w,
>    /tmp/krb5cc_* rwk,
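
Review bot: The three added `/etc/samba/smbd.tmp/` rules give winbindd write access to a directory tree under /etc/samba/ with no comment saying what creates or uses it; please add a short comment with the bug reference above `/etc/samba/smbd.tmp/ rw,`. Also, `/etc/samba/smbd.tmp/msg/* rw,` matches only direct children of msg/ and, unlike the neighbouring .tdb rules, carries no `k`; please confirm that neither deeper paths nor locking are needed there.
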
> @@ -21,9 +25,6 @@
>    /usr/sbin/winbindd mr,
>    /var/cache/krb5rcache/* rw,
>    /var/cache/samba/*.tdb rwk,
> -  /var/lib/samba/smb_krb5/krb5.conf.* rw,
> -  /var/lib/samba/smb_tmp_krb5.* rw,
> -  /var/lib/samba/winbindd_cache.tdb* rwk,
>    /var/log/samba/log.winbindd rw,
>    /{var/,}run/samba/winbindd.pid rwk,
>    /{var/,}run/samba/winbindd/ rw,
> 
> 
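
Review bot: Dropping the three `/var/lib/samba/...` rules leaves winbindd relying entirely on the new `/var/lib/samba/** rwk,` rule in abstractions/samba, and the include of that abstraction is not visible in this hunk's context; please confirm the profile pulls it in. Since the description asks to keep these lines on 2.9.x, this hunk should go to trunk only, and a separate 2.9 patch without it would avoid a mis-merge.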