[apparmor] Fwd: Re: [Evergreen] samba security update - badlock and friends

Christian Boltz apparmor at cboltz.de
Thu Apr 14 12:11:28 UTC 2016


I have a *very good* reason to get 2.9.3 released NOW...

TL;DR: openSUSE 13.2 needs an update because of the Samba security 
update, and it would be a shame to do an update with "just" the samba 
profile now, and push another update with 2.9.3 next week ;-)

Note: most of the forwarded mail is about openSUSE 13.1 (which includes 
2.8.4), the relevant part for 13.2 is in the last paragraph.

----------  Forwarded message  ----------

Subject: Re: [Evergreen] samba security update - badlock and friends
Date: Thursday, 14 April 2016, 08:48:13 CEST
From: Michal Kubecek <mike AT mk-sys.cz>
To: evergreen at ds9.rosenauer.org

On Thu, Apr 14, 2016 at 07:25:51AM +0200, Michal Kubecek wrote:
> On Thu, Apr 14, 2016 at 12:31:48AM +0200, Christian Boltz wrote:
> > On Wednesday, 13 April 2016, 22:04:37 CEST, Michal Kubecek wrote:
> > > 
> > > I did some (very) basic testing and found only one issue: to start
> > > nmbd from 4.2.4 package on a 13.1 system with AppArmor, these need
> > > to be added to its profile:
> > > 
> > >   /var/{cache,lib}/samba/lck/ w,
> > >   /var/{cache,lib}/samba/lck/* wk,
> > >   /var/{cache,lib}/samba/msg/ w,
> > >   /var/{cache,lib}/samba/msg/* w,
> > 
> > Are those files and directories in /var/cache/samba/ or 
> > /var/lib/samba/ ?
> > I'm asking because /var/lib/samba/** is covered by newer upstream 
> > profiles (via abstractions/samba), while /var/cache/samba/ isn't.
> Only /var/lib/samba paths were needed, I just adjusted the rules to
> match the others.
> I will check if the same problem exists in SLE12 GA and openSUSE 13.2
> which also upgraded from 4.1.x to 4.2.4 (and to exactly the same
> package). If it does, I'll file a bug.

SLE12 GA has apparmor-profiles 2.8.2 but it already has

  /var/lib/samba/** rwk,

in abstractions/samba so it's OK. On the other hand, 13.2 has newer
apparmor-profiles 2.9.1 but still without the general rule and as I
checked now, it suffers from the same problem as 13.1. The update hasn't
been released yet so I added a comment to the openSUSE:Maintenance:4961
release request #389541 (https://build.opensuse.org/request/show/

                                                          Michal Kubecek



Christian Boltz
By the way: if you want to find out how empty you are: just take a few
bottles of whiskey or the like and keep pouring them into your mouth until
you are "full". You can then report the result to me. :-))
[Konrad Neitzel in suse-linux]
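
Added example, not part of the original thread and not AppArmor's own code: a simplified Python model of AppArmor path globs (`*`, `**`, `{a,b}`) that checks whether the rules quoted in the thread cover the accesses nmbd needs. The helper names and the accessed file names are constructed for illustration.

```python
import re

def glob_to_regex(glob):
    """Simplified model of AppArmor globs: * stays in one component, ** crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob.startswith("**", i)
            nxt = i + (2 if double else 1)
            # Assumption: a glob forming a whole component needs >= 1 character.
            whole = i > 0 and glob[i - 1] == "/" and (nxt == len(glob) or glob[nxt] == "/")
            out.append(("[^/]" if whole else "") + ("[^\\x00]*" if double else "[^/]*"))
            i = nxt
            continue
        out.append({"?": "[^/]", "{": "(?:", "}": ")", ",": "|"}.get(c, re.escape(c)))
        i += 1
    return re.compile("".join(out))

def parse_rules(text):
    """Parse 'PATH PERMS,' lines into (regex, permission set) pairs."""
    rules = []
    for line in filter(None, (l.strip().rstrip(",") for l in text.splitlines())):
        path, perms = line.rsplit(None, 1)
        rules.append((glob_to_regex(path), set(perms)))
    return rules

def granted(rules, path):
    """Union of the permissions of every rule that matches path."""
    return set().union(*(perms for regex, perms in rules if regex.fullmatch(path)))

def missing(rules, needs):
    """Accesses in needs that the rule set does not allow."""
    return [(p, want) for p, want in needs if not set(want) <= granted(rules, p)]

# Rules as quoted in the thread.
PROPOSED = """
  /var/{cache,lib}/samba/lck/ w,
  /var/{cache,lib}/samba/lck/* wk,
  /var/{cache,lib}/samba/msg/ w,
  /var/{cache,lib}/samba/msg/* w,
"""
ABSTRACTION = "/var/lib/samba/** rwk,"
# Constructed accesses; the file names are made up for this example.
NEEDS = [("/var/lib/samba/lck/", "w"), ("/var/lib/samba/lck/example.tdb", "wk"),
         ("/var/lib/samba/msg/", "w"), ("/var/lib/samba/msg/1234", "w")]

if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED), ("abstraction", ABSTRACTION)):
        print(name, missing(parse_rules(text), NEEDS), granted(parse_rules(text), "/var/cache/samba/lck/x"))
```

Both rule sets cover the constructed accesses; they differ in that the four proposed rules also grant write and lock access under /var/cache/samba, while the abstraction rule grants read, write and lock on everything below /var/lib/samba.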