[apparmor] [patch] Samba profile updates for ActiveDirectory / Kerberos

Christian Boltz apparmor at cboltz.de
Tue Aug 22 11:09:47 UTC 2017 

Hello,

the Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.


I propose this patch for 2.9, 2.10, 2.11 and trunk.


[ samba.diff ]

=== modified file ./profiles/apparmor.d/abstractions/samba
--- profiles/apparmor.d/abstractions/samba      2017-07-16 21:43:30.714865518 +0200
+++ profiles/apparmor.d/abstractions/samba      2017-08-20 12:17:51.090469752 +0200
@@ -13,6 +13,7 @@
 
   /etc/samba/* r,
   /usr/lib*/ldb/*.so mr,
+  /usr/lib*/samba/ldb/*.so mr,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
=== modified file ./profiles/apparmor.d/usr.sbin.smbd
--- profiles/apparmor.d/usr.sbin.smbd   2016-05-08 14:04:55.559442000 +0200
+++ profiles/apparmor.d/usr.sbin.smbd   2017-08-20 12:19:07.582053817 +0200
@@ -41,6 +41,7 @@
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/samba/** rk,
=== modified file ./profiles/apparmor.d/usr.sbin.winbindd
--- profiles/apparmor.d/usr.sbin.winbindd       2016-08-03 13:55:52.679521428 +0200
+++ profiles/apparmor.d/usr.sbin.winbindd       2017-08-20 12:20:10.701713358 +0200
@@ -20,6 +20,7 @@
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
+  /usr/lib*/samba/gensec/krb*.so mr,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,



Regards,

Christian Boltz
-- 
My Trash Can is also a shortcut for Amarok... I guess the Amarok team
must have had some wild thoughts about the features of their program =)
[Benjamin Bach in opensuse]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170822/27daf6fe/attachment.pgp>

More information about the AppArmor mailing list