[apparmor] Let's enable AppArmor by default (why not?)
Mathieu Parent
math.parent at gmail.com
Mon Mar 19 20:49:15 UTC 2018
Hi,
Samba maintainer here ...
2018-03-19 15:10 GMT+01:00 Marvin Renich <mrvn at renich.org>:
[...]
> As a side note, my laptop runs testing, and I allowed apparmor to be
> enabled when that change hit testing. The only issue I have noticed so
> far is that smbd would not have access to some (intentionally public,
> not in /home) shares if it were in enforce mode, rather than complain
> mode. If I were not aware of apparmor, and if smbd were in enforce
> mode, I would have had a difficult time tracking this down.
>
> Is there a way that an app (e.g. smbd) whose file access requirements
> change dynamically through admin and user configuration can at least
> inspect its own apparmor profile and give the user a clue that the admin
> must update the profile? For Samba, perhaps at least a comment in
> /etc/samba/smb.conf at "Share Definitions" giving a reminder that if any
> LSM is enabled, the LSM config may need to be updated to reflect changes
> to shares.
I'm balanced about this as AppArmor logs denied access.
Merge request [1] welcome, either for debian/smb.conf or debian/README.Debian.
[1] https://salsa.debian.org/samba-team/samba/merge_requests
Regards
--
Mathieu Parent
More information about the AppArmor
mailing list