Hello,

this is an updated version (actually v4) of my patches for smbd and nmbd 
which I sent some weeks ago ("[patch] updated usr.sbin.smbd profile"), 
and is already included in the packages for the just released 
openSUSE 13.1.

The patch includes changes needed for Samba 4.x, which also includes 
some small abstraction updates.

References: https://bugzilla.novell.com/show_bug.cgi?id=845867
References: https://bugzilla.novell.com/show_bug.cgi?id=846054

I propose the patch for 2.8 and trunk (the patch is for 2.8, but it 
should apply to trunk without problems).

Note: I'm intentionally not including the winbindd profile in this mail.
I received another bug report for it today, so I'll wait some days and 
will then hopefully be able to send a more complete patch ;-)


=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba      2011-08-26 23:52:27 +0000
+++ profiles/apparmor.d/abstractions/samba      2013-10-15 20:36:33 +0000
@@ -11,6 +11,7 @@
 
   /etc/samba/* r,
   /usr/share/samba/*.dat r,
+  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/lib/samba/**.tdb rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
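
Review bot: The added /usr/share/samba/codepages/ rule has no comment saying why it is needed next to the existing /usr/share/samba/*.dat r, rule directly above it. If codepages/ is the Samba 4.x location of these files, say so in a one-line comment, so a later reader can tell which of the two rules serves which Samba version. The new rule also lists three file names where the older one uses *.dat; either style works, but the difference looks accidental without a note.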

=== modified file 'profiles/apparmor.d/abstractions/kerberosclient'
--- profiles/apparmor.d/abstractions/kerberosclient.orig        2011-03-23 
20:24:11.000000000 +0100
+++ profiles/apparmor.d/abstractions/kerberosclient     2013-11-02 
15:04:27.267448981 +0100
@@ -20,7 +20,7 @@
   /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
   /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
 
-  /etc/krb5.keytab            r,
+  /etc/krb5.keytab            rk,
   /etc/krb5.conf              r,
 
   # config files found via strings on libs
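
Review bot: Changing /etc/krb5.keytab from r to rk here grants the lock permission to every profile that includes abstractions/kerberosclient, not only smbd and nmbd. The mail does not say which daemon takes the lock. If only the Samba daemons need it, consider adding /etc/krb5.keytab rk, to their profiles or to abstractions/samba and leaving this abstraction at r; otherwise add a comment naming the consumer that requires k.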

=== modified file 'profiles/apparmor.d/usr.sbin.nmbd'
--- profiles/apparmor.d/usr.sbin.nmbd   2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.nmbd   2013-10-20 11:54:48 +0000
@@ -11,7 +11,9 @@
 
   /usr/sbin/nmbd mr,
 
+  /var/cache/samba/gencache.tdb rwk,
   /var/{cache,lib}/samba/browse.dat* rw,
+  /var/{cache,lib}/samba/gencache.dat rw,
   /var/{cache,lib}/samba/wins.dat* rw,
   /var/{cache,lib}/samba/smb_krb5/ rw,
   /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
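
Review bot: The added gencache.tdb rule covers only /var/cache/samba/, while the gencache.dat rule added two lines below it and the neighbouring browse.dat and wins.dat rules all use /var/{cache,lib}/samba/. If the difference is intentional (for example because this profile includes abstractions/samba, whose /var/lib/samba/**.tdb rwk rule would already cover the lib location), a short comment would make that clear; otherwise use the same {cache,lib} alternation for both new rules.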

=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd   2012-01-10 18:06:24 +0000
+++ profiles/apparmor.d/usr.sbin.smbd   2013-10-15 20:36:33 +0000
@@ -29,16 +29,21 @@
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
   /usr/lib*/samba/auth/script.so mr,
-  /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
+  /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/{lowercase,lowcase,upcase,valid}.dat r,   # [1]
   /usr/sbin/smbd mr,
   /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/cache/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,
   /var/lib/samba/printers/** rw,
+  /var/lib/sss/mc/passwd r,
+  /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/cups/cups.sock rw,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/samba/** rk,
+  /{,var/}run/samba/ncalrpc/ rw,
+  /{,var/}run/samba/ncalrpc/** rw,
   /{,var/}run/samba/smbd.pid rw,
   /var/log/samba/cores/smbd/ rw,
   /var/log/samba/cores/smbd/** rw,
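
Review bot: The trailing "# [1]" on the added {lowercase,lowcase,upcase,valid}.dat line is a footnote marker for this mail and would land in the shipped profile if the patch is committed as posted; drop it, or replace it with a comment explaining that lowercase is kept in 2.8 only for safety. Separately, the two /var/lib/sss/ rules carry no comment; a one-line note on why smbd reads them would help decide whether they belong in this profile or in a shared abstraction.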


[1] for trunk, this line will be
    +  /usr/lib*/samba/{lowcase,upcase,valid}.dat r,   # [1]
because (quoting myself from Oct 15th):
    Also fix /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
    which should be "lowcase" instead of "lowercase".
    Google didn't find any samba-related "lowercase.dat" and my ARCHIVES.gz 
    archive shows that openSUSE 11.4 already used "lowcase.dat", so removing
    "lowercase" shouldn't cause any problems. 
    Nevertheless, I'll not remove "lowercase" in the 2.8 branch to be on the 
    safe side.


Regards,

Christian Boltz
-- 
> > .domain.intern smpt:[mx.domain.intern]
> You surely mean smtp and not smpt. :-)
You don't know the "Senseless Mailinglist Protocol Typo"? ;-)
[> Michael Neufing and (>>) Gregor Hermens in postfixbuch-users]

