Hello, this patch includes several updates for the winbindd profile that the openSUSE package collected over the last months.
- add abstractions/samba to usr.sbin.winbindd profile (and clean up things that are included in the abstraction - the cleanup part is not in the openSUSE package)
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131)
- updates for samba 4.x and kerberos (bnc#846586#c12 and #c15, bnc#845867, bnc#846054)
- drop always-outdated "Last Modified" comment

References: see the bnc# above (they are bug numbers at bugzilla.novell.com)

=== modified file 'profiles/apparmor.d/usr.sbin.winbindd' --- profiles/apparmor.d/usr.sbin.winbindd 2012-11-06 22:19:46 +++ profiles/apparmor.d/usr.sbin.winbindd 2014-01-19 15:56:00 
@@ -1,33 +1,32 @@ -# Last Modified: Mon Mar 26 20:28:18 2012 #include <tunables/global> /usr/sbin/winbindd { #include <abstractions/base> #include <abstractions/nameservice> - - /etc/samba/dhcp.conf r, + #include <abstractions/samba> + + deny capability block_suspend, + + capability ipc_lock, + capability setuid, + /etc/samba/passdb.tdb rwk, /etc/samba/secrets.tdb rwk, @{PROC}/sys/kernel/core_pattern r, /tmp/.winbindd/ w, + /tmp/krb5cc_* rwk, /usr/lib*/samba/idmap/*.so mr, /usr/lib*/samba/nss_info/*.so mr, + /usr/lib*/samba/pdb/*.so mr, /usr/sbin/winbindd mr, - /var/lib/samba/account_policy.tdb rwk, - /var/lib/samba/gencache.tdb rwk, - /var/lib/samba/gencache_notrans.tdb rwk, - /var/lib/samba/group_mapping.tdb rwk, - /var/lib/samba/messages.tdb rwk, - /var/lib/samba/netsamlogon_cache.tdb rwk, - /var/lib/samba/serverid.tdb rwk, - /var/lib/samba/winbindd_cache.tdb rwk, - /var/lib/samba/winbindd_privileged/pipe w, - /var/log/samba/cores/ rw, - /var/log/samba/cores/winbindd/ rw, - /var/log/samba/cores/winbindd/** rw, - /var/log/samba/log.wb-* w, + /var/cache/samba/*.tdb rwk, + /var/lib/samba/smb_krb5/krb5.conf.* rw, + /var/lib/samba/smb_tmp_krb5.* rw, + /var/lib/samba/winbindd_cache.tdb* rwk, /var/log/samba/log.winbindd rw, /{var/,}run/samba/winbindd.pid rwk, + /{var/,}run/samba/winbindd/ rw, + /{var/,}run/samba/winbindd/pipe w, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.winbindd>

Regards,

Christian Boltz
--
> on my rake Suse 8.2 KDE 3.1.1, [...]
Hey, you can even install SuSE on a rake now? Wow, I'll have to stop by the garden tomorrow... :-))
[> Bernhard Schimanski and Thomas Hertweck in suse-linux]
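Review bot: `deny capability block_suspend,` near the top of the hunk is not mentioned in the description, which lists only ipc_lock and setuid; add a short comment above the rule or a line in the changelog saying why it is denied. The removed `/var/lib/samba/*.tdb`, `/var/lib/samba/winbindd_privileged/pipe` and `/var/log/samba/cores/` rules now depend on `abstractions/samba`, and the message says this cleanup part is not in the openSUSE package, so it would help to confirm that each removed path is still matched by the abstraction. `/tmp/krb5cc_* rwk,` matches every credential cache under /tmp; a comment stating that this breadth is intended would make the rule easier to audit.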