Hello,

nmbd needs some additional permissions:
- k for /var/cache/samba/lck/* (via abstractions/samba)
- rw for /var/cache/samba/msg/ (the log only mentioned r, but that directory needs to be created first)
- w for /var/cache/samba/msg/* (the log didn't indicate any read access)

Reported by FLD on IRC, audit log on https://paste.debian.net/902010/ I propose this patch for trunk, 2.10 and 2.9 [ nmbd.diff ] === modified file ./profiles/apparmor.d/abstractions/samba --- profiles/apparmor.d/abstractions/samba 2016-11-18 21:29:24.889846000 +0100 +++ profiles/apparmor.d/abstractions/samba 2016-12-13 16:43:22.073679262 +0100 @@ -16,7 +16,7 @@ /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, /var/cache/samba/ w, - /var/cache/samba/lck/* rw, + /var/cache/samba/lck/* rwk, /var/lib/samba/** rwk, /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, === modified file ./profiles/apparmor.d/usr.sbin.nmbd --- profiles/apparmor.d/usr.sbin.nmbd 2014-09-10 22:00:36.616976000 +0200 +++ profiles/apparmor.d/usr.sbin.nmbd 2016-12-13 16:44:31.269362676 +0100 @@ -20,6 +20,8 @@ /var/{cache,lib}/samba/smb_tmp_krb5.* rw, /var/{cache,lib}/samba/sync.* rw, /var/{cache,lib}/samba/unexpected rw, + /var/cache/samba/msg/ rw, + /var/cache/samba/msg/* w, /{,var/}run/samba/** rwk, Regards, Christian Boltz -- > Please see the duplicated mail as kmail's vote to make > thunderbird default ;-( And some people say that Kmail is good for nothing. :-)) [> Stephan Kulow and Ken Schneider in opensuse-factory]
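
Review bot: In the abstractions/samba hunk, the new `k` on `/var/cache/samba/lck/* rwk,` lands in the shared abstraction, so every profile that includes abstractions/samba gains the lock permission, while the message only reports the denial for nmbd. That is consistent with the existing `/var/lib/samba/** rwk,` line in the same file, but the commit message should say the wider grant is intended; otherwise the rule could go into usr.sbin.nmbd alone.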
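
Review bot: In the usr.sbin.nmbd hunk, the two added rules hard-code `/var/cache/samba/msg/` while the unchanged rules directly above them use the `/var/{cache,lib}/samba/` alternation. If the msg directory follows the same cache-or-lib layout as `sync.*` and `unexpected`, writing them as `/var/{cache,lib}/samba/msg/ rw,` and `/var/{cache,lib}/samba/msg/* w,` would keep the profile consistent and avoid a second report from a differently configured build. The write-only `w` on `msg/*` is the tightest grant the audit log supports; since the sibling `lck/*` rule needed `k` added in this same patch, it is worth confirming from the log that nmbd takes no locks on the files under `msg/`.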
