Hello, the Samba package used by the INVIS server (based on openSUSE) needs some additional Samba permissions for the added ActiveDirectory / Kerberos support.
I propose this patch for 2.9, 2.10, 2.11 and trunk. [ samba.diff ] === modified file ./profiles/apparmor.d/abstractions/samba --- profiles/apparmor.d/abstractions/samba 2017-07-16 21:43:30.714865518 +0200 +++ profiles/apparmor.d/abstractions/samba 2017-08-20 12:17:51.090469752 +0200 @@ -13,6 +13,7 @@ /etc/samba/* r, /usr/lib*/ldb/*.so mr, + /usr/lib*/samba/ldb/*.so mr, /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, /var/cache/samba/ w, === modified file ./profiles/apparmor.d/usr.sbin.smbd --- profiles/apparmor.d/usr.sbin.smbd 2016-05-08 14:04:55.559442000 +0200 +++ profiles/apparmor.d/usr.sbin.smbd 2017-08-20 12:19:07.582053817 +0200 @@ -41,6 +41,7 @@ /var/cache/samba/** rwk, /var/{cache,lib}/samba/printing/printers.tdb mrw, /var/lib/samba/** rwk, + /var/lib/sss/mc/initgroups r, /var/lib/sss/pubconf/kdcinfo.* r, /{,var/}run/dbus/system_bus_socket rw, /{,var/}run/samba/** rk, === modified file ./profiles/apparmor.d/usr.sbin.winbindd --- profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 13:55:52.679521428 +0200 +++ profiles/apparmor.d/usr.sbin.winbindd 2017-08-20 12:20:10.701713358 +0200 @@ -20,6 +20,7 @@ @{PROC}/sys/kernel/core_pattern r, /tmp/.winbindd/ w, /tmp/krb5cc_* rwk, + /usr/lib*/samba/gensec/krb*.so mr, /usr/lib*/samba/idmap/*.so mr, /usr/lib*/samba/nss_info/*.so mr, /usr/lib*/samba/pdb/*.so mr, Regards, Christian Boltz -- My Trash Can is also a shortcut for Amarok... I guess the Amarok team must have had some wild thoughts about the features of their program =) [Benjamin Bach in opensuse]
signature.asc
Description: This is a digitally signed message part.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor