Hello,

the Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.


I propose this patch for 2.9, 2.10, 2.11 and trunk.


[ samba.diff ]

=== modified file ./profiles/apparmor.d/abstractions/samba
--- profiles/apparmor.d/abstractions/samba      2017-07-16 21:43:30.714865518 
+0200
+++ profiles/apparmor.d/abstractions/samba      2017-08-20 12:17:51.090469752 
+0200
@@ -13,6 +13,7 @@
 
   /etc/samba/* r,
   /usr/lib*/ldb/*.so mr,
+  /usr/lib*/samba/ldb/*.so mr,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
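Review bot: The added `/usr/lib*/samba/ldb/*.so mr,` line duplicates the `/usr/lib*/ldb/*.so mr,` rule directly above it except for the extra `samba/` directory. The two could be one rule, `/usr/lib*/{,samba/}ldb/*.so mr,`, using the same alternation style the smbd profile already uses for `/{,var/}run/`. Because this file is an abstraction, the new `mr` permission reaches every profile that includes it, not only the daemons named in this patch. The mail should say which binary was denied, so it is clear that the abstraction rather than a single profile is the right place for the rule.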
=== modified file ./profiles/apparmor.d/usr.sbin.smbd
--- profiles/apparmor.d/usr.sbin.smbd   2016-05-08 14:04:55.559442000 +0200
+++ profiles/apparmor.d/usr.sbin.smbd   2017-08-20 12:19:07.582053817 +0200
@@ -41,6 +41,7 @@
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/samba/** rk,
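Review bot: The new `/var/lib/sss/mc/initgroups r,` rule is added to usr.sbin.smbd only, and the mail does not show the denial that motivated it. If the read comes from a generic user or group lookup rather than from smbd-specific code, winbindd (also touched by this patch) and other confined daemons would hit the same denial, and a shared abstraction would be a better home than this one profile. Read-only access to a single file is suitably narrow. Please quote the audit log line in the commit message so the scope can be checked.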
=== modified file ./profiles/apparmor.d/usr.sbin.winbindd
--- profiles/apparmor.d/usr.sbin.winbindd       2016-08-03 13:55:52.679521428 
+0200
+++ profiles/apparmor.d/usr.sbin.winbindd       2017-08-20 12:20:10.701713358 
+0200
@@ -20,6 +20,7 @@
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
+  /usr/lib*/samba/gensec/krb*.so mr,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
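Review bot: The added `/usr/lib*/samba/gensec/krb*.so mr,` rule uses a narrower glob than the neighbouring module rules, which allow `*.so` for the whole idmap, nss_info and pdb directories. Keeping the glob tight is fine from a least-privilege view, but the commit message should say which gensec module was denied and that no other module in that directory is loaded by winbindd. Otherwise the next module to be loaded produces a fresh denial and another patch. The mail also does not say whether smbd loads gensec modules in the same AD / Kerberos setup; the smbd hunk adds no matching rule.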



Regards,

Christian Boltz
-- 
My Trash Can is also a shortcut for Amarok... I guess the Amarok team
must have had some wild thoughts about the features of their program =)
[Benjamin Bach in opensuse]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
