Hi, > > /usr/lib/x86_64-linux-gnu/samba/** rm, > > /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm, > > /var/lib/samba/private/dns.keytab r, > > /var/lib/samba/private/named.conf r, > > /var/lib/samba/private/dns/** rwk, > > /etc/smb.conf r, > > > ...but obviously I'd like someone who knows what they're doing to have a > > look > > first as it's possible those permissions are too loose (like I say, I'm > > still > > a-learnin'). If and when I get an opportunity to test this I'll report back > > as > > to whether it works. > > I'm not familiar with the BIND/Samba integration and I've never > touched the usr.sbin.named profile myself, and I'm not sure who's > upstream for it (surely the maintainers of BIND will know), so just my > 2 cts: > > - Regarding the 2 lines about /usr/lib/..., they are probably already > covered by these lines from /etc/apparmor.d/abstractions/base, > which usr.sbin.named includes: > > /{usr/,}lib/@{multiarch}/** r, > /{usr/,}lib/@{multiarch}/lib*.so* mr, > /{usr/,}lib/@{multiarch}/**/lib*.so* mr, > > It would be nice to actually test whether they're needed. > The above sample rules don't feel crazy so I say go ahead, > experiment with them and find out if which ones are needed > and if they're enough :)
They are indeed covered by the includes. > Thanks for the clarification. In my /etc/apparmor.d/usr.sbin.named however > the includes for abstractions/base and abstractions/nameservice are hashed > out - I certainly didn't comment these out myself. As the top of the file > currently reads: Ever saw a C program ;)? > - Regarding the 3 paths under /var/lib/samba/private: are they common > practice, well documented, or something you happened to come up > with locally? It's default in Debian. > If the former, and assuming they don't break a security boundary > that could be expected by users of BIND and Samba that do *not* > wish to integrate them with each other, then it would probably make > sense to add them to the profile. > As you say, for those not using bind with samba integration I'm not sure how > the config should be handled but I *think* the parts of > /var/lib/samba/private involved are all named-specific so having them > enabled on a permanent basis shouldn't represent a security risk (but again > I'm not an expert). I tend to confirm this view. -nik
signature.asc
Description: PGP signature