[apparmor] [patch] updated usr.sbin.smbd profile
Christian Boltz
apparmor at cboltz.de
Wed Oct 16 17:18:35 UTC 2013
Hello,
looks like the patch needs one additional line (inserted below), see
https://bugzilla.novell.com/show_bug.cgi?id=845867#c4
On Tuesday, 15 October 2013, Christian Boltz wrote:
> On Tuesday, 15 October 2013, Christian Boltz wrote:
> > some samba *.dat files were moved, and a new library needs to be
> > loaded by smbd.
>
> It turns out more changes are needed for samba, also in the nmbd and
> winbindd profile. The reason is probably a major version update -
> openSUSE 13.1 ships samba 4.1, while 12.3 came with samba 3.6.
>
> Also fix /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
> which should be "lowcase" instead of "lowercase".
> Google didn't find any samba-related "lowercase.dat" and my
> ARCHIVES.gz archive shows that openSUSE 11.4 already used
> "lowcase.dat", so removing "lowercase" shouldn't cause any problems.
> Nevertheless, I'll not remove "lowercase" in the 2.8 branch to be on
> the safe side.
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=845867
> References: https://bugzilla.novell.com/show_bug.cgi?id=846054
>
> I propose this patch for trunk and the 2.8 branch, with the little
> difference for "lowercase" mentioned above.
>
> I also noticed that the winbindd profile does not use
> abstractions/samba (which would simplify the profile a lot), but
> that's something for another patch ;-)
>
>
> === modified file 'profiles/apparmor.d/abstractions/samba'
> --- profiles/apparmor.d/abstractions/samba 2011-08-26 23:52:27
> +0000 +++ profiles/apparmor.d/abstractions/samba 2013-10-15
> 19:54:07 +0000 @@ -11,6 +11,7 @@
>
> /etc/samba/* r,
> /usr/share/samba/*.dat r,
> + /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
> /var/lib/samba/**.tdb rwk,
> /var/log/samba/cores/ rw,
> /var/log/samba/cores/** rw,
>
> === modified file 'profiles/apparmor.d/usr.sbin.nmbd'
> --- profiles/apparmor.d/usr.sbin.nmbd 2013-01-02 23:31:01 +0000
> +++ profiles/apparmor.d/usr.sbin.nmbd 2013-10-15 19:54:34 +0000
> @@ -12,6 +12,7 @@
> /usr/sbin/nmbd mr,
>
> /var/{cache,lib}/samba/browse.dat* rw,
> + /var/{cache,lib}/samba/gencache.dat rw,
> /var/{cache,lib}/samba/wins.dat* rw,
> /var/{cache,lib}/samba/smb_krb5/ rw,
> /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
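Review bot: The added `/var/{cache,lib}/samba/gencache.dat rw,` rule names an exact `.dat` file, while the neighbouring `browse.dat*` and `wins.dat*` rules use a trailing glob and the winbindd profile in this same patch lists `gencache.tdb` with `rwk`. Please confirm the filename against the logged denial; if the file is actually `gencache.tdb`, this rule will not match it, and the `k` permission should be checked as well.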
>
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd 2013-10-09 20:42:41 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd 2013-10-15 19:54:27 +0000
> @@ -29,7 +29,8 @@
> /usr/lib*/samba/vfs/*.so mr,
> /usr/lib*/samba/charset/*.so mr,
> /usr/lib*/samba/auth/script.so mr,
> - /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
> + /usr/lib*/samba/pdb/*.so mr,
> + /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
> /usr/sbin/smbd mr,
> /usr/sbin/smbldap-useradd Px,
> /var/cache/samba/** rwk,
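Review bot: The replacement line `/usr/lib*/samba/{lowcase,upcase,valid}.dat r,` drops `lowercase` outright, whereas the message says the 2.8 branch should keep it. Please post or describe the 2.8 variant explicitly (for example `{lowcase,lowercase,upcase,valid}.dat`) so that the two branches are not committed from this same hunk by mistake.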
> @@ -38,6 +39,7 @@
> /{,var/}run/cups/cups.sock rw,
> /{,var/}run/dbus/system_bus_socket rw,
> /{,var/}run/samba/** rk,
> + /{,var/}run/samba/ncalrpc/ rw,
+ /{,var/}run/samba/ncalrpc/** rw,
> /{,var/}run/samba/smbd.pid rw,
> /var/spool/samba/** rw,
>
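Review bot: With the hand-inserted `+ /{,var/}run/samba/ncalrpc/** rw,` line this hunk now adds two lines, but its header still reads `@@ -38,6 +39,7 @@`, which accounts for only one. The new-side count should be 8, and a patch tool may reject the hunk as posted, so please resend a regenerated diff rather than an edited one.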
>
> === modified file 'profiles/apparmor.d/usr.sbin.winbindd'
> --- profiles/apparmor.d/usr.sbin.winbindd 2012-11-06 22:19:46
> +0000 +++ profiles/apparmor.d/usr.sbin.winbindd 2013-10-15
> 19:56:45 +0000 @@ -1,4 +1,3 @@
> -# Last Modified: Mon Mar 26 20:28:18 2012
> #include <tunables/global>
>
> /usr/sbin/winbindd {
> @@ -13,6 +12,8 @@
> /usr/lib*/samba/idmap/*.so mr,
> /usr/lib*/samba/nss_info/*.so mr,
> /usr/sbin/winbindd mr,
> + /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
> + /var/cache/samba/netsamlogon_cache.tdb rw,
> /var/lib/samba/account_policy.tdb rwk,
> /var/lib/samba/gencache.tdb rwk,
> /var/lib/samba/gencache_notrans.tdb rwk,
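Review bot: The added `/var/cache/samba/netsamlogon_cache.tdb rw,` rule omits `k`, while the other `.tdb` rules visible in this profile, including `/var/lib/samba/netsamlogon_cache.tdb rwk,` a few lines further down, all grant lock permission. Unless the logs show that winbindd never locks the copy under `/var/cache`, use `rwk` here to avoid a follow-up denial.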
> @@ -20,7 +21,7 @@
> /var/lib/samba/messages.tdb rwk,
> /var/lib/samba/netsamlogon_cache.tdb rwk,
> /var/lib/samba/serverid.tdb rwk,
> - /var/lib/samba/winbindd_cache.tdb rwk,
> + /var/lib/samba/winbindd_cache.tdb* rwk,
> /var/lib/samba/winbindd_privileged/pipe w,
> /var/log/samba/cores/ rw,
> /var/log/samba/cores/winbindd/ rw,
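Review bot: Widening `/var/lib/samba/winbindd_cache.tdb` to `winbindd_cache.tdb*` lets any suffix match with `rwk`, and the message does not say which suffixed file triggered the change. Name the observed file in the commit message or narrow the glob to it, so later readers know why the wildcard is there.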
> @@ -28,6 +29,7 @@
> /var/log/samba/log.wb-* w,
> /var/log/samba/log.winbindd rw,
> /{var/,}run/samba/winbindd.pid rwk,
> + /{var/,}run/samba/winbindd/ rw,
>
> # Site-specific additions and overrides. See local/README for
> details. #include <local/usr.sbin.winbindd>
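Review bot: The added `/{var/,}run/samba/winbindd/ rw,` rule covers only the directory itself, not anything created inside it. The smbd hunk needed both `ncalrpc/` and `ncalrpc/**` (the extra line this follow-up inserts), so please check whether winbindd likewise needs a `/{var/,}run/samba/winbindd/** rw,` rule for whatever it creates there.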
Regards,
Christian Boltz
--
The Borg are simply an allegory for M$: big, great and full of
endless featuritis - but when things get serious, they die of a
protection fault. [Andreas Pohlke in drsst]