Bugzilla – Full Text Bug Listing

| Summary: | Samba error in apparmor profile | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Ulf Lange <mopp> |
| Component: | Samba | Assignee: | Christian Boltz <suse-beta> |
| Status: | RESOLVED FIXED | QA Contact: | The 'Opening Windows to a Wider World' guys <samba-maintainers> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | suse-beta |
| Version: | 13.1 Milestone 4 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | SUSE Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Ulf Lange
2013-10-14 20:21:51 UTC
Looks like the *.dat files were moved around ;-)
Please add the following two lines to /etc/apparmor.d/usr.sbin.smbd
/usr/lib*/samba/pdb/tdbsam.so mr,
/usr/share/samba/codepages/{upcase,lowcase,valid}.dat r,
After "rcapparmor reload", it should work. (If you still see DENIED messages, please tell me ;-)
I already added these two lines, but then you run into the next error:
apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" name="/var/run/samba/ncalrpc/" pid=2189 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
I added
/{,var/}run/samba/ncalrpc rw,
but still the same error.
By the way rcapparmor reload does not work, you always have to reboot.
(In reply to comment #2)
> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd"
> name="/var/run/samba/ncalrpc/"
> I added
> /{,var/}run/samba/ncalrpc rw,
> but still the same error.

The log message says it's trying to create a directory (operation="mkdir"), and for directories you have to add a trailing /

/{,var/}run/samba/ncalrpc/ rw,

should work ;-)

BTW: If you get more follow-up DENIED, it might be a good idea to switch the profile to complain mode (which means allowing and logging everything that would be denied, you'll find ALLOWED in the log). To do this, run "aa-complain /usr/sbin/smbd". You can use aa-logprof to update the profile (pasting log lines in bugzilla is also ok). When finished, use "aa-enforce /usr/sbin/smbd" to switch the profile back to enforce mode.

> By the way rcapparmor reload does not work, you always have to reboot.

Huh? You are the first who reports this, and a quick test indicates that it works here - at least I get the expected lines in /var/log/audit/audit.log, for example

type=AVC msg=audit(1381861902.323:271): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=9380 comm="apparmor_parser"

and a quick test (removing some permissions from the bin.ping profile, rcapparmor reload and ping example.com) indicates that it works as expected - with removed permissions, ping failed ;-)

Can you please test again, and attach the /var/log/audit/audit.log of a "rcapparmor reload" run if it still fails?

BTW: you might also be interested in bug 846054, which includes profile changes for nmbd and winbindd.

rcapparmor reload works, it was not a smart idea to back up /etc/apparmor.d/usr.sbin.smbd to /etc/apparmor.d/usr.sbin.smbd.orig.
Next error
apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" name="/var/run/samba/ncalrpc/np/" pid=15125 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
So I changed /{,var/}run/samba/ncalrpc to
/{,var/}run/samba/ncalrpc/** rw,
These are all the changes I made:
32a33,34
> /usr/lib*/samba/pdb/tdbsam.so mr,
> /usr/share/samba/codepages/{upcase,lowcase,valid}.dat r,
42a45
> /{,var/}run/samba/ncalrpc/** rw,
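Review bot: the rule added at 42a45, `/{,var/}run/samba/ncalrpc/** rw,`, only covers paths beneath ncalrpc/, so the earlier denied mkdir of name="/var/run/samba/ncalrpc/" is not covered by anything in this diff. Add `/{,var/}run/samba/ncalrpc/ rw,` next to it, and check whether the denials seen so far (only the np/ subdirectory) justify a rule as broad as `**`.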
Now, it seems to work.
(In reply to comment #4)
> rcapparmor reload works, it was not a smart idea to back up
> /etc/apparmor.d/usr.sbin.smbd to /etc/apparmor.d/usr.sbin.smbd.orig.

;-)

> Next error
> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd"
> name="/var/run/samba/ncalrpc/np/" pid=15125 comm="smbd" requested_mask="c"
> denied_mask="c" fsuid=0 ouid=0
>
> So I changed /{,var/}run/samba/ncalrpc to
> /{,var/}run/samba/ncalrpc/** rw,

That looks quite permissive, but should be ok inside a temp directory that is created by smbd itself.

> These are all the changes I made:
> 32a33,34
> > /usr/lib*/samba/pdb/tdbsam.so mr,
> > /usr/share/samba/codepages/{upcase,lowcase,valid}.dat r,
> 42a45
> > /{,var/}run/samba/ncalrpc/** rw,
>
> Now, it seems to work.

You'll still need

/{,var/}run/samba/ncalrpc/ rw,

because /foo/** does not include the /foo/ directory itself.

Updated packages are available in security:apparmor - feel free to install and test the apparmor-profiles package from there ;-)

This is an autogenerated message for OBS integration:
This bug (845867) was mentioned in
https://build.opensuse.org/request/show/203528 Factory / apparmor

My problem is fixed

This is an autogenerated message for OBS integration:
This bug (845867) was mentioned in
https://build.opensuse.org/request/show/204052 12.2+12.3 / apparmor

openSUSE-RU-2013:1588-1: An update that has 7 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 777471,798183,807104,822277,824577,845867,846054
CVE References:
Sources used:
openSUSE 12.3 (src): apparmor-2.8.2-3.4.1
openSUSE 12.2 (src): apparmor-2.8.2-2.11.1
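
An added example (not part of the bug report and not AppArmor's own code): a simplified Python model of AppArmor path globbing that replays the two DENIED lines from this report against candidate rule paths, showing why both the trailing-slash rule and the `/**` rule are needed. The function names are hypothetical, and the matcher handles only `*`, `**`, `?` and `{a,b}`; it approximates the parser's behaviour rather than reproducing it.

```python
import re

# The two DENIED lines quoted in this report, used as sample input.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" '
    'name="/var/run/samba/ncalrpc/" pid=2189 comm="smbd" requested_mask="c" '
    'denied_mask="c" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" '
    'name="/var/run/samba/ncalrpc/np/" pid=15125 comm="smbd" requested_mask="c" '
    'denied_mask="c" fsuid=0 ouid=0',
]
DENIED = re.compile(r'apparmor="DENIED" operation="([^"]+)".*? name="([^"]+)"')

def glob_to_regex(rule_path):
    """Translate an AppArmor path glob to a Python regex (simplified model)."""
    out, i, depth = "", 0, 0
    while i < len(rule_path):
        c = rule_path[i]
        if c == "*":
            j = i
            while j < len(rule_path) and rule_path[j] == "*":
                j += 1
            # A glob that forms a whole path component must consume at
            # least one character, so "/foo/**" never matches "/foo/".
            whole = i > 0 and rule_path[i - 1] == "/" and rule_path[j:j + 1] in ("", "/")
            if j - i >= 2:
                out += "[^/].*" if whole else ".*"   # ** crosses '/'
            else:
                out += "[^/]+" if whole else "[^/]*"  # * stays in one component
            i = j
            continue
        if c == "{":
            depth, out = depth + 1, out + "(?:"
        elif c == "}" and depth:
            depth, out = depth - 1, out + ")"
        elif c == "," and depth:
            out += "|"
        elif c == "?":
            out += "[^/]"
        else:
            out += re.escape(c)
        i += 1
    return out

def rule_matches(rule_path, name):
    """True if the rule path (without its permission field) covers name."""
    return re.fullmatch(glob_to_regex(rule_path), name) is not None

def uncovered(log_lines, rule_paths):
    """Denied names that none of the candidate rule paths would match."""
    names = [m.group(2) for m in map(DENIED.search, log_lines) if m]
    return [n for n in names if not any(rule_matches(r, n) for r in rule_paths)]
```

Calling `uncovered(SAMPLE_LOG, [...])` with each of the rule paths tried in the thread shows which denial each attempt left open.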