What | Removed | Added |
---|---|---|
CC | ddiss@suse.com | |
Flags | needinfo?(ddiss@suse.com) |
(In reply to David Disseldorp from comment #1) > (In reply to David Disseldorp from comment #0) > > > The Apparmor profile should permit winbindd full access to these paths, like > > smbd. > > Hmm, looks like abstractions/samba would be the best place to fix this, as > it's included by usr.sbin.smbd and usr.sbin.winbindd . FYI: abstractions/samba is also included by usr.sbin.nmbd, and the changes you propose are quite permissive (whole directory instead of some individual files). Do you see any security risks in giving nmbd those additional permissions? BTW: You should probably switch your samba profiles into complain mode with aa-complain, run samba for a while and then update the profiles with aa-logprof. That's easier than fixing one permission at a time and running into the next a minute later. Don't forget to switch the profiles back to enforce mode with aa-enforce afterwards ;-)