https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c1 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #1 from Jeff Mahoney 2011-04-18 02:42:42 UTC --- As mentioned in bnc#666450, the answer isn't to add specific directories to the profile, it's to add the ability to have local extensions without modifying the profile as-shipped. This isn't a samba issue but a general apparmor one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c3 --- Comment #3 from Lars Müller 2011-04-20 18:30:08 CEST --- Free coffee and cake if we see a submit request implementing the suggestion from comment #2 in a way that it works generic with the current sysvinit approach and with systemd too. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c5 mat JaDoel changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matjadoel@yahoo.co.id Platform|x86-64 |32bit --- Comment #5 from mat JaDoel 2011-05-21 05:30:20 UTC --- (In reply to comment #0)

I updated apparmor from http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

openSUSE 11.4 (32b) with latest update + Tumbleweed repo as of 05/21/2011. Seems the samba need to read /etc/netgroup file, it denied.. here the /var/log/audit/audit.log : type=AVC msg=audit(1305954890.279:29): apparmor="DENIED" operation="open" parent=4692 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=4732 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 The relevant info : rpm -qa | grep samba samba-3.5.8-2.5.i586 rpm -qa | grep apparmor apparmor-docs-2.5.1.r1445-62.11.noarch apparmor-parser-2.5.1.r1445-62.11.i586 apparmor-profiles-2.5.1.r1445-62.11.noarch apparmor-utils-2.5.1.r1445-62.11.noarch libapparmor-devel-2.5.1.r1445-62.11.i586 libapparmor1-2.5.1.r1445-62.11.i586 pam_apparmor-2.5.1.r1445-62.11.i586 patterns-openSUSE-apparmor-11.4-6.9.1.i586 patterns-openSUSE-apparmor_opt-11.4-6.9.1.i586 perl-apparmor-2.5.1.r1445-62.11.i586 yast2-apparmor-2.20.1-1.2.1.noarch rpm -qa | grep kernel kernel-desktop-2.6.38.6-29.1.i586 kernel-xen-2.6.38.6-29.1.i586 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c7 David Disseldorp changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ddiss@novell.com --- Comment #7 from David Disseldorp 2011-08-17 23:10:50 UTC --- (In reply to comment #2)

Agreed. It would still be worth some bonus points if the samba initscript would auto-generate a profile sniplet with the path of all shares ;-)

Although attractive, this method is far from a silver bullet. As Lars described on the opensuse-factory ML, Samba share definitions can be updated with various actions: process restart, SIGHUP, smbcontrol message and registry change. Acting on internal MSG_SMB_CONF_UPDATED messages may be a less cumbersome option but even then there's still the option of [homes] and other variable dependent share paths. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c9 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |leezer3@gmail.com --- Comment #9 from Christian Boltz 2011-08-26 14:40:15 CEST --- *** Bug 714089 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=714089 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c10 --- Comment #10 from Christian Boltz 2011-10-11 13:21:26 CEST --- Based on the discussion on the ML, here's a script to generate an apparmor profile sniplet that includes all shares listed in smb.conf, with the exception of - variables (anything containing a % sign) - "/" - if someone is insane enough to share his complete filesystem, he'll have to modify the apparmor profile himself. testparm turned out to be quite useful :-) echo '# autogenerated at samba start - do not edit!' testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\(.*\)$§\1/ rk,\n\1/** rwkl,§p' ("[ \t]" means space and tab - ignore the linebreak above) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c12 --- Comment #12 from Christian Boltz 2011-10-17 22:21:11 CEST --- Created an attachment (id=457113) --> (http://bugzilla.novell.com/attachment.cgi?id=457113) Patch for the smb initscript This patch for the smb initscript adds calls to the update-apparmor-samba-profile script on (re)start and reload. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Platform|32bit |All AssignedTo|samba-maintainers@SuSE.de |lmuelle@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c15 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | --- Comment #15 from Christian Boltz 2011-10-18 22:01:18 CEST --- (In reply to comment #14)

Suggested fix merged and pushed into network:samba:TESTING.

Please test if that works for you. Without complains we'll merge the required changes tomorrow.

error: Installed (but unpackaged) file(s) found: /usr/share/samba/update-apparmor-samba-profile Please add it to %files ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c17 --- Comment #17 from Bernhard Wiedemann 2011-10-19 01:00:21 CEST --- This is an autogenerated message for OBS integration: This bug (688040) was mentioned in https://build.opensuse.org/request/show/88635 Factory / samba -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c19 --- Comment #19 from Christian Boltz 2011-10-19 13:02:04 CEST --- SR 88695 (for the apparmor package) will include the autogenerated profile sniplet in the smbd profile. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c21 Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |kolobov@iszf.irk.ru --- Comment #21 from Lars Müller 2012-01-30 23:32:45 CET --- Please switch AppArmor in complain mode and provide which access rights are missing. Samba from network:samba:TESTING and network:samba:STABLE are currently at the identical code level. This is easy to check via the content of the build-source-timestamp file. If this is a different issue please close this bug and file a separate one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c23 --- Comment #23 from Norbert Hornyak 2012-01-31 09:49:49 UTC --- (In reply to comment #21)

Please switch AppArmor in complain mode and provide which access rights are missing.

Samba from network:samba:TESTING and network:samba:STABLE are currently at the identical code level. This is easy to check via the content of the build-source-timestamp file.

If this is a different issue please close this bug and file a separate one.

I switched smbd to complain mode, but I nothing else seen: [ 4169.986750] type=1400 audit(1328003056.364:237): apparmor="ALLOWED" operation="open" parent=11157 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=11423 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000 samba version in the testing repo: samba-3.6.3-97.1 in the stable: samba-3.6.3-85.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c25 --- Comment #25 from Christian Boltz 2012-01-31 11:07:50 CET --- Ah, you are using 11.4 - that explains it. The autogenerated apparmor sniplet for all shares is included starting with 12.1. Basically, you have two options: a) manual way: - echo "# replaceme" > /etc/apparmor.d/local/usr.sbin.smbd-shares - add " #include " to /etc/apparmor.d/usr.sbin.smbd - rcsmb restart (this should update the local/usr.sbin.smbd-shares sniplet) b) update your apparmor-profiles package to 2.7.1 from security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor 2.5, but if it works, it's the easiest solution. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c27 --- Comment #27 from Christian Boltz 2012-01-31 23:56:59 CET --- (In reply to comment #26)

...

- add " #include " to /etc/apparmor.d/usr.sbin.smbd - rcsmb restart (this should update the local/usr.sbin.smbd-shares sniplet)

AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error, unexpected TOK_MODE, expecting TOK_OPEN

Sounds like you added the include before the opening "/usr/sbin/smbd {" line. You should add it below (inside the {...} block).

...

b) update your apparmor-profiles package to 2.7.1 from security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor 2.5, but if it works, it's the easiest solution.

Same error: [DENIED message from audit.log]

So the good news is that the 2.7 profiles work with AppArmor 2.5 :-) Did you restart AppArmor and Samba after updating the profiles package? If not, run: rcapparmor restart rcsmb restart -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c29 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|kolobov@iszf.irk.ru | Resolution| |FIXED --- Comment #29 from Christian Boltz 2012-02-01 17:37:07 CET --- Thanks for your feedback. OK, then this bug stays "fixed" for >= 12.1 - and "wontfix" for 11.4 (with comment #25 method a) as workaround). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c31 --- Comment #31 from Christian Boltz 2012-02-01 20:38:08 CET --- (In reply to comment #30)

And why not fix in 11.4?

Because (AFAIK) the samba package in 11.4 does not contain the script to generate the AppArmor sniplet - you got it only because you use samba:stable repo. In other words: this would be a bigger change (basically introducing a new feature) in multiple packages. IMHO it's a bit too late for new features in 11.4 ;-) (but if you really want it, you can always do a SR to openSUSE:11.4:Update:Test and point to this bugreport) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c33 --- Comment #33 from Jeff Mahoney 2012-02-01 21:00:00 UTC --- For 11.4 (and every release prior), this is the case. It will also be true of *any* file serving daemon, simply because you can export anything on the file system through them. That is fundamentally opposite the premise of a tool like AppArmor which wants to restrict access to the file system. The Samba profile has *always* needed to be modified. It's just that in 12.1 we've included a tool to do it automatically. For prior releases, it would be a post-release enhancement, which is against the openSUSE update policies. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c35 Norbert Hornyak changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|FIXED |INVALID --- Comment #35 from Norbert Hornyak 2012-02-01 21:38:45 UTC --- Ehm :) So, I checked what is in /etc/apparmor.d/local/usr.sbin.smbd-shares file... Nobody asked me what rules I added. The error caused by a missing rule: /srv/samba-share/ rl I thought that, the /srv/samba-share/** contains the permission for these directory too. I'm now downgraded samba and apparmor to 11.4 oss repo version, then I fix the rules, and everything works fine. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=688040 https://bugzilla.novell.com/show_bug.cgi?id=688040#c Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|INVALID |FIXED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.