[Bug 688040] New: apparmor profile denies smbd access to the shared folder
https://bugzilla.novell.com/show_bug.cgi?id=688040#c0

Summary: apparmor profile denies smbd access to the shared folder
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Samba
AssignedTo: samba-maintainers@SuSE.de
ReportedBy: kolobov@iszf.irk.ru
QAContact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.29 SUSE/12.0.731.0 (KHTML, like Gecko) Chrome/12.0.731.0 Safari/534.29

The related bug is #666450.

I updated apparmor from http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

smbd and nmbd are started, but smbd cannot access the shared directory.

audit.log:

type=AVC msg=audit(1302928001.423:3198): apparmor="DENIED" operation="open" parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0

With disabled apparmor everything is ok.

smb.conf contains lines:

[pub]
comment = public
inherit acls = Yes
path = /mnt/d04/pub
read only = No
guest ok = Yes
create mask = 0664
directory mask = 0775

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment from Jeff Mahoney
--- Comment #1 from Jeff Mahoney
--- Comment #2 from Christian Boltz
--- Comment #3 from Lars Müller
--- Comment #4 from Jeff Mahoney
--- Comment #5 from mat JaDoel

> I updated apparmor from http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

openSUSE 11.4 (32b) with latest update + Tumbleweed repo as of 05/21/2011.

Seems that samba needs to read the /etc/netgroup file, and it is denied. Here is the /var/log/audit/audit.log:

type=AVC msg=audit(1305954890.279:29): apparmor="DENIED" operation="open" parent=4692 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=4732 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The relevant info:

rpm -qa | grep samba
samba-3.5.8-2.5.i586

rpm -qa | grep apparmor
apparmor-docs-2.5.1.r1445-62.11.noarch
apparmor-parser-2.5.1.r1445-62.11.i586
apparmor-profiles-2.5.1.r1445-62.11.noarch
apparmor-utils-2.5.1.r1445-62.11.noarch
libapparmor-devel-2.5.1.r1445-62.11.i586
libapparmor1-2.5.1.r1445-62.11.i586
pam_apparmor-2.5.1.r1445-62.11.i586
patterns-openSUSE-apparmor-11.4-6.9.1.i586
patterns-openSUSE-apparmor_opt-11.4-6.9.1.i586
perl-apparmor-2.5.1.r1445-62.11.i586
yast2-apparmor-2.20.1-1.2.1.noarch

rpm -qa | grep kernel
kernel-desktop-2.6.38.6-29.1.i586
kernel-xen-2.6.38.6-29.1.i586
--- Comment #6 from Christian Boltz
--- Comment #7 from David Disseldorp

> Agreed. It would still be worth some bonus points if the samba initscript would auto-generate a profile sniplet with the path of all shares ;-)

Although attractive, this method is far from a silver bullet. As Lars described on the opensuse-factory ML, Samba share definitions can be updated with various actions: process restart, SIGHUP, smbcontrol message and registry change. Acting on internal MSG_SMB_CONF_UPDATED messages may be a less cumbersome option, but even then there's still the option of [homes] and other variable dependent share paths.
--- Comment #8 from Christian Boltz

(In reply to comment #2)

> Agreed. It would still be worth some bonus points if the samba initscript would auto-generate a profile sniplet with the path of all shares ;-)

> Although attractive, this method is far from a silver bullet. As Lars described on the opensuse-factory ML, Samba share definitions can be updated with various actions: process restart, SIGHUP, smbcontrol message and registry change.

Yes, I've seen his mail - however I'd say this is where things get scary ;-)

Basically I see two options:
a) parse smb.conf to create an apparmor profile sniplet (without the "dynamically" created shares)
b) let Samba itself update the profile sniplet
c) (did I miss another option?)

b) might sound like the better solution, but comes with the risk that someone exploits Samba and then raises his privileges. With a) he would at least have to modify smb.conf and re-run the initscript to update the apparmor profile sniplet, which is much more difficult to exploit IMHO.

Lars, what is your opinion about this?
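Option a) from the comment above, as an added example that is not part of this bug thread or of the samba package's own update-apparmor-samba-profile script: a small Python script that pulls the static share paths out of smb.conf and renders an AppArmor snippet for the local include. The sample smb.conf, the rule modes, and the skipping of [homes] and %-variable paths (the variable dependent shares David mentions) are my assumptions.

```python
import re

# Constructed sample smb.conf, modelled on the [pub] share from this bug report,
# plus a [homes] share and a %U-dependent share that a static snippet cannot cover.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP

[pub]
    comment = public
    path = /mnt/d04/pub
    read only = No
    guest ok = Yes

[homes]
    comment = Home Directories
    browseable = No

[profiles]
    path = /srv/samba/profiles/%U
"""

VARIABLE = re.compile(r"%[a-zA-Z]")  # smb.conf substitutions such as %U or %m

def share_paths(conf_text):
    """Return {share: path} for every share with a fixed path.

    [global] is not a share, [homes] has no fixed path, and a path containing a
    %-substitution is resolved per connection, so all of those are left out."""
    shares, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line or section in (None, "global", "homes"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "path" and not VARIABLE.search(value):
            shares[section] = value.rstrip("/")  # "/" becomes "", see below
    return shares

def apparmor_snippet(shares):
    """Render rules for the local include: read the share directory itself,
    read/write/lock/link below it (my choice of modes, not the package's)."""
    lines = ["# generated from smb.conf - do not edit by hand"]
    for name, path in sorted(shares.items()):
        lines += [f"# share [{name}]", f'"{path}/" r,', f'"{path}/**" rwkl,']
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(apparmor_snippet(share_paths(SAMPLE_SMB_CONF)), end="")
```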
--- Comment #9 from Christian Boltz

--- Comment from Christian Boltz

--- Comment #10 from Christian Boltz

--- Comment #11 from Christian Boltz

--- Comment #12 from Christian Boltz

--- Comment #13 from Christian Boltz

--- Comment from Lars Müller

--- Comment #14 from Lars Müller
--- Comment #15 from Christian Boltz

> Suggested fix merged and pushed into network:samba:TESTING.
> Please test if that works for you. Without complains we'll merge the required changes tomorrow.

error: Installed (but unpackaged) file(s) found:
/usr/share/samba/update-apparmor-samba-profile

Please add it to %files ;-)
--- Comment #16 from Lars Müller

--- Comment #17 from Bernhard Wiedemann

--- Comment #18 from Bernhard Wiedemann

--- Comment #19 from Christian Boltz

--- Comment #20 from Norbert Hornyak

--- Comment #21 from Lars Müller

--- Comment #22 from Dmitri Kolobov

--- Comment #23 from Norbert Hornyak
> Please switch AppArmor in complain mode and provide which access rights are missing.
> Samba from network:samba:TESTING and network:samba:STABLE are currently at the identical code level. This is easy to check via the content of the build-source-timestamp file.
> If this is a different issue please close this bug and file a separate one.

I switched smbd to complain mode, but I saw nothing else:

[ 4169.986750] type=1400 audit(1328003056.364:237): apparmor="ALLOWED" operation="open" parent=11157 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=11423 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000

samba version in the testing repo: samba-3.6.3-97.1
in the stable: samba-3.6.3-85.1
--- Comment #24 from Norbert Hornyak

> I updated Apparmor from 'Updates' repo and samba from 'samba:STABLE'.
> It works for me. Access to custom directories is allowed.
> OpenSUSE 11.4.

From which updates? http://download.opensuse.org/update/11.4/ ? I'm updated too...
--- Comment #25 from Christian Boltz

--- Comment #26 from Norbert Hornyak

> Ah, you are using 11.4 - that explains it. The autogenerated apparmor sniplet for all shares is included starting with 12.1.
> Basically, you have two options:
> a) manual way:
> - echo "# replaceme" > /etc/apparmor.d/local/usr.sbin.smbd-shares
> - add " #include " to /etc/apparmor.d/usr.sbin.smbd
> - rcsmb restart (this should update the local/usr.sbin.smbd-shares sniplet)
> b) update your apparmor-profiles package to 2.7.1 from security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor 2.5, but if it works, it's the easiest solution.

a) AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error, unexpected TOK_MODE, expecting TOK_OPEN
/etc/apparmor.d/usr.sbin.smbd failed to load

b) Same error:

[ 6270.775634] type=1400 audit(1328005157.152:357): apparmor="DENIED" operation="open" parent=15544 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=15640 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000
--- Comment #27 from Christian Boltz

> - add " #include " to /etc/apparmor.d/usr.sbin.smbd
> - rcsmb restart (this should update the local/usr.sbin.smbd-shares sniplet)

> AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error, unexpected TOK_MODE, expecting TOK_OPEN

Sounds like you added the include before the opening "/usr/sbin/smbd {" line. You should add it below (inside the {...} block).

> b) update your apparmor-profiles package to 2.7.1 from security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor 2.5, but if it works, it's the easiest solution.

> Same error: [DENIED message from audit.log]

So the good news is that the 2.7 profiles work with AppArmor 2.5 :-)

Did you restart AppArmor and Samba after updating the profiles package? If not, run:
rcapparmor restart
rcsmb restart
--- Comment #28 from Norbert Hornyak

> Sounds like you added the include before the opening "/usr/sbin/smbd {" line. You should add it below (inside the {...} block).

Yeah, this is my fault. I downgraded back to apparmor 2.5, which is in the 11.4 oss repo, and with this correction it seems to be OK...

> So the good news is that the 2.7 profiles work with AppArmor 2.5 :-)

No, I updated everything (libapparmor, parser, utils...) from the factory repo, so all of my apparmor packages were 2.7.

> Did you restart AppArmor and Samba after updating the profiles package? If not, run:
> rcapparmor restart
> rcsmb restart

Yes, I restarted everything, but with apparmor 2.7 it didn't work.
--- Comment #29 from Christian Boltz

--- Comment #30 from Norbert Hornyak

--- Comment #31 from Christian Boltz

> And why not fix in 11.4?

Because (AFAIK) the samba package in 11.4 does not contain the script to generate the AppArmor sniplet - you got it only because you use the samba:stable repo. In other words: this would be a bigger change (basically introducing a new feature) in multiple packages. IMHO it's a bit too late for new features in 11.4 ;-) (but if you really want it, you can always do a SR to openSUSE:11.4:Update:Test and point to this bugreport)
--- Comment #32 from Norbert Hornyak

> Because (AFAIK) the samba package in 11.4 does not contain the script to generate the AppArmor sniplet

I think this is the problem... Apparmor is delivered (and installed by default?) with 11.4 and has a profile for samba too, but if you install and want to use samba, it isn't working.
--- Comment #33 from Jeff Mahoney

--- Comment #34 from Norbert Hornyak

--- Comment #35 from Norbert Hornyak

--- Comment #36 from Christian Boltz
So, I checked what is in /etc/apparmor.d/local/usr.sbin.smbd-shares file...
If you use a samba package that updates this file (in other words: a package from the samba:* repo), you can just add an include rule to the smbd profile to include local/usr.sbin.smbd-shares.
Nobody asked me what rules I added. The error caused by a missing rule: /srv/samba-share/ rl
;-)
--- Comment from Christian Boltz