[Bug 738041] New: apparmor DENIED /etc/netgroup for smbd profile
https://bugzilla.novell.com/show_bug.cgi?id=738041
https://bugzilla.novell.com/show_bug.cgi?id=738041#c0

Summary: apparmor DENIED /etc/netgroup for smbd profile
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Samba
AssignedTo: samba-maintainers@SuSE.de
ReportedBy: pellice@yahoo.fr
QAContact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0

I had problems joining the samba domain with an XP client with apparmor enabled, and a lot of DENIED in the audit.log:

apparmor="DENIED" operation="open" parent=1592 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=14082 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

In Bug #688040 it is said "smbd cannot access the shared directory." and a fix is provided, but access to /etc/netgroup is still DENIED. I added /etc/netgroup r, to usr.sbin.smbd and the problem disappeared.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
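The DENIED record quoted in the report is the raw material for every profile change in this thread. As an added example (not part of the bug report, and not AppArmor's own tooling; aa-logprof does this job properly), the Python below splits such audit records into their key=value fields, groups the denials per profile and path, and prints candidate rule lines. The sample log is constructed: its first record is the line from the report with the type=/msg= prefix auditd normally writes in front of it, the other three are invented here to exercise an exec denial, a second denial on the same path with a different mask, and an ALLOWED record that must be ignored. Timestamps and serial numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample log (see lead-in): record 1 is the line from the bug
# report, records 2-4 are invented for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1323456789.123:4567): apparmor="DENIED" operation="open" parent=1592 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=14082 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1323456790.456:4568): apparmor="DENIED" operation="exec" parent=1592 profile="/usr/sbin/smbd" name="/usr/sbin/smbldap-useradd" pid=14090 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1323456791.789:4569): apparmor="DENIED" operation="open" parent=1592 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=14095 comm="smbd" requested_mask="wr" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1323456792.000:4570): apparmor="ALLOWED" operation="open" parent=1592 profile="/usr/sbin/smbd" name="/etc/passwd" pid=14095 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one auditd/AppArmor record into a dict of its key=value fields."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def collect_denials(log_text):
    """Group DENIED records by (profile, path) and union their denied_mask bits.

    ALLOWED records (complain mode) and records without profile/name are skipped.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or "profile" not in f or "name" not in f:
            continue
        denials[(f["profile"], f["name"])].update(f.get("denied_mask", ""))
    return denials


# Letter order used when printing a combined mask; a convention chosen here,
# apparmor_parser accepts the permission letters in any order.
MODE_ORDER = "rwalkm"


def suggest_rules(denials):
    """Turn grouped denials into candidate profile lines, keyed by profile name.

    An exec denial gets a "Px" placeholder (or "Cx" for a child profile): the
    thread's point is that "ux"/"rux" would run the helper unconfined, so the
    exec mode is a decision for the profile author, not something to infer
    from the log.
    """
    rules = defaultdict(list)
    for (profile, path), mask in sorted(denials.items()):
        perms = "".join(c for c in MODE_ORDER if c in mask)
        if "x" in mask:
            rules[profile].append(f"{path} {perms}Px,")
        else:
            rules[profile].append(f"{path} {perms},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(collect_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"# candidate additions for profile {profile}")
        for rule in lines:
            print("  " + rule)
```

Read the output as a to-do list, not as a finished profile: a repeated path with varying masks is a hint that a glob may be more appropriate, and every exec line still needs the Px/Cx/ix decision discussed further down in the thread.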
https://bugzilla.novell.com/show_bug.cgi?id=738041#c1
--- Comment #1 from Lars Müller
https://bugzilla.novell.com/show_bug.cgi?id=738041#c2
--- Comment #2 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=738041#c3
--- Comment #3 from alexis Pellicier
> Thanks for the detailed report!
> I submitted a patch upstream. Since you already fixed the profile yourself, may I assume you don't need an updated package?

No need for an updated package for me. Maybe somebody else will appreciate it though. Thanks for the fix.
https://bugzilla.novell.com/show_bug.cgi?id=738041#c4
--- Comment #4 from Lars Müller
https://bugzilla.novell.com/show_bug.cgi?id=738041#c5
--- Comment #5 from alexis Pellicier
https://bugzilla.novell.com/show_bug.cgi?id=738041#c6
--- Comment #6 from alexis Pellicier
https://bugzilla.novell.com/show_bug.cgi?id=738041#c7
--- Comment #7 from Christian Boltz
> I guess that if someone uses ldapsmb and no smbldap-tools he should use something like /usr/sbin/ldapsmb rux,
> I'm not sure these perms are the most secure or not; maybe some apparmor guru can check this.
> /etc/netgroup r,

No problem IMHO.

> /bin/bash ix,

Even if I'm somewhat surprised why this is needed, your log snippet from comment #5 shows that you need it for some reason. (Maybe smbd starts a bash first to start the perl script?) And "ix" for bash shouldn't be a problem.

> /usr/sbin/smbldap-useradd rux,

"rux" is not a good idea because it runs smbldap-useradd unconfined (without any AppArmor protection) and additionally doesn't clean up the environment variables. Better use "Px" (to use a separate profile which is always used when someone calls smbldap-useradd) or "Cx" to make it a child profile ("smbldap-useradd called by smbd"). I don't know if/how smbldap-useradd is used elsewhere, so I can't recommend which way is better - however the general rule of thumb is that a separate profile might be better because it also covers usage of smbldap-useradd if not called by smbd.

Your report sounds like you are editing the profile manually. While this is of course possible, there are tools to make it easier ;-) Short HowTo:
- optional: run "old /var/log/audit.log ; rcauditd restart" to start with a clean audit.log
- remove the line for smbldap-useradd from your smbd profile
- run "aa-complain usr.sbin.smbd" to switch the profile to learning mode (this will also reload the profile)
- run samba for a while, and make sure it calls smbldap-useradd
- run "aa-logprof" to update the profile (and enter "p" or "c" when it asks how to execute smbldap-useradd)
- and finally switch back to enforce mode with "aa-enforce usr.sbin.smbd"

Then tell me the needed additions to the smbd profile, and attach the profile for smbldap-useradd. If possible, also attach your audit.log to this bugreport in case I want to check some details (for example, if a list of filenames or a * makes more sense in the profile).
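A profile skeleton, added here as an illustration and not the profile that was later submitted upstream (that one is not reproduced on this page), putting the advice from this comment into AppArmor syntax: the rejected rux rule, the Px transition into a separate smbldap-useradd profile, and a child profile for the nscd init script as the thread goes on to describe. The include abstractions, the perl interpreter path and the /etc/smbldap-tools directory are assumptions; the real rules come from running aa-logprof against your own audit.log.

```apparmor
# Illustrative skeleton (added here; not the upstream profile). Paths come
# from the thread; the #include abstractions, the perl path and the config
# directory are assumptions to replace with what aa-logprof derives from
# your audit.log.

# ---- excerpt of /etc/apparmor.d/usr.sbin.smbd ------------------------------
#
#   /usr/sbin/smbldap-useradd rux,   # weak: runs the helper unconfined and
#                                    # passes smbd's environment through
#
  /usr/sbin/smbldap-useradd Px,      # transition into the profile below;
                                     # uppercase P also scrubs the environment
                                     # "Cx," would use a child profile instead

# ---- /etc/apparmor.d/usr.sbin.smbldap-useradd (separate profile) -----------
#include <tunables/global>

/usr/sbin/smbldap-useradd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/perl>         # assumption: the tool is a perl script

  /usr/sbin/smbldap-useradd r,
  /usr/bin/perl ix,                    # assumption: interpreter in the shebang
  /bin/bash ix,                        # perl runs "sh -c ..." for the redirected
                                       # system() call; /bin/sh -> /bin/bash here
  /etc/smbldap-tools/* r,              # assumption: config location

  /etc/init.d/nscd Cx,                 # keep the init script in a child profile

  profile /etc/init.d/nscd {
    #include <abstractions/base>
    /etc/init.d/nscd r,
    /bin/bash ix,                      # it is a shell script
    # remaining rules for the nscd status check come from aa-logprof
  }
}
```

The two /bin/bash ix lines are not redundant: the one in the main section covers the shell perl spawns for the redirected system() call, the one in the child profile covers the init script itself once the Cx transition has happened.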
https://bugzilla.novell.com/show_bug.cgi?id=738041#c8
--- Comment #8 from alexis Pellicier
https://bugzilla.novell.com/show_bug.cgi?id=738041#c9
--- Comment #9 from Christian Boltz
> Sorry for the delay, I was on holidays. Happy new year :-)

Happy new year :-)

> The only change in smbd profile:
> /usr/sbin/smbldap-useradd Px,

Looks good.

Your profile for smbldap-useradd used some "interesting" abstractions (for example apache2-common, which doesn't really have something to do with samba ;-) Therefore I decided to create the profile myself based on your logs. I also split off the /etc/init.d/nscd call into a child profile. The result:
# Last Modified: Tue Jan 3 00:17:40 2012
#include
https://bugzilla.novell.com/show_bug.cgi?id=738041#c10
--- Comment #10 from alexis Pellicier
https://bugzilla.novell.com/show_bug.cgi?id=738041#c11
--- Comment #11 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=738041#c12
--- Comment #12 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=738041#c13
--- Comment #13 from alexis Pellicier
> Hmm, maybe(!) that's caused by the fact that /etc/init.d/nscd is a shell script - OTOH that shouldn't be of interest for the calling process.
> Please add the following line to the smbldap-useradd profile (in the main section, not in the nscd child profile):
> /bin/bash ix,
> Does this keep your audit.log clean?

Yes !! Thanks a lot
https://bugzilla.novell.com/show_bug.cgi?id=738041#c14
--- Comment #14 from Christian Boltz
(In reply to comment #11)
> Hmm, maybe(!) that's caused by the fact that /etc/init.d/nscd is a shell script - OTOH that shouldn't be of interest for the calling process.

I asked about this upstream, and the answer was "in general yes, but..." ;-)

If a perl system() call uses output redirection (or contains other shell metacharacters, see "perldoc -f system" for details) - which smbldap-useradd does, for example

    my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";

then perl executes this using /bin/sh (which is a symlink to /bin/bash):

    /bin/sh -c /etc/init.d/nscd status >/dev/null 2>&1

In other words: it's correct that the profile needs "/bin/bash ix" - and OTOH it isn't surprising that it worked even without that - it doesn't break too much if the profile doesn't allow checking the nscd status ;-)

> /bin/bash ix,
> Does this keep your audit.log clean?
> Yes !!

Thanks for checking this. I submitted the profile for review upstream.
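The "perldoc -f system" rule cited in this comment decides which program AppArmor sees being exec()ed, and therefore which path the calling profile needs an exec rule for. As an added example (not from the bug report and not Perl's code), the Python below re-implements that decision the way Perl's doio.c makes it for the one-argument form: a leading ". " or "exec ", a VAR=value prefix, or any shell metacharacter sends the whole string to /bin/sh -c, while a single trailing newline and a bare trailing " 2>&1" are handled by Perl itself and the command is execvp()ed directly. The /bin/sh -> /bin/bash mapping is the openSUSE fact stated in this comment and is a parameter here; the nscd command is the one from smbldap-useradd quoted above, the other command strings are constructed for the example.

```python
# Metacharacters Perl's one-argument system()/exec() scans for before deciding
# whether to involve a shell (the set used in Perl's doio.c). This is a model
# of that decision for profile-writing purposes, not Perl itself; it ignores
# platform-specific branches.
PERL_SHELL_METACHARS = set('$&*(){}[]\'";\\|?<>~`\n')


def _starts_with_assignment(cmd):
    """True for "VAR=value cmd" style strings, which Perl always hands to sh."""
    i = 0
    while i < len(cmd) and (cmd[i].isalnum() or cmd[i] == "_"):
        i += 1
    return i < len(cmd) and cmd[i] == "="


def exec_target(cmd):
    """Predict which program is actually exec()ed for Perl's system(cmd).

    Returns "/bin/sh" when Perl would run "sh -c cmd", otherwise the first
    word of the command, which Perl execvp()s directly after splitting on
    whitespace. (If that execvp() fails with ENOEXEC, e.g. a script without a
    shebang, Perl falls back to the shell anyway; not modelled here.)
    """
    if cmd[:1] == "." and cmd[1:2].isspace():
        return "/bin/sh"
    if cmd[:4] == "exec" and cmd[4:5].isspace():
        return "/bin/sh"
    if _starts_with_assignment(cmd):
        return "/bin/sh"
    s = cmd
    for i, ch in enumerate(cmd):
        if ch == " " or ch not in PERL_SHELL_METACHARS:
            continue
        if ch == "\n" and i == len(cmd) - 1:
            s = cmd[:i]  # a single trailing newline is just dropped
            break
        # Special case: a trailing " 2>&1" with nothing after it is done by
        # Perl itself with dup2(), and the command is still exec()ed directly.
        if (ch == ">" and cmd[i + 1:i + 3] == "&1" and i >= 2
                and cmd[i - 1] == "2" and cmd[i - 2].isspace()
                and (i + 3 == len(cmd) or cmd[i + 3].isspace())
                and cmd[i + 3:].strip() == ""):
            s = cmd[:i - 2]
            break
        return "/bin/sh"  # any other metacharacter: "/bin/sh -c <cmd>"
    words = s.split()
    return words[0] if words else ""


def needed_exec_path(cmd, sh_path="/bin/bash"):
    """Path the calling profile needs an exec rule (ix/Px/Cx) for.

    sh_path is where /bin/sh really points; on the reporter's openSUSE box it
    is a symlink to /bin/bash, as stated in the thread, so that is the default.
    Which exec mode to use is the profile author's decision, not the tool's.
    """
    target = exec_target(cmd)
    return sh_path if target == "/bin/sh" else target


if __name__ == "__main__":
    # The call from smbldap-useradd discussed in the thread, plus constructed
    # variants that show where the shell does and does not get involved.
    for c in ['/etc/init.d/nscd status >/dev/null 2>&1',
              '/etc/init.d/nscd status',
              '/etc/init.d/nscd status 2>&1',
              'PATH=/usr/sbin:/sbin nscd -i passwd']:
        print(f"{c!r:48} execs {exec_target(c):18} rule path {needed_exec_path(c)}")
```

The practical use is auditing a perl helper before profiling it: grep its system()/exec()/backtick calls, run each string through exec_target(), and you know in advance whether the profile will need the shell (and, as here, a rule for what /bin/sh resolves to on that distribution).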
https://bugzilla.novell.com/show_bug.cgi?id=738041#c15
--- Comment #15 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=738041#c16
--- Comment #16 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=738041#c17
--- Comment #17 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=738041#c18
--- Comment #18 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=738041#c19
--- Comment #19 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=738041#c20
--- Comment #20 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=738041#c21
--- Comment #21 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=738041#c22
--- Comment #22 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=738041#c23
--- Comment #23 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=738041#c24
--- Comment #24 from Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=738041#c25
--- Comment #25 from Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=738041#c26
--- Comment #26 from Swamp Workflow Management