http://bugzilla.opensuse.org/show_bug.cgi?id=1166407
http://bugzilla.opensuse.org/show_bug.cgi?id=1166407#c3
--- Comment #3 from Christian Boltz
> For 'usr.sbin.smbd': /dev/urandom rw,
> For 'usr.sbin.winbindd': /dev/urandom rw,
I'm a bit surprised that you need write permissions to /dev/urandom. Do smbd and winbindd really write to it? (According to man urandom this is technically possible, but IMHO still surprising.)
> /var/cache/samba/ rw,
The write (mkdir) is already allowed in abstractions/samba. That means we'll only need to add read permissions (directory listing). Shouldn't be a serious problem, but I'm still slightly surprised that you need them - AFAIK you are the first one with that requirement. (Wild guess: maybe related to the smb_tmp_krb5.* files in that directory?)
> /var/cache/samba/smb_krb5/ rw,
> /var/cache/samba/smb_krb5/* rwk,
> /var/cache/samba/smb_tmp_krb5.* rwk,
Looks like everybody uses a different location for the krb5 files, so let's add one more location ;-)
> /var/cache/samba/msg.lock/ rw,
> /var/cache/samba/msg.lock/* rwk,
These two are (mostly) covered in abstractions/samba already:
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,
Note that the second rule has [0-9]* instead of * - does this work for you, or do you see filenames not starting with a digit?
> (For 'usr.sbin.nmbd', all the changes I needed have since been introduced by on-line updates or upgrades since 15.0).
:-)
> Some of these extra requirements may be due to the fact that SerNet uses different default locations during the build environment configuration phase, or enables some options at that time that are not active in the SUSE builds (personal hypothesis).
Yes, possibly - but even if I asked some questions about your profile additions, I'm quite sure that I can get them merged upstream.
> Also, please note that the above extra AppArmor profile contents have been determined based on the DENIED "audit.log" entries found on a domain client (i.e. on a client PC joined to the domain). I still need to check whether further changes may be required to cover:
> - a domain member server
> - a domain controller
> I expect to find out over the coming weeks.
I'm looking forward to your feedback!
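The comment above does two things by hand: it reads DENIED entries out of audit.log and then checks each one against the rules that abstractions/samba already contains (including the question of whether `[0-9]*` is wide enough for the msg.lock files). The script below is an added example that automates that check; it is not code from the bug report, from the reporter, or from the AppArmor project. The audit lines are constructed for the example and only mirror the paths discussed in the bug, the profile names `smbd`/`winbindd` and the PIDs are made up, and the `/var/cache/samba/ w` rule is an assumption based on the comment's remark that mkdir there is already allowed (the exact rule in abstractions/samba is not quoted). The glob translation follows AppArmor's documented semantics (`*` and `?` do not cross `/`, `**` does) and is written from scratch here, not taken from the AppArmor parser.

```python
"""Check AppArmor DENIED audit entries against a set of existing profile rules.

Added example, not from the bug report or the AppArmor project. Reports which
denials are already covered by the quoted abstractions/samba rules and which
still need a new rule (and with which permission letters).
"""
import re

# Constructed sample audit.log lines (not real log data); profile names and
# PIDs are made up, the paths are the ones discussed in the bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1584000000.123:456): apparmor="DENIED" operation="open" profile="smbd" name="/dev/urandom" pid=1234 comm="smbd" requested_mask="wr" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1584000001.234:457): apparmor="DENIED" operation="open" profile="smbd" name="/var/cache/samba/" pid=1234 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1584000002.345:458): apparmor="DENIED" operation="mknod" profile="smbd" name="/var/cache/samba/msg.lock/1234" pid=1234 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1584000003.456:459): apparmor="DENIED" operation="file_lock" profile="winbindd" name="/var/cache/samba/msg.lock/winbindd-lock" pid=1235 comm="winbindd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1584000004.567:460): apparmor="DENIED" operation="open" profile="winbindd" name="/var/cache/samba/smb_krb5/krb5.conf.ABC123" pid=1235 comm="winbindd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

# Rules as quoted in the bug comment. The first one is an ASSUMPTION: the
# comment only says that write (mkdir) on /var/cache/samba/ is already allowed.
EXISTING_RULES = [
    ("/var/cache/samba/", "w"),
    ("/var/cache/samba/msg.lock/", "rwk"),
    ("/var/cache/samba/msg.lock/[0-9]*", "rwk"),
]

DENIED_RE = re.compile(
    r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?denied_mask="([^"]+)"'
)

# Audit masks use c (create) and d (delete); a profile grants both via w.
_MASK_ALIASES = {"c": "w", "d": "w"}


def glob_to_regex(glob):
    """AppArmor path glob -> unanchored regex (*, **, ?, [...], {a,b})."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):       # ** crosses directory boundaries
            out.append(".*")
            i += 2
        elif c == "*":                     # * stops at '/'
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[" and "]" in glob[i + 1:]:
            j = glob.index("]", i + 1)
            out.append("[" + glob[i + 1:j] + "]")
            i = j + 1
        elif c == "{" and "}" in glob[i + 1:]:
            j = glob.index("}", i + 1)
            alts = [glob_to_regex(a) for a in glob[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def matches(glob, path):
    """True if the AppArmor glob matches the whole path."""
    return re.fullmatch(glob_to_regex(glob), path) is not None


def expand_perms(perms):
    """Permissions a rule effectively grants (w also covers append)."""
    granted = set(perms)
    if "w" in granted:
        granted.add("a")
    return granted


def normalize_mask(mask):
    """Map an audit denied_mask onto the permission letters rules use."""
    return {_MASK_ALIASES.get(ch, ch) for ch in mask if ch.isalpha()}


def parse_denials(audit_text):
    """Yield (profile, path, denied_mask) for each DENIED line."""
    for line in audit_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_uncovered(audit_text, rules):
    """Return [(profile, path, missing_perms)] for denials no rule fully covers."""
    uncovered = []
    for profile, path, mask in parse_denials(audit_text):
        granted = set()
        for glob, perms in rules:
            if matches(glob, path):
                granted |= expand_perms(perms)
        missing = "".join(sorted(normalize_mask(mask) - granted))
        if missing:
            uncovered.append((profile, path, missing))
    return uncovered


if __name__ == "__main__":
    for profile, path, missing in find_uncovered(SAMPLE_AUDIT, EXISTING_RULES):
        print(f"{profile}: needs  {path} {missing},")
```

On the constructed input the `msg.lock/1234` denial is reported as already covered by the `[0-9]*` rule, while `msg.lock/winbindd-lock` is not, which is exactly the case the question about `[0-9]*` versus `*` is probing: if such names show up in a real audit.log, the abstraction's character class is too narrow. Run it against real data with `grep DENIED /var/log/audit/audit.log | python3 check.py` after swapping `SAMPLE_AUDIT` for `sys.stdin.read()`.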