Comment # 3 on bug 1166407 from
(In reply to Philippe Andersson from comment #2)
> For 'usr.sbin.smbd':
>   /dev/urandom rw,
> 
> For 'usr.sbin.winbindd':
>   /dev/urandom rw,

I'm a bit surprised that you need write permissions to /dev/urandom. Do smbd and
winbindd really write to it? (According to man urandom this is technically
possible, but IMHO still surprising.)


>   /var/cache/samba/ rw,

The write (mkdir) is already allowed in abstractions/samba.

That means we'll only need to add read permissions (directory listing).
Shouldn't be a serious problem, but I'm still slightly surprised that you need
them - AFAIK you are the first one with that requirement. (Wild guess: maybe
related to the smb_tmp_krb5.* files in that directory?)

>   /var/cache/samba/smb_krb5/ rw,
>   /var/cache/samba/smb_krb5/* rwk,
>   /var/cache/samba/smb_tmp_krb5.* rwk,

Looks like everybody uses a different location for the krb5 files, so let's add
one more location ;-)

>   /var/cache/samba/msg.lock/ rw,
>   /var/cache/samba/msg.lock/* rwk,

These two are (mostly) covered in abstractions/samba already:
  /var/cache/samba/msg.lock/ rwk,
  /var/cache/samba/msg.lock/[0-9]* rwk,

Note that the second rule has [0-9]* instead of * - does this work for you, or
do you see filenames not starting with a digit?


> (For 'usr.sbin.nmbd', all the changes I needed have since been introduced by
> on-line updates or upgrades since 15.0).

:-)

> Some of these extra requirements may be due to the fact that SerNet uses
> different default locations during the build environment configuration
> phase, or enables some options at that time that are not active in the SUSE
> builds (personal hypothesis).

Yes, possibly - but even if I asked some questions about your profile
additions, I'm quite sure that I can get them merged upstream.

> Also, please note that the above extra AppArmor profile contents has been
> determined based on the DENIED "audit.log" entries found on a domain client
> (i.e. on a client PC joined to the domain). I still need to check whether
> further changes may be required to cover:
> - a domain member server
> - a domain controller
> 
> I expect to find out over the coming weeks.

I'm looking forward to your feedback!


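A small checker, added here as an example (not code from the bug report, from Samba or from AppArmor's own tools), that does what the comment above does by hand: it turns plain path rules into matchers, honouring that `[0-9]*` only accepts names starting with a digit while `*` stops at `/` and `**` crosses it, and reports which DENIED audit.log entries a rule set still does not cover. The rule lines are the two abstractions/samba rules quoted above plus one proposed smb_tmp_krb5 rule; the audit.log lines, pids and file names are constructed for the demo.

```python
import re
# Constructed sample: the two abstractions/samba rules quoted in the comment
# plus one of the proposed smb_tmp_krb5 additions.
RULES = """\
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,
/var/cache/samba/smb_tmp_krb5.* rwk,
"""
# Constructed audit.log lines; paths, pids and masks are made up for the demo.
AUDIT = """\
type=AVC apparmor="DENIED" operation="open" profile="usr.sbin.smbd" name="/var/cache/samba/msg.lock/4711" requested_mask="wrk"
type=AVC apparmor="DENIED" operation="open" profile="usr.sbin.smbd" name="/var/cache/samba/msg.lock/not-a-pid" requested_mask="r"
type=AVC apparmor="DENIED" operation="mknod" profile="usr.sbin.smbd" name="/var/cache/samba/smb_tmp_krb5.4711" requested_mask="c"
type=AVC apparmor="DENIED" operation="open" profile="usr.sbin.smbd" name="/var/cache/samba/smb_krb5/ccache" requested_mask="wr"
"""
# Rule letter -> requested_mask letters it satisfies ('w' also covers a, c, d;
# every other letter only itself).
GRANTS = {"w": "wacd"}
AUDIT_RE = re.compile(r'apparmor="DENIED".*?name="([^"]*)".*?requested_mask="([^"]*)"')
def glob_to_regex(pattern):
    """AppArmor glob -> anchored regex: '*' stops at '/', '**' crosses it, [...] kept; no {a,b}."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2; continue
        c = pattern[i]
        if c == "*": out.append("[^/]*")
        elif c == "[":  # copy the character class verbatim
            j = pattern.index("]", i); out.append(pattern[i:j + 1]); i = j
        else: out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")
def parse_rules(text):
    """Parse plain 'path perms,' rule lines (no owner/deny qualifiers)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line and not line.startswith("#"):
            path, perms = line.rsplit(None, 1)
            rules.append((glob_to_regex(path), perms))
    return rules
def uncovered(rules_text, audit_text):
    """(path, mask) pairs from DENIED lines the rules do not fully grant; matching rules accumulate."""
    rules, missing = parse_rules(rules_text), []
    for path, mask in AUDIT_RE.findall(audit_text):
        granted = {g for rx, perms in rules if rx.match(path)
                   for p in perms for g in GRANTS.get(p, p)}
        if not set(mask) <= granted:
            missing.append((path, mask))
    return missing
```

On the sample, the numeric msg.lock file and the smb_tmp_krb5 create are covered, while the non-digit msg.lock name and the smb_krb5/ path are reported as gaps, which is exactly the `[0-9]*` vs `*` question raised above. For real profiles, aa-logprof does this job with full rule syntax support.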