(In reply to Philippe Andersson from comment #2)

> For 'usr.sbin.smbd':
> /dev/urandom rw,
>
> For 'usr.sbin.winbindd':
> /dev/urandom rw,

I'm a bit surprised why you need write permissions to /dev/urandom. Do smbd and winbindd really write to it? (According to man urandom this is technically possible, but IMHO still surprising.)

> /var/cache/samba/ rw,

The write (mkdir) is already allowed in abstractions/samba. That means we'll only need to add read permissions (directory listing). Shouldn't be a serious problem, but I'm still slightly surprised that you need them - AFAIK you are the first one with that requirement. (Wild guess: maybe related to the smb_tmp_krb5.* files in that directory?)

> /var/cache/samba/smb_krb5/ rw,
> /var/cache/samba/smb_krb5/* rwk,
> /var/cache/samba/smb_tmp_krb5.* rwk,

Looks like everybody uses a different location for the krb5 files, so let's add one more location ;-)

> /var/cache/samba/msg.lock/ rw,
> /var/cache/samba/msg.lock/* rwk,

These two are (mostly) covered in abstractions/samba already:

    /var/cache/samba/msg.lock/ rwk,
    /var/cache/samba/msg.lock/[0-9]* rwk,

Note that the second rule has [0-9]* instead of * - does this work for you, or do you see filenames not starting with a digit?

> (For 'usr.sbin.nmbd', all the changes I needed have since been introduced by
> on-line updates or upgrades since 15.0).

:-)

> Some of these extra requirements may be due to the fact that SerNet uses
> different default locations during the build environment configuration
> phase, or enables some options at that time that are not active in the SUSE
> builds (personal hypothesis).

Yes, possibly - but even if I asked some questions about your profile additions, I'm quite sure that I can get them merged upstream.

> Also, please note that the above extra AppArmor profile contents has been
> determined based on the DENIED "audit.log" entries found on a domain client
> (i.e. on a client PC joined to the domain). I still need to check whether
> further changes may be required to cover:
> - a domain member server
> - a domain controller
>
> I expect to find out over the coming weeks.

I'm looking forward to your feedback!
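The comment above works from DENIED audit.log entries and asks whether the `[0-9]*` rule in abstractions/samba actually covers the filenames seen. The following is an added example, not code from the bug report, Samba or the AppArmor project: it parses a few constructed audit lines (not real log data), then checks each denied path and mask against a small candidate rule set using a simplified model of AppArmor path globbing (`*` does not cross `/`, `**` does, `[0-9]` is a character class). The rule set is an assumption for the example: the two msg.lock rules quoted from abstractions/samba plus a read-only `/dev/urandom` rule, so the output shows which denials a proposed profile change would still leave uncovered.

```python
"""Triage AppArmor DENIED entries against a candidate rule set.

Added example for the thread above, not project code.  Assumptions:
 - AppArmor glob semantics are modelled only for '*', '**', '?' and '[...]';
 - audit mask letters 'a', 'c', 'd' (append/create/delete) are treated as
   needing 'w' in the rule, which is how AppArmor's 'w' permission covers them.
"""
import re

# Constructed sample audit lines (not real log data).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1400000000.100:1): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/var/cache/samba/msg.lock/4711" pid=1000 comm="smbd" requested_mask="wrc" denied_mask="wrc"
type=AVC msg=audit(1400000000.200:2): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/cache/samba/msg.lock/winbindd" pid=1001 comm="winbindd" requested_mask="wr" denied_mask="wr"
type=AVC msg=audit(1400000000.300:3): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/smbd" name="/var/cache/samba/smb_tmp_krb5.abc123" pid=1000 comm="smbd" requested_mask="k" denied_mask="k"
type=AVC msg=audit(1400000000.400:4): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/dev/urandom" pid=1000 comm="smbd" requested_mask="r" denied_mask="r"
"""

# Candidate rule set (assumption for this example): the two msg.lock rules
# quoted from abstractions/samba in the comment, plus /dev/urandom read-only.
RULES = [
    ("/var/cache/samba/msg.lock/", "rwk"),
    ("/var/cache/samba/msg.lock/[0-9]*", "rwk"),
    ("/dev/urandom", "r"),
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
MASK_ALIASES = {"a": "w", "c": "w", "d": "w"}  # append/create/delete need 'w'


def parse_denials(text):
    """Return one dict per line carrying apparmor="DENIED"."""
    out = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue
        out.append({"profile": fields["profile"], "name": fields["name"],
                    "mask": fields["denied_mask"], "op": fields.get("operation")})
    return out


def glob_to_regex(glob):
    """Translate a (simplified) AppArmor path glob into an anchored regex."""
    i, parts = 0, []
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # '**' crosses directory boundaries
            parts.append(".*")
            i += 2
            continue
        if c == "*":                      # '*' stays within one path component
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        elif c == "[":                    # character class, copied verbatim
            j = glob.index("]", i)
            parts.append(glob[i:j + 1])
            i = j + 1
            continue
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def needed_perms(mask):
    """Reduce an audit mask to the rule permission letters it requires."""
    return {MASK_ALIASES.get(ch, ch) for ch in mask}


def covering_rule(path, mask, rules=RULES):
    """First rule whose glob matches path and whose perms include the mask, else None."""
    need = needed_perms(mask)
    for glob, perms in rules:
        if glob_to_regex(glob).match(path) and need <= set(perms):
            return glob
    return None


def triage(text, rules=RULES):
    """(profile, path, mask, covering rule or None) for every denial in text."""
    return [(d["profile"], d["name"], d["mask"],
             covering_rule(d["name"], d["mask"], rules))
            for d in parse_denials(text)]


if __name__ == "__main__":
    for profile, path, mask, rule in triage(SAMPLE_AUDIT):
        status = "covered by " + rule if rule else "STILL DENIED"
        print(f"{profile}: {path} ({mask}) -> {status}")
```

Run against the constructed lines, the digit-named msg.lock file and the `/dev/urandom` read are covered, while `msg.lock/winbindd` (no leading digit) and the `smb_tmp_krb5.*` lock are not, which is exactly the distinction the `[0-9]*` question in the comment hinges on.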