Bug ID 991901
Summary DENIED errors for nmbd & winbindd
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component AppArmor
Assignee suse-beta@cboltz.de
Reporter nopower@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

At least latest versions of samba on sle12 (and presumably leap) exhibit

2016-08-02T20:47:28.744928+01:00 e6 kernel: [20450.573208] audit: type=1400
audit(1470167248.740:40): apparmor="DENIED" operation="capable"
profile="/usr/sbin/winbindd" pid=30995 comm="winbindd" capability=21 
capname="sys_admin"
2016-08-02T20:47:28.772923+01:00 e6 kernel: [20450.602088] audit: type=1400
audit(1470167248.768:41): apparmor="DENIED" operation="capable"
profile="/usr/sbin/winbindd" pid=30995 comm="winbindd" capability=12 
capname="net_admin"


for winbindd & nmb

looking for EPERM in associated straces we see for

  net_admin (trace for nmb & winbind are the same)


20:47:28.770944 socket(PF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 11
20:47:28.770960 getsockopt(11, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0
20:47:28.770972 setsockopt(11, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1
EPERM (Operation not permitted)


  sys_admin (again traces for nmb & winbind are same)

20:47:28.742041 statfs("/sys/fs/selinux", 0x7ffec45e3420) = -1 ENOENT (No such
file or directory)
20:47:28.742063 statfs("/selinux", {f_type="BTRFS_SUPER_MAGIC", f_bsize=4096,
f_blocks=4716800, f_bfree=3791830, f_bavail=3634294, f_files=0, f_ffree=0,
f_fsid={599142472, -600034648}, f_namelen=255, f_frsize=4096}) = 0
20:47:28.742084 mount("proc", "/proc", "proc", 0, NULL) = -1 EPERM (Operation
not permitted)
20:47:28.742124 open("/proc/filesystems", O_RDONLY) = 3


Actually for this one above I see the same for nscd also

I don't believe that these are actually causing any problems (at least no
errors are reported in the samba logs) and my testing didn't yet reveal any
problems

You are receiving this mail because: