http://bugzilla.opensuse.org/show_bug.cgi?id=1195463
http://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c11

--- Comment #11 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to Ralf K�lmel from comment #10)
I'm still having "denied" messages during smb/nmb startup (s. attached file), but they don't break the smb service start.
That log basically shows 3 [groups of] denials:
- capability net_admin -> bug 1196922 aka bug 1196850 comment #3
- /proc/*/fd/ -> https://gitlab.com/apparmor/apparmor/-/merge_requests/860
- smbd and samba-bgqd reading /etc/ssl/openssl.cnf -> this bugzilla comment

Allowing to read the openssl config is quite harmless. Also, samba.spec contains
    BuildRequires: libopenssl-devel
so reading openssl.cnf isn't too surprising.

Long story short: I just submitted
https://gitlab.com/apparmor/apparmor/-/merge_requests/862
The question is if automatic cleaning of the apparmor cache (through configuration in the rpm spec) after an update of the apparmor packages would be a pragmatic way to work around the problem.
That workaround would be
    rm /var/cache/apparmor/*/usr.sbin.smbd
but I'm not sure if I like it in a %post script ;-)
(would need to be done before restarting samba)
For now I'm afraid to do automatic updates (of apparmor packages) on affected systems because it could break the samba daemon restart.
Understandable. If it helps:
- you can run the above workaround before updating
- this is the first time I've seen such an issue, therefore I'd say the risk for similar problems in future updates is quite low. (Yes, famous last words ;-)
But besides a workaround the best would be to find the problem.
Agreed.

(In reply to Noel Power from comment #9)
I have experienced cache related problems a couple of times recently, however every time I try to pin it down and reproduce it I have failed :/
Timestamps of the profiles and indirectly also your samba config (via the autogenerated profile snippet) are relevant, which makes reproducing harder.

If that happens again, please save the following files and directories in a tarball (timestamps are most important, but in the worst case it's also possible to investigate the content of the cache files):
- /etc/samba/smb.conf (or at least its timestamp)
- /etc/apparmor.d/
- /var/cache/apparmor/
- /usr/share/apparmor/cache/
- /var/log/audit/audit.log
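
One way to gather the files listed in the comment above with their timestamps intact, as an added example that is not part of the original bug comment. The function name collect_apparmor_state, its two arguments and the mtimes.txt manifest are assumptions of this example, and it relies on GNU find and tar.

```bash
#!/bin/bash
# Added example (not from the bug report): snapshot the files the comment
# asks for. Function name, arguments and mtimes.txt are this example's own.

# Paths listed in the comment, written relative to the filesystem root.
EVIDENCE_PATHS="etc/samba/smb.conf etc/apparmor.d var/cache/apparmor
usr/share/apparmor/cache var/log/audit/audit.log"

# usage: collect_apparmor_state ROOT /absolute/path/OUT.tar.gz
#   ROOT is / on the live system, or the mount point of a copied image.
# The body is a subshell, so cd and the variables do not leak to the caller.
collect_apparmor_state() (
    root=${1%/}
    out=$2
    present=""
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT

    # Keep only paths that exist, so a missing one (for example no
    # /usr/share/apparmor/cache) is recorded instead of aborting the run.
    for p in $EVIDENCE_PATHS; do
        if [ -e "$root/$p" ]; then
            present="$present $p"
        else
            echo "missing: /$p" >> "$stage/mtimes.txt"
        fi
    done
    [ -n "$present" ] || exit 1

    # Manifest of modification times (epoch seconds, size, path), readable
    # without unpacking anything. Uses GNU find's -printf.
    cd "$root/" || exit 1
    find $present -printf '%T@ %s /%p\n' | sort -k3 >> "$stage/mtimes.txt"

    # tar records mtimes by default; -p also keeps permissions.
    tar -czpf "$out" $present -C "$stage" mtimes.txt
)
```

On a live system this needs root to read /var/log/audit/audit.log, and it should run before the cache is removed or the profiles are reloaded, since either changes the timestamps being captured.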