https://bugzilla.novell.com/show_bug.cgi?id=688040
https://bugzilla.novell.com/show_bug.cgi?id=688040#c8
Christian Boltz
(In reply to comment #2)
Agreed. It would still be worth some bonus points if the samba initscript would auto-generate a profile sniplet with the path of all shares ;-)
Although attractive, this method is far from a silver bullet. As Lars described on the opensuse-factory ML, Samba share definitions can be updated with various actions: process restart, SIGHUP, smbcontrol message and registry change.
Yes, I've seen his mail - however I'd say this is where things get scary ;-) Basically I see two options: a) parse smb.conf to create an apparmor profile sniplet (without the "dynamicly" created shares) b) let Samba itsself update the profile sniplet c) (did I miss another option?) b) might sound like the better solution, but comes with the risk that someone exploits Samba and then raise his privileges. With a) he would at least have to modify smb.conf and re-run the initscript to update the apparmor profile sniplet, which is much more difficult to exploit IMHO. Lars, what is your opinion about this? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.