Comment # 7 on bug 1166407 from
OK -- two more issues have been spotted.

1./ current AppArmor profiles prevent Samba log rotation
    ----------------------------------------------------

In /etc/apparmor.d/abstractions/samba (latest available stable version: 15.1,
fully patched), we see this:

  /var/log/samba/* w,

In order to allow rotation of log.smbd, log.nmbd, etc. to *.old, that should
be:

  /var/log/samba/* rwk,

(not sure the 'k' is strictly needed)

2./ the AD DC process itself has no AppArmor profile
    ------------------------------------------------

The main process on a Samba4 AD DC is '/usr/sbin/samba'. That process doesn't
have *any* AppArmor profile, even though I suspect it would be the most
critical / vulnerable one.
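
A way to check a profile tree for both points raised in this comment, as an added example that is not part of the bug report or of the Samba or AppArmor packages. The function names are hypothetical, the sample files are constructed, and `rwk` is taken from the comment's proposal rather than verified here.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Print the permission letters of the "/var/log/samba/*" rule in file $1.
samba_log_perms() {
    sed -n 's|^[[:space:]]*/var/log/samba/\*[[:space:]]\{1,\}\([a-zA-Z]\{1,\}\),.*$|\1|p' "$1" | head -n 1
}

# Print the letters of $2 (wanted) that are absent from $1 (granted).
missing_perms() {
    granted=$1 wanted=$2 out=
    while [ -n "$wanted" ]; do
        p=${wanted%"${wanted#?}"}   # first letter of $wanted
        wanted=${wanted#?}
        case $granted in *"$p"*) ;; *) out=$out$p ;; esac
    done
    printf '%s\n' "$out"
}

# Succeed if a file directly under $1 has a profile header naming binary $2.
# Globs and {a,b} alternation in headers are not expanded: verify a miss by hand.
has_profile_for() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v bin="$2" '$NF == "{" { for (i = 1; i < NF; i++) if ($i == bin) hit = 1 }
                         END { exit !hit }' "$f" && return 0
    done
    return 1
}

demo() {
    d=$(mktemp -d)
    mkdir "$d/abstractions"
    printf '  /var/log/samba/* w,\n' > "$d/abstractions/samba"   # rule quoted in the comment
    printf '/usr/sbin/smbd {\n}\n' > "$d/usr.sbin.smbd"          # constructed profile stub
    perms=$(samba_log_perms "$d/abstractions/samba")
    echo "log rule grants '$perms'; letters missing from proposed rwk: '$(missing_perms "$perms" rwk)'"
    has_profile_for "$d" /usr/sbin/samba || echo "no profile header names /usr/sbin/samba"
    rm -rf "$d"
}
demo
```

On a real host, pass `/etc/apparmor.d/abstractions/samba` to `samba_log_perms` and `/etc/apparmor.d` to `has_profile_for` instead of the constructed tree.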

