(In reply to Christian Boltz from comment #3) > I'm a bit surprised why you need write permissions to /dev/urandom. Do smbd > and winbindd really write to it? (According to man urandom this is > technically possible, but IMHO still surprising.) I was just as surprised as you. I also checked whether it made any sense at all, and since it /could/ be used, I allowed it (I tried just 'r', but AppArmor still issued a DENIED). As to the reason for the RW access, that's a question for SerNet -- I've not delved into the Samba code. > > /var/cache/samba/ rw, > > The write (mkdir) is already allowed in abstractions/samba. Good to know -- I missed that. > That means we'll only need to add read permissions (directory listing). > Shouldn't be a serious problem, but I'm still slightly surprised that you > need them - AFAIK you are the first one with that requirement. (Wild guess: > maybe related to the smb_tmp_krb5.* files in that directory?) Most likely, yes. But to be fair, I've not tested the behaviour only allowing 'w'. > > /var/cache/samba/smb_krb5/ rw, > > /var/cache/samba/smb_krb5/* rwk, > > /var/cache/samba/smb_tmp_krb5.* rwk, > > Looks like everybody uses a different location for the krb5 files, so let's > add one more location ;-) In this case, perhaps a bit of coordination with SerNet could reduce the level of entropy. If you can tell me the preferred location for those files under OpenSUSE and SLES, I'll contact them and pass the message. > > /var/cache/samba/msg.lock/ rw, > > /var/cache/samba/msg.lock/* rwk, > > These two are (mostly) covered in abstractions/samba already: > /var/cache/samba/msg.lock/ rwk, > /var/cache/samba/msg.lock/[0-9]* rwk, > > Note that the second rule has [0-9]* instead of * - does this work for you, > or do you see filenames not starting with a digit? No, that should work. At present, all filenames present in that folder on our test workstation follow the very simple pattern [0-9]{5}. > > Some of these extra requirements may be due to the fact that SerNet uses > > different default locations during the build environment configuration > > phase, or enables some options at that time that are not active in the SUSE > > builds (personal hypothesis). > > Yes, possibly - but even if I asked some questions about your profile > additions, I'm quite sure that I can get them merged upstream. That's great news!