http://bugzilla.opensuse.org/show_bug.cgi?id=1195463 http://bugzilla.opensuse.org/show_bug.cgi?id=1195463#c9 --- Comment #9 from Noel Power <nopower@suse.com> --- (In reply to Christian Boltz from comment #8)
From the log in the original report:
type=AVC msg=audit(1643828237.305:807): apparmor="DENIED" operation="open" profile="smbd" name="/etc/ssl/openssl.cnf" pid=6144 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
IIRC I've never seen Samba trying to read the openssl.cnf (but I have to admit that I use it only rarely). Do you have a special/unusual samba config that could explain it?
@Noel: if you have an idea, feel free to answer as well ;-) no idea, sorry, I'm guessing this must be pulled in by some external library used by samba. I've cc'ed samba-maintainers so maybe someone else here might have an idea
type=AVC msg=audit(1643828237.385:809): apparmor="DENIED" operation="exec" profile="smbd" name="/usr/lib64/samba/samba-bgqd" pid=6148 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
I assume that was fixed by deleting the cache?
Also, if you see other DENIED events, please tell me.
Unfortunately I'm still not sure why you needed to delete the cache.
The "same as current profile, skipping" log entries from comment 5 happened at the same time as the updated apparmor-profiles package was installed. This means AppArmor thought the cache was new enough. While this happens on the kernel side, it could also be caused by apparmor_parser - if it thinks the cache is up to date, it just passes the cache to the kernel. (The cache is checked based on the timestamp of the profile and all included files, unfortunately not based on the content of those files)
My guess was that you might have a /etc/apparmor.d/local/usr.sbin.smbd-shares (generated from your smb.conf) that is newer than the new packaged smbd profile - but your usr.sbin.smbd-shares is a year old, so my guess doesn't fit your case. Would have been too easy ;-) and I'm somewhat afraid that in your case it might stay a mystery what exactly happened.
I have experienced cache related problems a couple of times recently, however every time I try to pin it down and reproduce it I have failed :/ -- You are receiving this mail because: You are on the CC list for the bug.