(In reply to Christian Boltz from comment #8) > From the log in the original report: > > type=AVC msg=audit(1643828237.305:807): apparmor="DENIED" operation="open" profile="smbd" name="/etc/ssl/openssl.cnf" pid=6144 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > IIRC I've never seen Samba trying to read the openssl.cnf (but I have to > admit that I use it only rarely). Do you have a special/unusual samba config > that could explain it? > > @Noel: if you have an idea, feel free to answer as well ;-) no idea, sorry, I'm guessing this must be pulled in by some external library used by samba. I've cc'ed samba-maintainers so maybe someone else here might have an idea > > > type=AVC msg=audit(1643828237.385:809): apparmor="DENIED" operation="exec" profile="smbd" name="/usr/lib64/samba/samba-bgqd" pid=6148 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > > I assume that was fixed by deleting the cache? > > Also, if you see other DENIED events, please tell me. > > > Unfortunately I'm still not sure why you needed to delete the cache. > > The "same as current profile, skipping" log entries from comment 5 happened > at the same time as the updated apparmor-profiles package was installed. > This means AppArmor thought the cache was new enough. While this happens on > the kernel side, it could also be caused by apparmor_parser - if it thinks > the cache is up to date, it just passes the cache to the kernel. (The cache > is checked based on the timestamp of the profile and all included files, > unfortunately not based on the content of those files) > > My guess was that you might have a > /etc/apparmor.d/local/usr.sbin.smbd-shares (generated from your smb.conf) > that is newer than the new packaged smbd profile - but your > usr.sbin.smbd-shares is a year old, so my guess doesn't fit your case. > Would have been too easy ;-) and I'm somewhat afraid that in your case it > might stay a mystery what exactly happened. I have experienced cache related problems a couple of times recently, however every time I try to pin it down and reproduce it I have failed :/