http://bugzilla.opensuse.org/show_bug.cgi?id=1166407 Bjoern Jacke changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jmcdonough@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166407 http://bugzilla.opensuse.org/show_bug.cgi?id=1166407#c2 --- Comment #2 from Philippe Andersson --- (In reply to Christian Boltz from comment #1)

While I somewhat understand why you'd like to see sub-packages, let me ask a completely different question:

What exactly do you need to add to the samba profiles?

For 'usr.sbin.smbd': /dev/urandom rw, For 'usr.sbin.winbindd': /dev/urandom rw, /var/cache/samba/ rw, /var/cache/samba/smb_krb5/ rw, /var/cache/samba/smb_krb5/* rwk, /var/cache/samba/smb_tmp_krb5.* rwk, /var/cache/samba/msg.lock/ rw, /var/cache/samba/msg.lock/* rwk, (For 'usr.sbin.nmbd', all the changes I needed have since been introduced by on-line updates or upgrades since 15.0). Some of these extra requirements may be due to the fact that SerNet uses different default locations during the build environment configuration phase, or enables some options at that time that are not active in the SUSE builds (personal hypothesis). Also, please note that the above extra AppArmor profile contents has been determined based on the DENIED "audit.log" entries found on a domain client (i.e. on a client PC joined to the domain). I still need to check whether further changes may be required to cover: - a domain member server - a domain controller I expect to find out over the coming weeks. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166407 http://bugzilla.opensuse.org/show_bug.cgi?id=1166407#c3 --- Comment #3 from Christian Boltz --- (In reply to Philippe Andersson from comment #2)

For 'usr.sbin.smbd': /dev/urandom rw,

For 'usr.sbin.winbindd': /dev/urandom rw,

I'm a bit surprised why you need write permissions to /dev/urandom. Do smbd and winbindd really write to it? (According to man urandom this is technically possible, but IMHO still surprising.)

/var/cache/samba/ rw,

The write (mkdir) is already allowed in abstractions/samba. That means we'll only need to add read permissions (directory listing). Shouldn't be a serious problem, but I'm still slightly surprised that you need them - AFAIK you are the first one with that requirement. (Wild guess: maybe related to the smb_tmp_krb5.* files in that directory?)

/var/cache/samba/smb_krb5/ rw, /var/cache/samba/smb_krb5/* rwk, /var/cache/samba/smb_tmp_krb5.* rwk,

Looks like everybody uses a different location for the krb5 files, so let's add one more location ;-)

/var/cache/samba/msg.lock/ rw, /var/cache/samba/msg.lock/* rwk,

These two are (mostly) covered in abstractions/samba already: /var/cache/samba/msg.lock/ rwk, /var/cache/samba/msg.lock/[0-9]* rwk, Note that the second rule has [0-9]* instead of * - does this work for you, or do you see filenames not starting with a digit?

(For 'usr.sbin.nmbd', all the changes I needed have since been introduced by on-line updates or upgrades since 15.0).

:-)

Some of these extra requirements may be due to the fact that SerNet uses different default locations during the build environment configuration phase, or enables some options at that time that are not active in the SUSE builds (personal hypothesis).

Yes, possibly - but even if I asked some questions about your profile additions, I'm quite sure that I can get them merged upstream.

Also, please note that the above extra AppArmor profile contents has been determined based on the DENIED "audit.log" entries found on a domain client (i.e. on a client PC joined to the domain). I still need to check whether further changes may be required to cover: - a domain member server - a domain controller

I expect to find out over the coming weeks.

I'm looking forward for your feedback! -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166407 http://bugzilla.opensuse.org/show_bug.cgi?id=1166407#c5 --- Comment #5 from Bjoern Jacke --- the rw requirement of urandom is probably coming from gnutls and not samba directly (the older Samba version of SLES doesn't use gnutls for crypto yet). For differences of other paths in the apparmor profile it looks a bit pointless to me to try to include all possible different possibe paths being used by different packagers upstream. The requirements here can change from version to version also. For SUSE specifically I would really appreciate if the apparmor profiles would consistently all be packaged along with the package packages that they are made for and not as part of the apparmore package itself. Currently some are still shipped from the apparmor package and some are shipped with the package they're made for. For the Samba package of SUSE I suggested moving the samba apparmore profile accordingly to Jim some days ago. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166407 http://bugzilla.opensuse.org/show_bug.cgi?id=1166407#c7 --- Comment #7 from Philippe Andersson --- OK -- two more issues have been spotted. 1./ current AppArmor profiles prevent Samba log rotation ---------------------------------------------------- In /etc/apparmor.d/abstractions/samba (latest available stable version: 15.1, fully patched), we see this: /var/log/samba/* w, In order to allow rotation of log.smbd, log.nmbd, etc. to *.old, that should be: /var/log/samba/* rwk, (not sure the 'k' is strictly needed) 2./ the AD DC process itself has no AppArmor profile ------------------------------------------------ The main process on a Samba4 AD DC is '/usr/sbin/samba'. That process doesn't have *any* AppArmor profile, even though I suspect it would be the most critical / vulnerable one. -- You are receiving this mail because: You are on the CC list for the bug.