[Bug 748499] New: No AppArmor profile for winbindd
https://bugzilla.novell.com/show_bug.cgi?id=748499
https://bugzilla.novell.com/show_bug.cgi?id=748499#c0

           Summary: No AppArmor profile for winbindd
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: Other
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: lmuelle@suse.com
        ReportedBy: suse-beta@cboltz.de
         QAContact: qa@suse.de
                CC: samba-maintainers@SuSE.de
          Found By: Beta-Customer
           Blocker: ---

The last remaining part of bug 725967 comment 7 is:

winbindd doesn't have an AppArmor profile - only abstractions/winbindd exists (smbd and nmbd already have profiles).

From bug 725967 comment 6 and 8:

From the files in /usr/lib*/samba/, winbindd needs to access
    /usr/lib*/samba/idmap/*.so r,
    /usr/lib*/samba/nss_info/*.so r,

BTW: for *.so usually "mr" permissions are needed.

Long story short: Lars, can you create a profile for winbindd, please? Just attach it to the bugreport and reassign to me. I'll handle upstreaming and packaging it.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=748499#c1

--- Comment #1 from Lars Müller <lmuelle@suse.com> 2012-03-26 16:43:06 CEST ---
Created an attachment (id=483250)
 --> (http://bugzilla.novell.com/attachment.cgi?id=483250)
Tested /etc/apparmor.d/usr.sbin.winbindd file
https://bugzilla.novell.com/show_bug.cgi?id=748499#c2

--- Comment #2 from Lars Müller <lmuelle@suse.com> 2012-03-26 16:44:11 CEST ---
Created an attachment (id=483251)
 --> (http://bugzilla.novell.com/attachment.cgi?id=483251)
Empty local usr.sbin.winbindd file
https://bugzilla.novell.com/show_bug.cgi?id=748499#c3

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|lmuelle@suse.com            |suse-beta@cboltz.de

--- Comment #3 from Lars Müller <lmuelle@suse.com> 2012-03-26 16:50:47 CEST ---
Wouldn't it be better to maintain all the Samba AppArmor (AA) files close to the network:samba Open Build Service repository?

We also have to ensure to get AA enabled again by default.

If that doesn't work we can suggest to enable AA as soon as a user makes use of the YaST windows domain membership or samba-server module.

Passing to Christian to merge the suggested profile and to consider this comment.
https://bugzilla.novell.com/show_bug.cgi?id=748499#c4

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lmuelle@suse.com

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> 2012-03-26 21:11:15 CEST ---
(In reply to comment #3)
> Wouldn't it be better to maintain all the Samba AppArmor (AA) files close to
> the network:samba Open Build Service repository?
Been there, done that (more or less) - just check the number of patches in the apparmor package in openSUSE 11.4 ;-) (I spent lots of time to flood the upstream mailinglist with^W^W^W^W^Wget the patches upstream for 12.1.) I also moved the nscd profile (which was in two packages, with slightly different rules) back to the apparmor-profiles package after submitting this small difference upstream.

I don't say that you are totally wrong, all I'm saying is that it won't work in practice. It _might_ work for openSUSE, but I'm afraid most package maintainers don't care or don't have time to get the profile changes upstream and/or won't pull the latest upstream profile into their package - which means the profile maintenance has to be done by openSUSE people (and other distributions have to do similar maintenance work if nobody submits changed profiles upstream).

Just to name an example: With the profiles from upstream, we got the /var/run -> /run changes "for free". With profiles spread over 20 packages, we would have to touch those 20 packages - and each package maintainer would have to find out that he has to use "/{,var/}run/". Doesn't look too difficult, but it's still easier and faster if you can do it with a global search and replace on all profiles ;-)

We could of course do funny tricks like a package that is BuildRequire'd by samba etc. and copy the profile from there to the samba package - but IMHO that does more harm than good.

Besides that, it seems that package maintainers can't create working profiles - see below ;-))
> We also have to ensure to get AA enabled again by default.
I won't object - feel free to talk to Coolo and/or Sascha about it. If everything else fails, using a Meinungsverstärker could help ;-) (see http://www.stupidedia.org/stupi/Meinungsverstärker )
> If that doesn't work we can suggest to enable AA as soon as a user makes use
> of the YaST windows domain membership or samba-server module.
Indeed, good idea. You should even do that if apparmor is installed by default again - just in case someone uninstalled it.
> Passing to Christian to merge the suggested profile and to consider this
> comment.
Did you create the profile manually or with aa-genprof/aa-logprof?

I'm asking because it contains this invalid rule:
    /etc/samba/secrets.tdb rwck,
I'd guess it should be "rwk" instead of "rwck" - at least winbindd doesn't complain if I test it with your profile.

Unfortunately, it complains for several other files. Just by using rcwinbindd start/stop/restart/reload, I got the following additions:

+ #include <abstractions/nameservice>
+ /etc/samba/passdb.tdb rwk,
+ /tmp/.winbindd/ w,                          # creation of the directory - probably pre-existed on your system
+ /var/lib/samba/account_policy.tdb rwk,
+ /var/lib/samba/gencache_notrans.tdb rwk,    # r added
+ /var/lib/samba/gencache.tdb rwk,            # r added
+ /var/lib/samba/group_mapping.tdb rwk,
+ /var/lib/samba/netsamlogon_cache.tdb rwk,
+ /var/lib/samba/serverid.tdb rwk,
+ /var/lib/samba/winbindd_cache.tdb rwk,
+ /var/lib/samba/winbindd_privileged/pipe w,
+ /var/log/samba/log.wb-* w,                  # log.wb-HOSTNAME
+ /{var/,}run/samba/winbindd.pid rwk,

(Anything suspicious in these additions?)

Two files were removed because they are already in abstractions/winbind:

- /etc/samba/smb.conf r,
- /tmp/.winbindd/pipe w,

I'll attach the updated profile - can you please test it again?

(Needless to say that it's easy to DOS winbindd simply by creating /tmp/.winbindd as file, but that's another story...)
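The three things this review catches by eye (the invalid "rwck" mode, the "mr" that *.so files need according to the initial report, and rules that an included abstraction already grants) can be checked mechanically before a profile is attached. The following linter is an added example, not code from the bug report or from the AppArmor project; the sample profile and abstraction texts it embeds are constructed stand-ins, not attachment 483250 or the real abstractions/winbind, and the set of permission letters it accepts is my reading of apparmor.d(5).

```python
"""Lint AppArmor file rules for the mistakes discussed in comment 4.

Added example (not from the bug report or the apparmor project).
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Permission letters valid in file rules per apparmor.d(5) as I read it:
# read, write, append, link, lock, mmap. 'c' is NOT one of them, so "rwck"
# fails to parse; execute must always carry a qualifier (ix, Px, Ux, Cx, ...).
BASE_PERMS = set("rwalkm")
EXEC_MODES = ("pix", "Pix", "cix", "Cix", "pux", "Pux", "cux", "Cux",
              "ix", "ux", "Ux", "px", "Px", "cx", "Cx")   # longest first

FILE_RULE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+)\s*,")
INCLUDE_RULE = re.compile(r"^\s*#include\s+<([^>]+)>")


class Finding(NamedTuple):
    line: int
    rule: str
    problem: str


def split_mode(mode: str) -> Tuple[str, str]:
    """Split 'rPx' into ('r', 'Px'); a mode without exec qualifier keeps ''."""
    for ex in EXEC_MODES:
        if mode.endswith(ex):
            return mode[: -len(ex)], ex
    return mode, ""


def check_mode(mode: str) -> List[str]:
    """Return the problems apparmor_parser would object to in a mode string."""
    base, _ = split_mode(mode)
    problems = []
    bad = set(base) - BASE_PERMS - {"x"}
    if bad:
        problems.append(f"invalid permission letter(s) {''.join(sorted(bad))!r}")
    if "x" in base:
        problems.append("bare 'x' must be qualified (ix, Px, Ux, Cx, ...)")
    if "w" in base and "a" in base:
        problems.append("'w' and 'a' are mutually exclusive")
    return problems


def parse_rules(text: str) -> Dict[str, str]:
    """Map path -> mode for every file rule in a profile or abstraction text."""
    return {m.group(1): m.group(2)
            for m in map(FILE_RULE.match, text.splitlines()) if m}


def lint_profile(profile: str, abstractions: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    inherited: Dict[str, Tuple[str, str]] = {}   # path -> (mode, abstraction)
    for lineno, line in enumerate(profile.splitlines(), 1):
        inc = INCLUDE_RULE.match(line)
        if inc:
            for path, mode in parse_rules(abstractions.get(inc.group(1), "")).items():
                inherited[path] = (mode, inc.group(1))
            continue
        m = FILE_RULE.match(line)
        if not m:
            continue
        path, mode = m.group(1), m.group(2)
        rule = f"{path} {mode},"
        for problem in check_mode(mode):
            findings.append(Finding(lineno, rule, problem))
        base, _ = split_mode(mode)
        if path.endswith(".so") and "m" not in base:
            findings.append(Finding(lineno, rule, "shared object mapped without 'm' (use 'mr')"))
        if path in inherited:
            inh_mode, name = inherited[path]
            if set(split_mode(inh_mode)[0]) >= set(base):
                findings.append(Finding(lineno, rule, f"already granted by {name}"))
    return findings


# Constructed sample profile: NOT attachment 483250, but it deliberately
# repeats the mistakes the review above points out.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/sbin/winbindd {
  #include <abstractions/base>
  #include <abstractions/winbind>

  /etc/samba/secrets.tdb rwck,
  /etc/samba/smb.conf r,
  /usr/lib*/samba/idmap/*.so r,
  /usr/lib*/samba/nss_info/*.so mr,
  /var/lib/samba/winbindd_cache.tdb rwk,
  /var/log/samba/log.wb-* w,
  /tmp/.winbindd/pipe w,
  /{var/,}run/samba/winbindd.pid rwk,
}
"""

# Constructed stand-ins for the abstractions; the real ones live under
# /etc/apparmor.d/abstractions/ and contain far more rules.
SAMPLE_ABSTRACTIONS = {
    "abstractions/base": "/usr/lib*/lib*.so* mr,\n",
    "abstractions/winbind": "/etc/samba/smb.conf r,\n/tmp/.winbindd/pipe w,\n",
}


def lint_sample() -> List[Finding]:
    return lint_profile(SAMPLE_PROFILE, SAMPLE_ABSTRACTIONS)


if __name__ == "__main__":
    for f in lint_sample():
        print(f"line {f.line}: {f.rule:45s} -> {f.problem}")
```

Run it against a real profile by reading the file and the abstraction files it includes from /etc/apparmor.d/ into the same dictionary; apparmor_parser remains the authority on syntax, this only front-loads the checks a reviewer would otherwise do by hand.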
https://bugzilla.novell.com/show_bug.cgi?id=748499#c5

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #483250|0                           |1
        is obsolete|                            |

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> 2012-03-26 21:12:33 CEST ---
Created an attachment (id=483289)
 --> (http://bugzilla.novell.com/attachment.cgi?id=483289)
updated usr.sbin.winbindd profile
https://bugzilla.novell.com/show_bug.cgi?id=748499#c6

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lmuelle@suse.com            |

--- Comment #6 from Lars Müller <lmuelle@suse.com> 2012-04-12 14:47:02 CEST ---
Please merge the suggested change. Unfortunately I have no time for testing at the moment.
https://bugzilla.novell.com/show_bug.cgi?id=748499#c7

--- Comment #7 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-04-17 00:00:15 CEST ---
This is an autogenerated message for OBS integration:
This bug (748499) was mentioned in
https://build.opensuse.org/request/show/113963 Factory / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=748499#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2012-04-17 14:09:12 CEST ---
The winbindd profile is in the factory package. If it blocks anything it shouldn't, please reopen or open a new bugreport.
participants (1): bugzilla_noreply@novell.com