[Bug 725967] New: AppArmor doesn't allow Samba VFS modules (recyclebin etc.)
https://bugzilla.novell.com/show_bug.cgi?id=725967#c0

           Summary: AppArmor doesn't allow Samba VFS modules (recyclebin etc.)
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEEDINFO
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: suse-beta@cboltz.de
        ReportedBy: suse-beta@cboltz.de
         QAContact: qa@suse.de
      InfoProvider: lmuelle@suse.com
          Found By: Beta-Customer
           Blocker: ---

Found by Tao te Puh in the opensuse-de ML:

AppArmor doesn't allow Samba to load VFS modules, for example the recycle module. Those modules are described on http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html

audit.log contains:

    type=AVC msg=audit(1319301247.814:209): apparmor="DENIED" operation="file_mmap" parent=13681 profile="/usr/sbin/smbd" name="/usr/lib/samba/vfs/recycle.so" pid=13744 comm="smbd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

There are more *.so modules in this directory, and it's /usr/lib64/samba/vfs/ in the 64bit version, so we need at least this rule in the usr.sbin.smbd profile:

    /usr/lib*/samba/vfs/*.so mr,

@Lars: what about the other files in /usr/lib*/samba/? There are several *.so in the other subdirectories, and some *.msg and *.dat in /usr/lib*/samba/, but /usr/lib*/samba is not mentioned in the samba profiles.

Which of those files are loaded by
a) smbd
b) nmbd
c) winbindd
?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=725967#c1

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> 2011-10-26 23:22:03 CEST ---

I just tested this on my system (with "vfs objects = audit recycle") and can reproduce the DENIED message.

Therefore I just submitted a patch to Factory that allows

    /usr/lib64/samba/vfs/*.so mr,

in the usr.sbin.smbd profile.

Lars, an answer to my question in the description would still be welcome ;-)

https://bugzilla.novell.com/show_bug.cgi?id=725967#c2

--- Comment #2 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-27 00:00:08 CEST ---

This is an autogenerated message for OBS integration:
This bug (725967) was mentioned in
https://build.opensuse.org/request/show/89465 Factory / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=725967#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2011-11-01 18:39:16 CET ---

*argh*

I just noticed that my patch from SR 89465 only covered 64bit systems. I'll commit a fixed patch.

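Added example (not part of the bug report and not openSUSE or AppArmor code): a small checker that parses the audit record from the description and tests whether a proposed profile rule covers it, which shows why the /usr/lib64-only rule from comment #1 misses the denial reported on a 32bit path while the /usr/lib* rule does not. The function names and the simplified glob translation are assumptions made for this illustration.

```python
import re
import shlex

# Audit record quoted in the bug description.
AUDIT_LINE = ('type=AVC msg=audit(1319301247.814:209): apparmor="DENIED" '
              'operation="file_mmap" parent=13681 profile="/usr/sbin/smbd" '
              'name="/usr/lib/samba/vfs/recycle.so" pid=13744 comm="smbd" '
              'requested_mask="m" denied_mask="m" fsuid=0 ouid=0')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
    return fields if fields.get("apparmor") == "DENIED" else None

def aa_glob_to_regex(glob):
    """Simplified AppArmor glob -> regex: '*' and '?' stop at '/', '**' does
    not, '{a,b}' alternates. Character classes/escapes are not handled."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(rule, denial):
    """True if a '<glob> <perms>,' rule grants what the denial asked for."""
    glob, perms = rule.rstrip(",").split()
    hit = aa_glob_to_regex(glob).match(denial["name"]) is not None
    return hit and set(denial["denied_mask"]) <= set(perms)
```

Calling rule_allows(rule, parse_denial(AUDIT_LINE)) with each candidate rule before submitting a profile change catches a pattern that only matches one library directory.
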
https://bugzilla.novell.com/show_bug.cgi?id=725967#c4

--- Comment #4 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-11-01 20:00:07 CET ---

This is an autogenerated message for OBS integration:
This bug (725967) was mentioned in
https://build.opensuse.org/request/show/89885 Factory / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=725967#c5

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lmuelle@suse.com            |

--- Comment #5 from Lars Müller <lmuelle@suse.com> 2011-11-28 21:37:42 CET ---

/usr/lib*/samba/*.msg is all for swat
/usr/lib*/samba/vfs/*.so are vfs modules which plug into the VFS layer of smbd
/usr/lib*/samba/charset/*.so are used by smbd as well
/usr/lib*/samba/auth/script.so very likely smbd too (I never used it)
/usr/lib*/samba/{lowercase,upcase}.dat used by smbd
/usr/lib*/samba/valid.dat says what characters are valid in 8.3 names

https://bugzilla.novell.com/show_bug.cgi?id=725967#c6

--- Comment #6 from Lars Müller <lmuelle@suse.com> 2011-11-28 21:44:28 CET ---

And the next set is used by samba-winbind (winbindd):

/usr/lib*/samba/idmap/adex.so
/usr/lib*/samba/idmap/ad.so
/usr/lib*/samba/idmap/autorid.so
/usr/lib*/samba/idmap/hash.so
/usr/lib*/samba/idmap/ldap.so
/usr/lib*/samba/idmap/rid.so
/usr/lib*/samba/idmap/tdb2.so

/usr/lib*/samba/idmap/*.so maybe?

/usr/lib*/samba/nss_info/adex.so
/usr/lib*/samba/nss_info/hash.so
/usr/lib*/samba/nss_info/rfc2307.so
/usr/lib*/samba/nss_info/sfu20.so
/usr/lib*/samba/nss_info/sfu.so

as /usr/lib*/samba/nss_info/*.so ?

https://bugzilla.novell.com/show_bug.cgi?id=725967#c7

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lmuelle@suse.com

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> 2012-01-05 21:25:07 CET ---

Patch for smbd sent upstream.

I then wanted to update the winbindd profile, but noticed there isn't a profile for it ;-) - only abstractions/winbindd exists.

Lars, can you create a profile for winbindd, please?

https://bugzilla.novell.com/show_bug.cgi?id=725967#c8

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lmuelle@suse.com            |

--- Comment #8 from Lars Müller <lmuelle@suse.com> 2012-01-31 22:31:46 CET ---

How about using the information offered with comment #6?

    /usr/lib*/samba/idmap/*.so r,
    /usr/lib*/samba/nss_info/*.so r,

Sorry for missing the information that we need read access to the files in question.

https://bugzilla.novell.com/show_bug.cgi?id=725967#c9

--- Comment #9 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-02-02 00:00:09 CET ---

This is an autogenerated message for OBS integration:
This bug (725967) was mentioned in
https://build.opensuse.org/request/show/102427 Factory / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=725967#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-02-02 11:00:10 CET ---

This is an autogenerated message for OBS integration:
This bug (725967) was mentioned in
https://build.opensuse.org/request/show/102458 Factory / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=725967#c11

--- Comment #11 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-02-07 17:00:07 CET ---

This is an autogenerated message for OBS integration:
This bug (725967) was mentioned in
https://build.opensuse.org/request/show/103067 12.1 / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=725967#c12

Benjamin Brunner <bbrunner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #12 from Benjamin Brunner <bbrunner@suse.com> 2012-02-22 11:52:10 CET ---

Update released for 12.1. I'll close the bug as resolved fixed.

https://bugzilla.novell.com/show_bug.cgi?id=725967#c13

--- Comment #13 from Christian Boltz <suse-beta@cboltz.de> 2012-02-23 00:33:05 CET ---

comment #7 is not done yet - I opened a separate bugreport (bug 748499) for it.

https://bugzilla.novell.com/show_bug.cgi?id=725967#c14

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> 2012-05-08 16:10:18 UTC ---

openSUSE-RU-2012:0597-1: An update that has four recommended fixes can now be installed.

Category: recommended (low)
Bug References: 725967,738041,757545,758426
CVE References:
Sources used:
openSUSE 11.4 (src): apparmor-2.5.1.r1445-52.126.1