[Bug 688040] New: apparmor profile denies smbd access to the shared folder
https://bugzilla.novell.com/show_bug.cgi?id=688040#c0

Summary: apparmor profile denies smbd access to the shared folder
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Samba
AssignedTo: samba-maintainers@SuSE.de
ReportedBy: kolobov@iszf.irk.ru
QAContact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.29 SUSE/12.0.731.0 (KHTML, like Gecko) Chrome/12.0.731.0 Safari/534.29

The related bug is #666450.

I updated apparmor from
http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

smbd and nmbd are started, but smbd cannot access the shared directory.

audit.log:

type=AVC msg=audit(1302928001.423:3198): apparmor="DENIED" operation="open" parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0

With apparmor disabled everything is OK.

smb.conf contains the lines:

[pub]
        comment = public
        inherit acls = Yes
        path = /mnt/d04/pub
        read only = No
        guest ok = Yes
        create mask = 0664
        directory mask = 0775

Reproducible: Always

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|samba-maintainers@SuSE.de   |jeffm@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=688040#c1

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Jeff Mahoney <jeffm@novell.com> 2011-04-18 02:42:42 UTC ---

As mentioned in bnc#666450, the answer isn't to add specific directories to the profile, it's to add the ability to have local extensions without modifying the profile as shipped. This isn't a samba issue but a general apparmor one.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c2

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> 2011-04-18 22:11:35 CEST ---

Agreed. It would still be worth some bonus points if the samba initscript would auto-generate a profile snippet with the path of all shares ;-)
https://bugzilla.novell.com/show_bug.cgi?id=688040#c3

--- Comment #3 from Lars Müller <lmuelle@novell.com> 2011-04-20 18:30:08 CEST ---

Free coffee and cake if we see a submit request implementing the suggestion from comment #2 in a way that works generically with the current sysvinit approach and with systemd too.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c4

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeffm@novell.com

--- Comment #4 from Jeff Mahoney <jeffm@novell.com> 2011-04-20 17:08:52 UTC ---

Quick hint: this would be super easy for someone looking to learn python. Specifically, check out the ConfigParser module.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c5

mat JaDoel <matjadoel@yahoo.co.id> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matjadoel@yahoo.co.id
           Platform|x86-64                      |32bit

--- Comment #5 from mat JaDoel <matjadoel@yahoo.co.id> 2011-05-21 05:30:20 UTC ---

(In reply to comment #0)
> I updated apparmor from
> http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

openSUSE 11.4 (32b) with latest update + Tumbleweed repo as of 05/21/2011.

It seems samba needs to read the /etc/netgroup file, and that is denied. Here is /var/log/audit/audit.log:

type=AVC msg=audit(1305954890.279:29): apparmor="DENIED" operation="open" parent=4692 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=4732 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The relevant info:

rpm -qa | grep samba
samba-3.5.8-2.5.i586

rpm -qa | grep apparmor
apparmor-docs-2.5.1.r1445-62.11.noarch
apparmor-parser-2.5.1.r1445-62.11.i586
apparmor-profiles-2.5.1.r1445-62.11.noarch
apparmor-utils-2.5.1.r1445-62.11.noarch
libapparmor-devel-2.5.1.r1445-62.11.i586
libapparmor1-2.5.1.r1445-62.11.i586
pam_apparmor-2.5.1.r1445-62.11.i586
patterns-openSUSE-apparmor-11.4-6.9.1.i586
patterns-openSUSE-apparmor_opt-11.4-6.9.1.i586
perl-apparmor-2.5.1.r1445-62.11.i586
yast2-apparmor-2.20.1-1.2.1.noarch

rpm -qa | grep kernel
kernel-desktop-2.6.38.6-29.1.i586
kernel-xen-2.6.38.6-29.1.i586
https://bugzilla.novell.com/show_bug.cgi?id=688040#c6

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> 2011-08-17 01:17:13 CEST ---

Another quick hint: if someone wants to implement comment #2 in perl, Config::IniFiles is probably a good choice.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c7

David Disseldorp <ddiss@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ddiss@novell.com

--- Comment #7 from David Disseldorp <ddiss@novell.com> 2011-08-17 23:10:50 UTC ---

(In reply to comment #2)
> Agreed. It would still be worth some bonus points if the samba initscript
> would auto-generate a profile snippet with the path of all shares ;-)

Although attractive, this method is far from a silver bullet. As Lars described on the opensuse-factory ML, Samba share definitions can be updated with various actions: process restart, SIGHUP, smbcontrol message and registry change. Acting on internal MSG_SMB_CONF_UPDATED messages may be a less cumbersome option, but even then there's still the option of [homes] and other variable-dependent share paths.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |lmuelle@novell.com

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2011-08-21 17:45:16 CEST ---

(In reply to comment #7)
> (In reply to comment #2)
> > Agreed. It would still be worth some bonus points if the samba initscript
> > would auto-generate a profile snippet with the path of all shares ;-)
>
> Although attractive, this method is far from a silver bullet. As Lars
> described on the opensuse-factory ML, Samba share definitions can be updated
> with various actions: process restart, SIGHUP, smbcontrol message and
> registry change.

Yes, I've seen his mail - however I'd say this is where things get scary ;-)

Basically I see two options:

a) parse smb.conf to create an apparmor profile snippet (without the "dynamically" created shares)
b) let Samba itself update the profile snippet
c) (did I miss another option?)

b) might sound like the better solution, but comes with the risk that someone exploits Samba and then raises his privileges. With a) he would at least have to modify smb.conf and re-run the initscript to update the apparmor profile snippet, which is much more difficult to exploit IMHO.

Lars, what is your opinion about this?
https://bugzilla.novell.com/show_bug.cgi?id=688040#c9

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leezer3@gmail.com

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> 2011-08-26 14:40:15 CEST ---

*** Bug 714089 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=714089
https://bugzilla.novell.com/show_bug.cgi?id=688040#c

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|jeffm@suse.com              |suse-beta@cboltz.de
https://bugzilla.novell.com/show_bug.cgi?id=688040#c10

--- Comment #10 from Christian Boltz <suse-beta@cboltz.de> 2011-10-11 13:21:26 CEST ---

Based on the discussion on the ML, here's a script to generate an apparmor profile snippet that includes all shares listed in smb.conf, with the exception of
- variables (anything containing a % sign)
- "/" - if someone is insane enough to share his complete filesystem, he'll have to modify the apparmor profile himself.

testparm turned out to be quite useful :-)

    # snippet header, then one rule pair per share: "<path>/ rk," and "<path>/** rwkl,"
    echo '# autogenerated at samba start - do not edit!'
    # only "path = <value>" lines whose whole value is at least 2 chars and contains no %, space or tab
    # (the $ anchors the test to the complete value, so "/home/%U" is skipped as well as "%H" and "/")
    testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}$/ s§^[ \t]*path[ \t]*=[ \t]*\(.*\)$§\1/ rk,\n\1/** rwkl,§p'

("[ \t]" means space and tab - ignore the linebreak above)
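The same generator in Python, as an added example (it is not the update-apparmor-samba-profile script attached to this bug, nor any openSUSE package code): it follows the idea of comment #10 using the ConfigParser module that comment #4 suggested, reading text in the INI-like shape `testparm -s` prints. The sample input below is constructed for this example; the share names and paths in it are made up, apart from the two quoted in this bug. Two details matter for a secure result: `interpolation=None`, because Samba variables such as `%U` would otherwise be treated as Python interpolation tokens, and quoting of paths that contain whitespace, which would otherwise produce a rule the parser rejects (and a rejected snippet means the whole smbd profile fails to load).

```python
"""Generate an AppArmor snippet for smbd covering every static Samba share path.

Added example, not the script attached to the bug. Input is text in the
format `testparm -s` prints; the sample below is constructed.
"""
import configparser
import io
import posixpath
import re
import subprocess

# Constructed sample in the shape of `testparm -s` output. [homes] has a
# variable-dependent path and [root] shares "/"; both must be skipped.
# [scans] has a path with a space, which must be quoted in the rule.
SAMPLE_TESTPARM_OUTPUT = """\
# Global parameters
[global]
	workgroup = WORKGROUP
	server string = example

[pub]
	comment = public
	path = /mnt/d04/pub
	read only = No
	guest ok = Yes

[homes]
	path = /home/%U
	browseable = No

[root]
	path = /

[data]
	path = /srv/samba-share/

[scans]
	path = /srv/scan inbox
"""

HEADER = "# autogenerated at samba start - do not edit!"


def share_paths(testparm_text):
    """Return the static share paths found in testparm-style text.

    Skipped: shares without a `path`, paths containing a Samba variable (`%`),
    relative paths, and the filesystem root "/" (comment #10 deliberately
    leaves that one to the administrator). Trailing slashes are normalised.
    """
    parser = configparser.ConfigParser(
        interpolation=None,   # "%U" must not be parsed as an interpolation token
        strict=False,         # tolerate duplicate keys/sections in generated output
        delimiters=("=",),
    )
    parser.read_file(io.StringIO(testparm_text))
    paths = []
    for section in parser.sections():
        raw = parser.get(section, "path", fallback=None)
        if raw is None:
            continue
        path = posixpath.normpath(raw.strip())
        if "%" in path or path == "/" or not path.startswith("/"):
            continue
        paths.append(path)
    return paths


def apparmor_path(path):
    """Quote a rule path when it contains whitespace (AppArmor accepts "...")."""
    return '"%s"' % path if re.search(r"\s", path) else path


def apparmor_rules(paths):
    """Emit the rule pair comment #10 generates. The directory itself needs its
    own rule because `/dir/**` does not match `/dir/` (see comment #35)."""
    lines = [HEADER]
    for path in paths:
        lines.append("%s rk," % apparmor_path(path + "/"))
        lines.append("%s rwkl," % apparmor_path(path + "/**"))
    return "\n".join(lines) + "\n"


def generate_snippet(testparm_text):
    return apparmor_rules(share_paths(testparm_text))


def snippet_from_system():
    """Run the real `testparm -s` (stderr discarded, as in comment #10)."""
    out = subprocess.check_output(["testparm", "-s"], stderr=subprocess.DEVNULL)
    return generate_snippet(out.decode("utf-8", "replace"))


if __name__ == "__main__":
    print(generate_snippet(SAMPLE_TESTPARM_OUTPUT), end="")
```

Writing the result to /etc/apparmor.d/local/usr.sbin.smbd-shares and reloading the profile is the job of the initscript hook; this block only produces the text, so it can be tested without Samba installed.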
https://bugzilla.novell.com/show_bug.cgi?id=688040#c11

--- Comment #11 from Christian Boltz <suse-beta@cboltz.de> 2011-10-17 22:18:49 CEST ---

Created an attachment (id=457112)
 --> (http://bugzilla.novell.com/attachment.cgi?id=457112)
update-apparmor-samba-profile

update-apparmor-samba-profile - script to create or update an apparmor snippet with permissions for all samba shares.

Proposed path: /usr/share/samba/update-apparmor-samba-profile (called by initscript or systemd - no need to have it in /usr/sbin/)
https://bugzilla.novell.com/show_bug.cgi?id=688040#c12

--- Comment #12 from Christian Boltz <suse-beta@cboltz.de> 2011-10-17 22:21:11 CEST ---

Created an attachment (id=457113)
 --> (http://bugzilla.novell.com/attachment.cgi?id=457113)
Patch for the smb initscript

This patch for the smb initscript adds calls to the update-apparmor-samba-profile script on (re)start and reload.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c13

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lmuelle@suse.com            |
         AssignedTo|suse-beta@cboltz.de         |samba-maintainers@SuSE.de

--- Comment #13 from Christian Boltz <suse-beta@cboltz.de> 2011-10-17 22:29:14 CEST ---

The attachments contain everything you need to let samba update its AppArmor profile. (Well, I have to admit that I'm not sure about systemd - if there is a service file for samba, you'll have to include a call to my script.)

I didn't send a SR because changing the initscript inside a tarball looks a bit ;-) horrible to me.

Please include this script and patch in openSUSE 12.1. For the records: the risk of the patch and the script is very low IMHO.

I'll commit an updated AppArmor package that includes the generated snippet in the Samba AppArmor profile when you have included the script in the samba package.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Platform|32bit                       |All
         AssignedTo|samba-maintainers@SuSE.de   |lmuelle@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=688040#c14

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #14 from Lars Müller <lmuelle@suse.com> 2011-10-18 20:51:09 CEST ---

Suggested fix merged and pushed into network:samba:TESTING.

Please test if that works for you. Without complaints we'll merge the required changes tomorrow.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c15

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #15 from Christian Boltz <suse-beta@cboltz.de> 2011-10-18 22:01:18 CEST ---

(In reply to comment #14)
> Suggested fix merged and pushed into network:samba:TESTING.
>
> Please test if that works for you. Without complaints we'll merge the
> required changes tomorrow.

error: Installed (but unpackaged) file(s) found:
   /usr/share/samba/update-apparmor-samba-profile

Please add it to %files ;-)
https://bugzilla.novell.com/show_bug.cgi?id=688040#c16

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #16 from Lars Müller <lmuelle@suse.com> 2011-10-18 23:08:05 CEST ---

Fixed.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-19 01:00:21 CEST ---

This is an autogenerated message for OBS integration:
This bug (688040) was mentioned in
https://build.opensuse.org/request/show/88635 Factory / samba
https://bugzilla.novell.com/show_bug.cgi?id=688040#c18

--- Comment #18 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-19 13:00:07 CEST ---

This is an autogenerated message for OBS integration:
This bug (688040) was mentioned in
https://build.opensuse.org/request/show/88695 Factory / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=688040#c19

--- Comment #19 from Christian Boltz <suse-beta@cboltz.de> 2011-10-19 13:02:04 CEST ---

SR 88695 (for the apparmor package) will include the autogenerated profile snippet in the smbd profile.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c20

Norbert Hornyak <hnsz2002@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|RESOLVED                    |REOPENED
                 CC|                            |hnsz2002@gmail.com
         Resolution|FIXED                       |

--- Comment #20 from Norbert Hornyak <hnsz2002@gmail.com> 2012-01-30 16:11:25 UTC ---

The bug is still present in the main repo, and also in network:samba:TESTING.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c21

Lars Müller <lmuelle@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
       InfoProvider|                            |kolobov@iszf.irk.ru

--- Comment #21 from Lars Müller <lmuelle@suse.com> 2012-01-30 23:32:45 CET ---

Please switch AppArmor to complain mode and provide which access rights are missing.

Samba from network:samba:TESTING and network:samba:STABLE are currently at the identical code level. This is easy to check via the content of the build-source-timestamp file.

If this is a different issue please close this bug and file a separate one.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c22

--- Comment #22 from Dmitri Kolobov <kolobov@iszf.irk.ru> 2012-01-31 04:27:22 UTC ---

I updated Apparmor from 'Updates' repo and samba from 'samba:STABLE'.
It works for me. Access to custom directories is allowed.
OpenSUSE 11.4.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c23

--- Comment #23 from Norbert Hornyak <hnsz2002@gmail.com> 2012-01-31 09:49:49 UTC ---

(In reply to comment #21)
> Please switch AppArmor to complain mode and provide which access rights are
> missing.
>
> Samba from network:samba:TESTING and network:samba:STABLE are currently at
> the identical code level. This is easy to check via the content of the
> build-source-timestamp file.
>
> If this is a different issue please close this bug and file a separate one.

I switched smbd to complain mode, but I saw nothing else:

[ 4169.986750] type=1400 audit(1328003056.364:237): apparmor="ALLOWED" operation="open" parent=11157 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=11423 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000

samba version in the testing repo: samba-3.6.3-97.1
in the stable: samba-3.6.3-85.1
https://bugzilla.novell.com/show_bug.cgi?id=688040#c24

--- Comment #24 from Norbert Hornyak <hnsz2002@gmail.com> 2012-01-31 09:51:08 UTC ---

(In reply to comment #22)
> I updated Apparmor from 'Updates' repo and samba from 'samba:STABLE'.
> It works for me. Access to custom directories is allowed.
> OpenSUSE 11.4.

From which updates? http://download.opensuse.org/update/11.4/ ? I'm updated too...
https://bugzilla.novell.com/show_bug.cgi?id=688040#c25

--- Comment #25 from Christian Boltz <suse-beta@cboltz.de> 2012-01-31 11:07:50 CET ---

Ah, you are using 11.4 - that explains it. The autogenerated apparmor snippet for all shares is included starting with 12.1.

Basically, you have two options:

a) manual way:
   - echo "# replaceme" > /etc/apparmor.d/local/usr.sbin.smbd-shares
   - add "  #include <local/usr.sbin.smbd-shares>" to /etc/apparmor.d/usr.sbin.smbd
   - rcsmb restart (this should update the local/usr.sbin.smbd-shares snippet)

b) update your apparmor-profiles package to 2.7.1 from security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor 2.5, but if it works, it's the easiest solution.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c26

--- Comment #26 from Norbert Hornyak <hnsz2002@gmail.com> 2012-01-31 10:19:47 UTC ---

(In reply to comment #25)
> Ah, you are using 11.4 - that explains it. The autogenerated apparmor
> snippet for all shares is included starting with 12.1.
>
> Basically, you have two options:
>
> a) manual way:
>    - echo "# replaceme" > /etc/apparmor.d/local/usr.sbin.smbd-shares
>    - add "  #include <local/usr.sbin.smbd-shares>" to /etc/apparmor.d/usr.sbin.smbd
>    - rcsmb restart (this should update the local/usr.sbin.smbd-shares snippet)
>
> b) update your apparmor-profiles package to 2.7.1 from
> security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor
> 2.5, but if it works, it's the easiest solution.

a)
AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error, unexpected TOK_MODE, expecting TOK_OPEN
/etc/apparmor.d/usr.sbin.smbd failed to load

b) Same error:
[ 6270.775634] type=1400 audit(1328005157.152:357): apparmor="DENIED" operation="open" parent=15544 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=15640 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000
https://bugzilla.novell.com/show_bug.cgi?id=688040#c27

--- Comment #27 from Christian Boltz <suse-beta@cboltz.de> 2012-01-31 23:56:59 CET ---

(In reply to comment #26)
> >    - add "  #include <local/usr.sbin.smbd-shares>" to /etc/apparmor.d/usr.sbin.smbd
> >    - rcsmb restart (this should update the local/usr.sbin.smbd-shares snippet)
>
> AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in
> /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error,
> unexpected TOK_MODE, expecting TOK_OPEN

Sounds like you added the include before the opening "/usr/sbin/smbd {" line. You should add it below (inside the {...} block).

> > b) update your apparmor-profiles package to 2.7.1 from
> > security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor
> > 2.5, but if it works, it's the easiest solution.
>
> Same error:
> [DENIED message from audit.log]

So the good news is that the 2.7 profiles work with AppArmor 2.5 :-)

Did you restart AppArmor and Samba after updating the profiles package? If not, run:
    rcapparmor restart
    rcsmb restart
https://bugzilla.novell.com/show_bug.cgi?id=688040#c28

--- Comment #28 from Norbert Hornyak <hnsz2002@gmail.com> 2012-02-01 11:30:28 UTC ---

(In reply to comment #27)
> Sounds like you added the include before the opening "/usr/sbin/smbd {"
> line. You should add it below (inside the {...} block).

Yeah, this is my fault. I downgraded back to apparmor 2.5, which is in the 11.4 oss repo, and with this correction, it seems to be OK...

> So the good news is that the 2.7 profiles work with AppArmor 2.5 :-)

No, I updated everything (libapparmor, parser, utils...) from the factory repo, so all of my apparmor packages were 2.7.

> Did you restart AppArmor and Samba after updating the profiles package?
> If not, run:
>     rcapparmor restart
>     rcsmb restart

Yes, I restarted everything, but with apparmor 2.7 it didn't work.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c29

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
       InfoProvider|kolobov@iszf.irk.ru         |
         Resolution|                            |FIXED

--- Comment #29 from Christian Boltz <suse-beta@cboltz.de> 2012-02-01 17:37:07 CET ---

Thanks for your feedback.

OK, then this bug stays "fixed" for >= 12.1 - and "wontfix" for 11.4 (with comment #25 method a) as workaround).
https://bugzilla.novell.com/show_bug.cgi?id=688040#c30

--- Comment #30 from Norbert Hornyak <hnsz2002@gmail.com> 2012-02-01 17:16:29 UTC ---

And why not fix in 11.4?
https://bugzilla.novell.com/show_bug.cgi?id=688040#c31

--- Comment #31 from Christian Boltz <suse-beta@cboltz.de> 2012-02-01 20:38:08 CET ---

(In reply to comment #30)
> And why not fix in 11.4?

Because (AFAIK) the samba package in 11.4 does not contain the script to generate the AppArmor snippet - you got it only because you use the samba:stable repo.

In other words: this would be a bigger change (basically introducing a new feature) in multiple packages. IMHO it's a bit too late for new features in 11.4 ;-)

(but if you really want it, you can always do a SR to openSUSE:11.4:Update:Test and point to this bugreport)
https://bugzilla.novell.com/show_bug.cgi?id=688040#c32

--- Comment #32 from Norbert Hornyak <hnsz2002@gmail.com> 2012-02-01 20:56:42 UTC ---

(In reply to comment #31)
> Because (AFAIK) the samba package in 11.4 does not contain the script to
> generate the AppArmor snippet

I think this is the problem... Apparmor is delivered (and installed by default?) with 11.4 and has a profile for samba too, but if you install and want to use samba, it isn't working.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c33

--- Comment #33 from Jeff Mahoney <jeffm@suse.com> 2012-02-01 21:00:00 UTC ---

For 11.4 (and every release prior), this is the case. It will also be true of *any* file serving daemon, simply because you can export anything on the file system through them. That is fundamentally opposite the premise of a tool like AppArmor which wants to restrict access to the file system.

The Samba profile has *always* needed to be modified. It's just that in 12.1 we've included a tool to do it automatically. For prior releases, it would be a post-release enhancement, which is against the openSUSE update policies.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c34

--- Comment #34 from Norbert Hornyak <hnsz2002@gmail.com> 2012-02-01 21:07:09 UTC ---

Yeah, you are right. But I tried to add the access to the shared directory manually (/srv/samba-share/** rwkl) for smbd, and it did not help. No need to create these rules automatically, but if I add them manually, it should work.
https://bugzilla.novell.com/show_bug.cgi?id=688040#c35

Norbert Hornyak <hnsz2002@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID

--- Comment #35 from Norbert Hornyak <hnsz2002@gmail.com> 2012-02-01 21:38:45 UTC ---

Ehm :)

So, I checked what is in the /etc/apparmor.d/local/usr.sbin.smbd-shares file... Nobody asked me what rules I added. The error was caused by a missing rule:

  /srv/samba-share/ rl

I thought that /srv/samba-share/** contained the permission for this directory too.

I have now downgraded samba and apparmor to the 11.4 oss repo version, then fixed the rules, and everything works fine.
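The point of comment #35, that `/srv/samba-share/** rwkl,` does not cover the directory `/srv/samba-share/` itself, can be checked mechanically against the audit events. The following is an added example, not code from the bug report or from any AppArmor tool: it re-implements a simplified version of the path-glob matching the AppArmor parser applies (an assumption of this example: after a `/`, both `*` and `**` must consume at least one non-slash character, and `{a,b}` alternation and `[...]` classes are not handled), parses the constructed audit lines below (modelled on the ones quoted in comments #0, #5 and #23), and prints the rule that is still missing for each. It also treats a complain-mode `apparmor="ALLOWED"` line that carries a `denied_mask` as a missing rule, since that is exactly the access enforce mode would refuse, which is what comment #23's log shows.

```python
"""List the AppArmor rules an smbd snippet is still missing, given audit events.

Added example, not from the bug report or from AppArmor itself. The glob
translation is a simplified model of the parser (assumption: `*`, `**`, `?`
only). Audit lines and rules below are constructed for the example.
"""
import re

# Constructed audit lines, modelled on the ones quoted in this bug. The third
# one was logged in complain mode: ALLOWED, but denied_mask is still set.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1302928001.423:3198): apparmor="DENIED" operation="open" parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=AVC msg=audit(1305954890.279:29): apparmor="DENIED" operation="open" parent=4692 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=4732 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4169.986750] type=1400 audit(1328003056.364:237): apparmor="ALLOWED" operation="open" parent=11157 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=11423 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000
"""

# The snippet as comment #34 first wrote it for /srv/samba-share: only the /** rule.
SAMPLE_RULES = [
    "/mnt/d04/pub/ rk,",
    "/mnt/d04/pub/** rwkl,",
    "/srv/samba-share/** rwkl,",
]

AVC_RE = re.compile(
    r'apparmor="(?P<status>\w+)".*?profile="(?P<profile>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)".*?denied_mask="(?P<mask>[^"]*)"'
)
RULE_RE = re.compile(r"^\s*(?P<glob>\S+)\s+(?P<perms>[rwklmix]+)\s*,\s*$")


def glob_to_regex(glob):
    """Translate an AppArmor file glob into an anchored regex (simplified).

    After a "/", "*" and "**" must consume at least one character that is not
    "/", which is why "/dir/**" does not match "/dir/" but "/dir/" does.
    """
    out = []
    i = 0
    while i < len(glob):
        after_slash = i == 0 or glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/][^/]*" if after_slash else "[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def parse_rules(rules):
    parsed = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: %r" % rule)
        parsed.append((glob_to_regex(m.group("glob")), set(m.group("perms"))))
    return parsed


def granted_perms(parsed_rules, path):
    """Permissions are the union of every rule whose glob matches the path."""
    perms = set()
    for regex, rule_perms in parsed_rules:
        if regex.match(path):
            perms |= rule_perms
    return perms


def missing_rules(rules, audit_text, profile="/usr/sbin/smbd"):
    """Return [(path, mask)] for events the rules do not fully cover; each
    pair is the rule still to add, e.g. ("/srv/samba-share/", "r")."""
    parsed = parse_rules(rules)
    missing = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("profile") != profile or not m.group("mask"):
            continue
        if not set(m.group("mask")) <= granted_perms(parsed, m.group("name")):
            missing.append((m.group("name"), m.group("mask")))
    return missing


if __name__ == "__main__":
    for path, mask in missing_rules(SAMPLE_RULES, SAMPLE_AUDIT_LOG):
        print("%s %s," % (path, mask))
```

Running it against the sample prints `/etc/netgroup r,` and `/srv/samba-share/ r,`; adding a `/srv/samba-share/ rl,` rule, as comment #35 did, removes the second one.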
https://bugzilla.novell.com/show_bug.cgi?id=688040#c36

--- Comment #36 from Christian Boltz <suse-beta@cboltz.de> 2012-02-02 19:33:15 CET ---

(In reply to comment #35)
> So, I checked what is in the /etc/apparmor.d/local/usr.sbin.smbd-shares file...

If you use a samba package that updates this file (in other words: a package from the samba:* repo), you can just add an include rule to the smbd profile to include local/usr.sbin.smbd-shares.

> Nobody asked me what rules I added. The error was caused by a missing rule:
>
>   /srv/samba-share/ rl

;-)
https://bugzilla.novell.com/show_bug.cgi?id=688040#c

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |FIXED