https://bugzilla.novell.com/show_bug.cgi?id=846054 https://bugzilla.novell.com/show_bug.cgi?id=846054#c0 Summary: Default samba apparmor profile denies its usage Classification: openSUSE Product: openSUSE 13.1 Version: RC 1 Platform: Other OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: AppArmor AssignedTo: suse-beta@cboltz.de ReportedBy: luizluca@tre-sc.gov.br QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36 Hello, The default profile is not allowing samba to work properly: For winbind (for smb.conf.tresc, I use a symlink smb.conf -> smb.conf.tresc) : type=1400 audit(1381783806.863:33): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/usr/share/samba/codepages/upcase.dat" pid=2025 type=1400 audit(1381783806.863:34): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/usr/share/samba/codepages/lowcase.dat" pid=2025 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=1400 audit(1381783806.974:35): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/etc/samba/smb.conf.tresc" pid=2025 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=1400 audit(1381784934.834:46): apparmor="DENIED" operation="rename_src" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/winbindd_cache.tdb.bak" pid=4664 comm="winbindd" requested_mask="rwd" denied_mask="rwd" fsuid=0 ouid=0 type=1400 audit(1381784934.835:47): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/winbindd_cache.tdb.bak.tmp" pid=4664 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 type=1400 audit(1381784934.835:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0 type=1400 audit(1381784934.835:49): apparmor="DENIED" operation="truncate" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 type=1400 audit(1381784934.835:50): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0 type=1400 audit(1381784934.866:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/winbindd" name="/var/run/samba/winbindd/" pid=4664 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 For smbd (specially tdbsam.so is fatal): type=1400 audit(1381784615.634:37): apparmor="DENIED" operation="open" parent=4321 profile="/usr/sbin/smbd" name="/usr/share/samba/codepages/upcase.dat" pid=4322 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=1400 audit(1381784615.634:38): apparmor="DENIED" operation="open" parent=4321 profile="/usr/sbin/smbd" name="/usr/share/samba/codepages/lowcase.dat" pid=4322 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=1400 audit(1381784615.727:39): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/smbd" name="/usr/lib64/samba/pdb/tdbsam.so" pid=4323 comm="smbd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0 And nmbd type=1400 audit(1381784935.224:52): apparmor="DENIED" operation="open" parent=4764 profile="/usr/sbin/nmbd" name="/usr/share/samba/codepages/upcase.dat" pid=4765 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=1400 audit(1381785084.057:64): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nmbd" name="/var/cache/samba/gencache.tdb" pid=4766 comm="nmbd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0 type=1400 audit(1381841171.493:34): apparmor="DENIED" operation="open" parent=1351 profile="/usr/sbin/nmbd" name="/usr/share/samba/codepages/lowcase.dat" pid=1352 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Reproducible: Always Steps to Reproduce: 1.Disable apparmor 2.Configure samba 3.Enable apparmor 4.Restart samba Actual Results: 5.Samba fails to run with multiple "access denied" Expected Results: 5.Normal usage should be allowed in default apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.