[Bug 846054] New: Default samba apparmor profile denies its usage
https://bugzilla.novell.com/show_bug.cgi?id=846054
https://bugzilla.novell.com/show_bug.cgi?id=846054#c0

Summary: Default samba apparmor profile denies its usage
Classification: openSUSE
Product: openSUSE 13.1
Version: RC 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: luizluca@tre-sc.gov.br
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36

Hello,

The default profile is not allowing samba to work properly:

For winbind (for smb.conf.tresc, I use a symlink smb.conf -> smb.conf.tresc):

type=1400 audit(1381783806.863:33): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/usr/share/samba/codepages/upcase.dat" pid=2025
type=1400 audit(1381783806.863:34): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/usr/share/samba/codepages/lowcase.dat" pid=2025 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1381783806.974:35): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/etc/samba/smb.conf.tresc" pid=2025 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1381784934.834:46): apparmor="DENIED" operation="rename_src" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/winbindd_cache.tdb.bak" pid=4664 comm="winbindd" requested_mask="rwd" denied_mask="rwd" fsuid=0 ouid=0
type=1400 audit(1381784934.835:47): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/winbindd_cache.tdb.bak.tmp" pid=4664 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=1400 audit(1381784934.835:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
type=1400 audit(1381784934.835:49): apparmor="DENIED" operation="truncate" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1381784934.835:50): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
type=1400 audit(1381784934.866:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/winbindd" name="/var/run/samba/winbindd/" pid=4664 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

For smbd (specially tdbsam.so is fatal):

type=1400 audit(1381784615.634:37): apparmor="DENIED" operation="open" parent=4321 profile="/usr/sbin/smbd" name="/usr/share/samba/codepages/upcase.dat" pid=4322 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1381784615.634:38): apparmor="DENIED" operation="open" parent=4321 profile="/usr/sbin/smbd" name="/usr/share/samba/codepages/lowcase.dat" pid=4322 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1381784615.727:39): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/smbd" name="/usr/lib64/samba/pdb/tdbsam.so" pid=4323 comm="smbd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

And nmbd:

type=1400 audit(1381784935.224:52): apparmor="DENIED" operation="open" parent=4764 profile="/usr/sbin/nmbd" name="/usr/share/samba/codepages/upcase.dat" pid=4765 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1381785084.057:64): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nmbd" name="/var/cache/samba/gencache.tdb" pid=4766 comm="nmbd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
type=1400 audit(1381841171.493:34): apparmor="DENIED" operation="open" parent=1351 profile="/usr/sbin/nmbd" name="/usr/share/samba/codepages/lowcase.dat" pid=1352 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Reproducible: Always

Steps to Reproduce:
1. Disable apparmor
2. Configure samba
3. Enable apparmor
4. Restart samba

Actual Results:
5. Samba fails to run with multiple "access denied"

Expected Results:
5. Normal usage should be allowed in default apparmor
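Added example (not part of the original report, and not the AppArmor project's own tooling): a small parser that turns denial records like the ones above into candidate rules per profile, merging the masks seen for each path. The function names are hypothetical; the output is a list of candidates to review against the profile, not a finished policy.

```python
import re
from collections import defaultdict

# Constructed sample: six records copied from the report above (the first one
# is cut short in the report itself and carries no denied_mask).
SAMPLE_LOG = '''\
type=1400 audit(1381783806.863:33): apparmor="DENIED" operation="open" parent=2024 profile="/usr/sbin/winbindd" name="/usr/share/samba/codepages/upcase.dat" pid=2025
type=1400 audit(1381784934.834:46): apparmor="DENIED" operation="rename_src" parent=1 profile="/usr/sbin/winbindd" name="/var/lib/samba/winbindd_cache.tdb.bak" pid=4664 comm="winbindd" requested_mask="rwd" denied_mask="rwd" fsuid=0 ouid=0
type=1400 audit(1381784934.835:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
type=1400 audit(1381784934.835:49): apparmor="DENIED" operation="truncate" parent=1 profile="/usr/sbin/winbindd" name="/var/cache/samba/netsamlogon_cache.tdb" pid=4664 comm="winbindd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1381784934.866:51): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/winbindd" name="/var/run/samba/winbindd/" pid=4664 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=1400 audit(1381784615.727:39): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/smbd" name="/usr/lib64/samba/pdb/tdbsam.so" pid=4323 comm="smbd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letters -> profile permission letters; create (c) and delete (d)
# are both granted by "w" in profile syntax.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "k": "k", "l": "l", "m": "m"}
ORDER = "rwalkm"

def parse_denials(text):
    """Yield (profile, path, denied_mask) for each complete DENIED file record."""
    for line in text.splitlines():
        f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in FIELD.finditer(line)}
        if f.get("apparmor") == "DENIED" and {"profile", "name", "denied_mask"} <= f.keys():
            yield f["profile"], f["name"], f["denied_mask"]

def suggest_rules(text):
    """Return {profile: [candidate rule, ...]}, merging masks per path."""
    perms = defaultdict(lambda: defaultdict(set))
    for profile, path, mask in parse_denials(text):
        for ch in mask:
            if ch not in LOG_TO_RULE:  # e.g. "x": exec mode must be chosen by hand
                raise ValueError(f"unhandled mask {ch!r} on {path}")
            perms[profile][path].add(LOG_TO_RULE[ch])
    return {profile: [f"{path} {''.join(p for p in ORDER if p in ps)},"
                      for path, ps in sorted(paths.items())]
            for profile, paths in perms.items()}

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Truncated records are skipped rather than guessed at, and each candidate grants only what was actually denied.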

https://bugzilla.novell.com/show_bug.cgi?id=846054#c1
--- Comment #1 from Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=846054#c2
--- Comment #2 from Bernhard Wiedemann

https://bugzilla.novell.com/show_bug.cgi?id=846054#c3
Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=846054#c4
Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=846054#c5
Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=846054#c6
--- Comment #6 from Bernhard Wiedemann

https://bugzilla.novell.com/show_bug.cgi?id=846054#c7
--- Comment #7 from Bernhard Wiedemann

https://bugzilla.novell.com/show_bug.cgi?id=846054#c8
--- Comment #8 from Bernhard Wiedemann

https://bugzilla.novell.com/show_bug.cgi?id=846054#c9
--- Comment #9 from Swamp Workflow Management

https://bugzilla.novell.com/show_bug.cgi?id=846054#c10
--- Comment #10 from Bernhard Wiedemann

This is an autogenerated message for OBS integration:
This bug (846054) was mentioned in
https://build.opensuse.org/request/show/205609 Factory / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=846054#c11
--- Comment #11 from Christian Boltz

Sorry, wrong bug number in the changelog - ignore this SR here ;-)

https://bugzilla.novell.com/show_bug.cgi?id=846054#c12
Silviu Marin-Caea

Apparmor still causes samba problems in 13.1 final with all updates. It denies a directory creation and samba fails to start.

https://bugzilla.novell.com/show_bug.cgi?id=846054#c13
Christian Boltz

That's a regression caused by the samba update (see bug 856651). I submitted an updated package yesterday, but it usually takes a week or two for QA tests etc. until it's released in the official update repo. You can install the apparmor-profiles package from the security:apparmor repo if you want the fixed profiles now.

Nevertheless, thanks for the report ;-)