Re: Update from 20220908 to 20221101 Breaks SMB
Hello,

Noel, your mails didn't reach the ML, but since you had factory in the "To", I'll answer in public.

On Wednesday, 9 November 2022, 15:24:45 CET, Noel Power wrote:
> On 09/11/2022 09:41, Noel Power wrote:
>> On 08/11/2022 21:13, Christian Boltz wrote: [...]
>>> That said - I'm surprised why smbd wants to write the pid file of samba-bgqd.

Carlos, thanks for sending the logs to me. They contained only a few AppArmor-related lines, two denials (on Nov 3 8:48 CET) and a profile reload two days later (on Nov 5 18:58 CET):

type=AVC msg=audit(1667461690.822:173): apparmor="DENIED" operation="open" profile="smbd" name="/proc/2524/fd/" pid=2524 comm="samba-bgqd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(1667461690.826:174): apparmor="DENIED" operation="mknod" profile="smbd" name="/run/samba/samba-bgqd.pid" pid=2524 comm="samba-bgqd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

type=AVC msg=audit(1667671097.142:9808): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="smbd" pid=19418 comm="apparmor_parser"

The DENIED lines match what aa-logprof asked you.

However, the strange thing is that the log lines say profile="smbd" and comm="samba-bgqd", which means the program samba-bgqd runs under the smbd profile. That's surprising because the smbd has a Px rule for it, so it should run under its own samba-bgqd profile.

[I first also wondered because Leap 15.3 comes with AppArmor 2.13.6 which doesn't have any rules for samba-bgqd in the upstream profile - but that part became clear when I noticed that the samba-bgqd profile was backported and released as update for 15.3.]

That leaves us with the question why samba-bgqd did run under the smbd profile, while (according to the Px rule) it should run under its own profile.

Carlos, if you remove the two added rules from the smbd profile again and reload the profiles with systemctl reload apparmor - do you get similar DENIED events again?

>>> @Noel: does this sound correct to you? (I know that smbd starts samba-bgqd, but I'd expect - without looking at any source code - that samba-bgqd writes its pid file.)
>>
>> offhand this seems strange to me, I know it needs read access to this file... I quickly looked at the code and don't see anything, I'll try to dig a bit deeper.
>
> hmm, I tried to reproduce this on latest tumbleweed (with samba-4.17.2) but couldn't, are there any more details (bug?) in fact on tw I don't get any hits in audit log for samba-bgqd and it picks up my local printer. If I could reproduce it then between strace and log entries I'd have a better chance to try and find where in the code this happens (can't see anything suspicious in the source)

See above - the log lines indicate that something strange is going on. Also note that it happened on 15.3, which has a few ;-) differences to Tumbleweed.

Regards,

Christian Boltz
-- 
High-performance webspace: those are public-html directories that do twenty push-ups every morning and are pumped full of testosterone. [Markus Schaber]
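Added example, not part of the original message or of AppArmor's tooling: a small Python check that parses the three audit lines quoted in the message and flags DENIED events where the process name (comm) differs from the confining profile, which is the mismatch discussed above. The function names are hypothetical, and the comparison assumes a profile is named after the binary it confines.

```python
import re
from datetime import datetime, timezone

# The three audit lines quoted in the message above.
SAMPLE_LOG = """\
type=AVC msg=audit(1667461690.822:173): apparmor="DENIED" operation="open" profile="smbd" name="/proc/2524/fd/" pid=2524 comm="samba-bgqd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667461690.826:174): apparmor="DENIED" operation="mknod" profile="smbd" name="/run/samba/samba-bgqd.pid" pid=2524 comm="samba-bgqd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1667671097.142:9808): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="smbd" pid=19418 comm="apparmor_parser"
"""

HEADER = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return one AppArmor audit record as a dict, or None for other lines."""
    head = HEADER.search(line)
    if head is None or "apparmor=" not in line:
        return None
    # Fields after the header are key="quoted value" or key=bare_value.
    rec = {k: (q if q else b) for k, q, b in FIELD.findall(line[head.end():])}
    rec["time"] = datetime.fromtimestamp(int(head.group(1)), tz=timezone.utc)
    rec["serial"] = int(head.group(2))
    return rec


def profile_mismatches(log):
    """DENIED events whose process name differs from the confining profile."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        # Assumption: the profile is named after the binary. The kernel
        # truncates comm to 15 characters, so compare on that length.
        expected = rec["profile"].rsplit("/", 1)[-1][:15]
        if rec["comm"] != expected:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in profile_mismatches(SAMPLE_LOG):
        print(f'{r["time"]:%Y-%m-%d %H:%M:%S} UTC  {r["comm"]} confined by '
              f'profile {r["profile"]}: {r["operation"]} {r["name"]} '
              f'(denied {r["denied_mask"]})')
```

A hit means the child was still confined by its parent's profile when the denial was logged, so the place to look is the exec transition rule rather than the missing file rule.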