Hi,
I did a full update this morning, so the apparmor update was installed
at the same time as the smb update.
# zypper if apparmor-profiles
...
Information for package apparmor-profiles:
------------------------------------------
Repository : SLE-Module-Basesystem15-SP3-Updates
Name : apparmor-profiles
Version : 2.13.6-150300.3.11.2
Arch : noarch
Vendor : SUSE LLC https://www.suse.com/
Support Level : Level 3
Installed Size : 1.5 MiB
Installed : Yes (automatically)
Status : up-to-date
On Wed, Feb 2, 2022 at 2:09 PM Christian Boltz
Hello,
Am Mittwoch, 2. Februar 2022, 13:02:09 CET schrieb Wilfred van Velzen:
I don't really need it because I don't need printing through samba, but I'm curious, so I tried it:
# aa-logprof Reading log entries from /var/log/audit/audit.log. Updating AppArmor profiles in /etc/apparmor.d. Target profile exists: /etc/apparmor.d/samba-bgqd
Profile: smbd Execute: /usr/lib64/samba/samba-bgqd Severity: unknown
That looks like you don't have the latest AppArmor packages installed. Please make sure to have AppArmor 2.13.6 - the update was released only 21 hours ago.
See https://bugzilla.opensuse.org/show_bug.cgi?id=1195412 for some more details.
(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
That's the prompt you get when AppArmor hits an "exec" event (a program executed another program, without having a rule for it yet).
The options listed let you choose if the program gets executed under the same AppArmor profile (inherit), or with a separate profile.
<shameless plug> If you want to learn what these options mean, have a look at my "AppArmor Crash Course". You can find the slides on blog.cboltz.de, and a recording on media.ccc.de: https://media.ccc.de/v/786-apparmor-crash-course (Note: The recording is from 2016, but it only misses a few feature additions. There's also a newer german recording on media.ccc.de)
The security guide on doc.opensuse.org should also get you started.
I have no clue what to choose here. And there seems to be a big discrepancy with 'man aa-logprof' because it only mentions and explains these options:
(A)llow, (D)eny, (I)gnore, (N)ew, (G)lob last piece, (Q)uit
That's the prompt you get when a program tries to access (read, write, lock etc.) a file.
Regards,
Christian Boltz -- * pfak cries in a corner <pfak> You think I'm joking. But my desk at work is in a corner. <sarnold> that's just smart planning <sarnold> put the guy who knows how everything works in the corner, so when he wants to cry in a corner, *bam*, synergies and efficiencies! [from #apparmor]
-- Met vriendelijke groet / Best regards, Wilfred van Velzen