http://bugzilla.opensuse.org/show_bug.cgi?id=1166407
http://bugzilla.opensuse.org/show_bug.cgi?id=1166407#c7
--- Comment #7 from Philippe Andersson ---
OK -- two more issues have been spotted.
1./ current AppArmor profiles prevent Samba log rotation
----------------------------------------------------
In /etc/apparmor.d/abstractions/samba (latest available stable version: 15.1,
fully patched), we see this:
/var/log/samba/* w,
In order to allow rotation of log.smbd, log.nmbd, etc. to *.old, that should
be:
/var/log/samba/* rwk,
(not sure the 'k' is strictly needed)
2./ the AD DC process itself has no AppArmor profile
------------------------------------------------
The main process on a Samba4 AD DC is '/usr/sbin/samba'. That process doesn't
have *any* AppArmor profile, even though I suspect it would be the most
critical / vulnerable one.
--
You are receiving this mail because:
You are on the CC list for the bug.