Hello,

when using smbldap-useradd using this smb.conf entry

    add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"

smbd obviously needs x permissions for smbldap-useradd.

The patch also adds a new profile for usr.sbin.smbldap-useradd (based on the audit.log from Alexis Pellicier). Additionally, I moved the "/etc/samba/* rwk" rule next to the other /etc-related rules in the smbd profile.

References: https://bugzilla.novell.com/show_bug.cgi?id=738041

I also nominate this patch for the 2.7 branch - even if it adds a new profile, it's "just" a bugfix (and I doubt someone calls smbldap-useradd manually).

Regards,

Christian Boltz
--
>> BTW to everyone: I don't know how I come across to the readers here, I
>> can only infer that from the mails, but if I'm ever off the mark,
>> then I want to be corrected or contradicted.
> Your wish is granted ;-)
*g* Thanks. [>> David Haller and > Christian Boltz in suse-linux]

=== modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-12-29 16:34:01 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2012-01-02 21:56:10 +0000 @@ -23,11 +23,12 @@ /etc/mtab r, /etc/netgroup r, /etc/printcap r, + /etc/samba/* rwk, /proc/*/mounts r, /proc/sys/kernel/core_pattern r, /usr/lib*/samba/vfs/*.so mr, /usr/sbin/smbd mr, - /etc/samba/* rwk, + /usr/sbin/smbldap-useradd Px, /var/cache/samba/** rwk, /var/cache/samba/printing/printers.tdb mrw, /var/lib/samba/** rwk, === added file 'profiles/apparmor.d/usr.sbin.smbldap-useradd' --- profiles/apparmor.d/usr.sbin.smbldap-useradd 1970-01-01 00:00:00 +0000 +++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2012-01-04 18:34:43 +0000 @@ -0,0 +1,39 @@ +# Last Modified: Tue Jan 3 00:17:40 2012 +#include <tunables/global> + +/usr/sbin/smbldap-useradd { + #include <abstractions/base> + #include <abstractions/bash> + #include <abstractions/nameservice> + #include <abstractions/perl> + + /dev/tty rw, + /bin/bash ix, + /etc/init.d/nscd Cx, + /etc/shadow r, + /etc/smbldap-tools/smbldap.conf r, + /etc/smbldap-tools/smbldap_bind.conf r, + /usr/sbin/smbldap-useradd r, + /usr/sbin/smbldap_tools.pm r, + /var/log/samba/log.smbd w, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.smbldap-useradd> + + profile /etc/init.d/nscd { + #include <abstractions/base> + #include <abstractions/nameservice> + + capability sys_ptrace, + + /bin/bash r, + /bin/mountpoint rix, + /bin/systemctl rix, + /dev/tty rw, + /etc/init.d/nscd r, + /etc/rc.status r, + /proc/filesystems r, + /proc/meminfo r, + + } +}
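
Review bot: the added "/usr/sbin/smbldap-useradd Px," rule in the usr.sbin.smbd hunk has no fallback, so the exec from smbd is denied whenever the usr.sbin.smbldap-useradd profile is not loaded (for example if a site disables it). Please say in the commit message that the two files have to ship and load together. The move of "/etc/samba/* rwk," in the same hunk is a cosmetic reorder unrelated to the fix; for the 2.7 nomination consider splitting it out so the backported change to this profile is the single added line.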
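
Review bot: "/etc/shadow r," in the main profile and "capability sys_ptrace," in the /etc/init.d/nscd child profile are the two most sensitive grants in the new usr.sbin.smbldap-useradd file and neither carries a comment. Since the rules were derived from a single audit.log, please add a one-line comment above each saying which operation triggered it, or drop the rule if the tool still works without it. Minor: there is a stray empty "+" line before the closing brace of the child profile.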