Hello,

When using smbldap-useradd via this smb.conf entry
    add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
smbd obviously needs x permissions for smbldap-useradd.

The patch also adds a new profile for usr.sbin.smbldap-useradd (based on 
the audit.log from Alexis Pellicier).

Additionally, I moved the "/etc/samba/* rwk" rule next to the other 
/etc-related rules in the smbd profile.

References: https://bugzilla.novell.com/show_bug.cgi?id=738041

I also nominate this patch for the 2.7 branch - even if it adds a new 
profile, it's "just" a bugfix (and I doubt someone calls smbldap-useradd 
manually).


Regards,

Christian Boltz
-- 
>> BTW to everyone: I don't know how I come across to the readers here; I
>> can only infer that from the mails, but if I am ever off the mark,
>> then I want to be corrected or at least get some pushback.
> Your wish is granted ;-)
*g* Thanks.
[>> David Haller and > Christian Boltz in suse-linux]
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd	2011-12-29 16:34:01 +0000
+++ profiles/apparmor.d/usr.sbin.smbd	2012-01-02 21:56:10 +0000
@@ -23,11 +23,12 @@
   /etc/mtab r,
   /etc/netgroup r,
   /etc/printcap r,
+  /etc/samba/* rwk,
   /proc/*/mounts r,
   /proc/sys/kernel/core_pattern r,
   /usr/lib*/samba/vfs/*.so mr,
   /usr/sbin/smbd mr,
-  /etc/samba/* rwk,
+  /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/cache/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,
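Review bot: The `/usr/sbin/smbldap-useradd Px` rule makes smbd's exec of the script depend on the separate usr.sbin.smbldap-useradd profile being loaded; if only this hunk is applied (or the new profile file is not shipped in the same package update), the exec is denied rather than confined, so the two files should land together and the changelog should say so. `Px` is the right choice here since it scrubs the environment before the transition into the child profile. The move of `/etc/samba/* rwk` next to the other /etc rules is a pure reorder with no permission change; note in passing that it still grants smbd write access to everything under /etc/samba, including smb.conf, which is pre-existing and not something this patch needs to address.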

=== added file 'profiles/apparmor.d/usr.sbin.smbldap-useradd'
--- profiles/apparmor.d/usr.sbin.smbldap-useradd	1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/usr.sbin.smbldap-useradd	2012-01-04 18:34:43 +0000
@@ -0,0 +1,39 @@
+# Last Modified: Tue Jan  3 00:17:40 2012
+#include <tunables/global>
+
+/usr/sbin/smbldap-useradd {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+
+  /dev/tty rw,
+  /bin/bash ix,
+  /etc/init.d/nscd Cx,
+  /etc/shadow r,
+  /etc/smbldap-tools/smbldap.conf r,
+  /etc/smbldap-tools/smbldap_bind.conf r,
+  /usr/sbin/smbldap-useradd r,
+  /usr/sbin/smbldap_tools.pm r,
+  /var/log/samba/log.smbd w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.smbldap-useradd>
+
+  profile /etc/init.d/nscd {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    capability sys_ptrace,
+
+    /bin/bash r,
+    /bin/mountpoint rix,
+    /bin/systemctl rix,
+    /dev/tty rw,
+    /etc/init.d/nscd r,
+    /etc/rc.status r,
+    /proc/filesystems r,
+    /proc/meminfo r,
+
+  }
+}
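Review bot: The nested `profile /etc/init.d/nscd` grants `capability sys_ptrace` and `/bin/systemctl rix`, both broad for a helper whose job is to restart nscd; a comment naming the audit denials that required them would help later maintainers (sys_ptrace most likely comes from the init script's process checks, but that is an inference, not visible here), and `/bin/systemctl rix` deserves a second look because under `ix` systemctl inherits this child profile while the profile cannot constrain the unit names it is invoked with. In the parent profile, `/etc/shadow r` is the most sensitive file opened and should carry a one-line comment on why smbldap-useradd needs it, and `/var/log/samba/log.smbd w` means the script appends to smbd's own log file, which is fine but worth stating. The `# Last Modified:` header is aa-logprof output and could be dropped to avoid spurious diffs on future edits.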

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor