On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
> when using smbldap-useradd using this smb.conf entry
>     add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
> smbd obviously needs x permissions for smbldap-useradd.
>
> The patch also adds a new profile for usr.sbin.smbldap-useradd (based on
> the audit.log from alexis Pellicier).
>
> Additionally, I moved the "/etc/samba/* rwk" rule next to the other
> /etc-related rules in the smbd profile.
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=738041
>
> I also nominate this patch for the 2.7 branch - even if it adds a new
> profile, it's "just" a bugfix (and I doubt someone calls smbldap-useradd
> manually).

Acked-By: Steve Beattie <[email protected]> for trunk and 2.7 with the changes made in response to the feedback from Kees. Thanks! > === modified file 'profiles/apparmor.d/usr.sbin.smbd' > --- profiles/apparmor.d/usr.sbin.smbd 2011-12-29 16:34:01 +0000 > +++ profiles/apparmor.d/usr.sbin.smbd 2012-01-02 21:56:10 +0000 > @@ -23,11 +23,12 @@ > /etc/mtab r, > /etc/netgroup r, > /etc/printcap r, > + /etc/samba/* rwk, > /proc/*/mounts r, > /proc/sys/kernel/core_pattern r, > /usr/lib*/samba/vfs/*.so mr, > /usr/sbin/smbd mr, > - /etc/samba/* rwk, > + /usr/sbin/smbldap-useradd Px, > /var/cache/samba/** rwk, > /var/cache/samba/printing/printers.tdb mrw, > /var/lib/samba/** rwk, > > === added file 'profiles/apparmor.d/usr.sbin.smbldap-useradd' > --- profiles/apparmor.d/usr.sbin.smbldap-useradd 1970-01-01 00:00:00 > +0000 > +++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2012-01-04 18:34:43 > +0000 
> @@ -0,0 +1,39 @@ > +# Last Modified: Tue Jan 3 00:17:40 2012 > +#include <tunables/global> > + > +/usr/sbin/smbldap-useradd { > + #include <abstractions/base> > + #include <abstractions/bash> > + #include <abstractions/nameservice> > + #include <abstractions/perl> > + > + /dev/tty rw, > + /bin/bash ix, > + /etc/init.d/nscd Cx, > + /etc/shadow r, > + /etc/smbldap-tools/smbldap.conf r, > + /etc/smbldap-tools/smbldap_bind.conf r, > + /usr/sbin/smbldap-useradd r, > + /usr/sbin/smbldap_tools.pm r, > + /var/log/samba/log.smbd w, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.sbin.smbldap-useradd> > + > + profile /etc/init.d/nscd { > + #include <abstractions/base> > + #include <abstractions/nameservice> > + > + capability sys_ptrace, > + > + /bin/bash r, > + /bin/mountpoint rix, > + /bin/systemctl rix, > + /dev/tty rw, > + /etc/init.d/nscd r, > + /etc/rc.status r, > + /proc/filesystems r, > + /proc/meminfo r, > + > + } > +} > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
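
Review bot: The added `/usr/sbin/smbldap-useradd Px,` rule in the usr.sbin.smbd hunk has no comment tying it to the `add machine script` setting, and it covers only this one path. Because the transition is Px, smbd's exec of the script is denied whenever the usr.sbin.smbldap-useradd profile is not loaded, and an `add machine script` pointing at any other location is not covered at all. A short comment above the rule naming the smb.conf option and the dependency on the new profile would make that clear to whoever edits the profile next.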
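
Review bot: `/etc/shadow r,` in the new usr.sbin.smbldap-useradd profile gives a tool that smbd launches read access to the local password hashes, and nothing in the profile says why. Since the rules were derived from an audit.log, please confirm the read is actually required; if it is only a side effect of a lookup, drop it or replace it with an explicit deny rule so the log stays quiet. The same applies to `capability sys_ptrace,` in the nested /etc/init.d/nscd profile, which is broad for an init script: a comment naming the command that needs it would help.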
