Hello, $subject.
quoting https://bugzilla.opensuse.org/show_bug.cgi?id=991901#c2

the net_admin DENIED error happens for smbd, winbind & nmb. This is related to systemd and how samba communicates with it. Additionally that the operation is denied is not a problem imho as the systemd code handles the EPERM gracefully.

Briefly all the samba daemons call 'become_daemon', see
https://git.samba.org/?p=samba.git;a=blob;f=lib/util/become_daemon.c;h=9979fad569d993aa982d4074761a62f45cc6e95b;hb=HEAD#l66

The sd_notifyf in that function ends up calling fd_inc_sndbuf, see
https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L404
https://github.com/systemd/systemd/blob/master/src/basic/socket-util.c#L754
and this results in the strace snippet as shown in comment #0

I propose this patch for trunk, 2.10 and 2.9.

[ samba-deny-net_admin.diff ]
=== modified file 'profiles/apparmor.d/abstractions/samba' --- profiles/apparmor.d/abstractions/samba 2016-07-26 19:12:35 +0000 +++ profiles/apparmor.d/abstractions/samba 2016-08-04 18:57:31 +0000 @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + deny capability net_admin, + /etc/samba/* r, /usr/lib*/ldb/*.so mr, /usr/share/samba/*.dat r,

Regards,

Christian Boltz
--
never touch a running system ----> for windows: never touch the keyboard of a running system
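Review bot: the added `deny capability net_admin,` line at the top of profiles/apparmor.d/abstractions/samba has no comment saying why the capability is denied, so a later reader of the abstraction cannot tell that it only silences the harmless send-buffer attempt made through sd_notifyf. A one-line comment above the rule that names the systemd notification path and openSUSE bug 991901 would cover it. Because the rule sits in the shared abstraction rather than in the smbd, winbind and nmb profiles, it applies to every profile that includes abstractions/samba, and an explicit deny cannot be overridden by an allow rule in the including profile; please confirm that nothing confined through this abstraction needs net_admin for real work.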
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
