Control: tags -1 moreinfo

Hi Louis,

On Mon, Apr 29, 2019 at 11:20:51AM +0200, Louis van Belle wrote:
> Package: chrony
> Severity: important
> 
> Hello, after a few messages on the samba list we discovered a wrong path in the
> apparmor profiles of chrony.
> 
> File: /etc/apparmor.d/usr.sbin.chrony
> Wrong:
>  # samba4 ntp signing socket
>  /{,var/}run/samba/ntp_signd/socket rw,

We don’t have this rule in our AppArmor profile. I think that one is from ntpd, right?

> Correct:
>  # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
>  /var/lib/samba/ntp_signd r,
>  /var/lib/samba/ntp_signd/{,*} rw,

These rules are already in the chronyd AppArmor profile.

>  # samba4 winbindd pipe
>  /{,var/}run/samba/winbindd r,
>  /{,var/}run/samba/winbindd/pipe r,
> 
>  # samba4 winbindd_privileged pipe ? Needed, not sure here.
>  /var/lib/samba/winbindd_privileged r,
>  /var/lib/samba/winbindd/pipe r,

Ok, so before adding these changes to the profile, I would be more comfortable if someone could show me what access is currently denied on this kind of environment. Having the output of something like `grep -s 'DENIED' /var/log/syslog /var/log/auditd/audit.log` would be great.
> From what I can see, ntp’s Apparmor profile includes:
>  # samba4 winbindd pipe
>  /run/samba/winbindd/pipe rw,
> 
> Please verify the last one, I'm not a coder, sorry.
> Now, the above changes are important to have before the buster release,
> because it could stop the timesync of domain-joined PCs.

Indeed, I think it is important to have this issue sorted out prior to our next stable release.

> Best regards,
> 
> Louis

Thanks for your report,
Vincent
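To make the "show me what is currently denied" request concrete, here is an added example (not part of the bug report or the chrony package) that extracts the denied paths and access masks for one AppArmor profile from kernel audit records. The log lines below are constructed to match the kernel's `apparmor="DENIED"` record format; hostnames, PIDs and timestamps are illustrative.

```shell
# Constructed sample of AppArmor audit records as the kernel writes them to
# syslog or the audit log. Not real output from the reporter's system.
SAMPLE_LOG='Apr 29 11:20:51 dc1 kernel: audit: type=1400 audit(1556529651.123:42): apparmor="DENIED" operation="connect" profile="/usr/sbin/chronyd" name="/var/lib/samba/ntp_signd/socket" pid=1234 comm="chronyd" requested_mask="wr" denied_mask="wr" fsuid=123 ouid=0
Apr 29 11:20:52 dc1 kernel: audit: type=1400 audit(1556529652.456:43): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/samba/winbindd/pipe" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
Apr 29 11:20:53 dc1 kernel: audit: type=1400 audit(1556529653.789:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/etc/chrony/chrony.conf" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
Apr 29 11:20:54 dc1 kernel: audit: type=1400 audit(1556529654.012:45): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/samba/ntp_signd/socket" pid=999 comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'

# denied_paths PROFILE
# Reads audit lines on stdin and prints one "<path> <denied_mask>" line per
# DENIED record belonging to PROFILE, deduplicated and sorted. Records for
# other profiles (e.g. ntpd) and ALLOWED/complain-mode records are skipped,
# so the output maps directly onto the rules the profile is missing.
denied_paths() {
    profile="$1"
    grep -s 'apparmor="DENIED"' |
    grep -F "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    sort -u
}

# Run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | denied_paths /usr/sbin/chronyd

# On an affected host, feed the real logs instead (typical paths, adjust as
# needed):
# cat /var/log/syslog /var/log/audit/audit.log | denied_paths /usr/sbin/chronyd
```

Each output line names a path the profile currently blocks together with the access mode chronyd asked for, which is exactly what is needed to decide whether the `ntp_signd` and `winbindd` rules above are required and with which permissions.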
