Hello,

On Mon, 29 Apr 2019 11:18:27 +0200 Louis van Belle wrote:

> File : /etc/apparmor.d/usr.sbin.ntpd
> Wrong:
> # samba4 ntp signing socket
> /{,var/}run/samba/ntp_signd/socket rw,
>
> Correct:
> # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
> /var/lib/samba/ntp_signd r,

This line looks wrong (or, more likely, superfluous). According to the next rule you added, /var/lib/samba/ntp_signd is a directory. However, to give permissions for a directory, it needs to have a trailing slash:

/var/lib/samba/ntp_signd/ r,

Since things work for you without the additional slash, that means that you probably don't need this rule.

> /var/lib/samba/ntp_signd/{,*} rw,

This rule includes directory access (directory listing and, thanks to the w, mkdir). However I wonder if it really needs to be that broad - the old rule only allowed access to .../ntp_signd/socket, not to the directory listing, and not to other files in that directory.

I have a feeling that you wrote these rules based on assumptions, but I'd prefer to base them on audit.log events ;-)

Can you please provide the AppArmor DENIED (or ALLOWED if running in complain mode) lines you got for the samba profile?

BTW: Upstream AppArmor prefers to stay backwards-compatible, so it might be a good idea to allow the "wrong" and the "correct" path - the "wrong" path probably was correct a while ago, and maybe some people still use it? (question mark intentional - you are the samba expert ;-)

> # samba4 winbindd pipe
> /{,var/}run/samba/winbindd r,

Another useless (and superfluous) directory rule without a trailing slash, please delete it.

BTW: Do you use the samba profiles from upstream AppArmor?
- If so, please contribute your additions upstream at https://gitlab.com/apparmor/apparmor/
- If not - why? ;-)

Regards,

Christian Boltz

-- 
what is Office? Is that software I need if I work in an office (e.g. patience game)?
[Stephan Kulow in opensuse-factory]
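As an added illustration of the point made in the reply above (derive rules from audit.log events rather than assumptions, keep the trailing slash on directory rules, and do not widen a socket rule into a {,*} glob), here is a small script that is neither part of this thread nor AppArmor's own aa-logprof. The audit lines, the /usr/sbin/ntpd and /usr/sbin/smbd profile names, and the function names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not events from the thread); the
# key="value" field layout follows AppArmor's audit format, trimmed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1556529507.001:101): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/var/lib/samba/ntp_signd/socket" pid=1234 comm="ntpd" requested_mask="wr" denied_mask="wr"
type=AVC msg=audit(1556529507.002:102): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/samba/ntp_signd/socket" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1556529507.003:103): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/samba/ntp_signd/" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1556529507.004:104): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/ld.so.cache" pid=999 comm="smbd" requested_mask="r" denied_mask="r"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
RULE_PERMS = "rwalkmx"      # permission letters valid in a file rule, in emit order
MASK_TO_PERM = {"c": "w"}   # "c" (create) in an audit mask is treated as w here


def parse_events(log_text):
    """Yield one dict of key="value" fields per DENIED (enforce) or ALLOWED (complain) line."""
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") in ("DENIED", "ALLOWED") and "name" in fields:
            yield fields


def suggest_rules(log_text, profile):
    """Collapse one profile's events into the narrowest path rules they justify.

    Masks seen for the same path are merged, so the "wr" and "r" events on the
    socket become one "rw" rule. A name ending in "/" is a directory event and
    keeps its trailing slash, which is what AppArmor needs for a directory rule.
    Nothing is widened to the parent directory or to a {,*} glob.
    """
    perms = defaultdict(set)
    for ev in parse_events(log_text):
        if ev.get("profile") != profile:
            continue
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        for c in mask:
            c = MASK_TO_PERM.get(c, c)
            if c in RULE_PERMS:
                perms[ev["name"]].add(c)
    return [f"{path} {''.join(c for c in RULE_PERMS if c in perms[path])},"
            for path in sorted(perms)]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AUDIT_LOG, "/usr/sbin/ntpd"):
        print(rule)
```

For the constructed log this yields a directory rule with its trailing slash and a single rw rule for the socket, and nothing for paths the profile never touched.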