Hello,

On Mon, 29 Apr 2019 11:18:27 +0200 Louis van Belle wrote:
> File : /etc/apparmor.d/usr.sbin.ntpd
> Wrong: 
>   # samba4 ntp signing socket
>   /{,var/}run/samba/ntp_signd/socket rw,
> 
> Correct: 
>   # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
>   /var/lib/samba/ntp_signd r,

This line looks wrong (or, more likely, superfluous). According to the 
next rule you added, /var/lib/samba/ntp_signd is a directory. However, 
to give permissions for a directory, it needs to have a trailing slash:
   /var/lib/samba/ntp_signd/ r,
Since things work for you without the additional slash, that means that 
you probably don't need this rule.

>   /var/lib/samba/ntp_signd/{,*} rw,

This rule includes directory access (directory listing and, thanks to 
the w, mkdir).

However, I wonder if it really needs to be that broad - the old rule only 
allowed access to .../ntp_signd/socket, not to the directory listing, 
and not to other files in that directory.

I have a feeling that you wrote these rules based on assumptions, but 
I'd prefer to base them on audit.log events ;-)
Can you please provide the AppArmor DENIED (or ALLOWED if running in 
complain mode) lines you got for the samba profile?


BTW: Upstream AppArmor prefers to stay backwards-compatible, so it might 
be a good idea to allow the "wrong" and the "correct" path - the "wrong"
path probably was correct a while ago, and maybe some people still use it?
(question mark intentional - you are the samba expert ;-)

>   # samba4 winbindd pipe 
>   /{,var/}run/samba/winbindd r,

Another useless (and superfluous) directory rule without a trailing 
slash, please delete it.


BTW: Do you use the samba profiles from upstream AppArmor?
- If so, please contribute your additions upstream at 
  https://gitlab.com/apparmor/apparmor/
- If not - why? ;-)


Regards,

Christian Boltz
-- 
what is Office? Is that software I need if I work in an office
(e.g. patience game)?      [Stephan Kulow in opensuse-factory]
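Added example, not part of the thread and not AppArmor's own tooling: a small matcher for AppArmor file-rule paths (the `{,var/}` and `{,*}` alternations, `*`, `**`) plus a parser for audit.log lines, so you can check which of the proposed rules cover which logged accesses. It shows the two points made above: a rule path without a trailing slash never matches a directory access (the kernel logs those with a trailing `/`), and the `{,*}` form covers the directory itself as well as every file directly in it. The audit lines, paths and masks in `SAMPLE_AUDIT` are constructed for illustration; the profile and PID values are placeholders.

```python
"""Check AppArmor file rules against audit.log DENIED events (added example,
not code from the thread or from the AppArmor project).  The audit lines
below are constructed, not captured from a real system."""
import re


def glob_to_regex(pattern):
    """Turn an AppArmor rule path into an anchored regex.

    '**' matches anything including '/', '*' and '?' stop at '/', and the
    alternation {a,b} becomes (?:a|b).  Character classes are not handled.
    """
    out, i, depth = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "," and depth:
            out.append("|")
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(rule):
    """'/var/lib/samba/ntp_signd/{,*} rw,' -> (compiled regex, {'r', 'w'})"""
    path, mask = rule.rstrip(",").rsplit(None, 1)
    return glob_to_regex(path), set(mask)


def rule_covers(rule, name, needed):
    """True when the rule's path matches `name` and grants every letter in `needed`.

    Directory accesses are logged with a trailing '/', so a rule path written
    without one (e.g. '/var/lib/samba/ntp_signd r,') never matches them.
    """
    regex, mask = parse_rule(rule)
    return bool(regex.match(name)) and set(needed) <= mask


# key="quoted value" or key=bare-value, as written by auditd / the kernel
AUDIT_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one audit.log line as a dict."""
    return {k: (q if v.startswith('"') else v)
            for k, v, q, _ in AUDIT_RE.findall(line)}


def denied_events(lines):
    """Yield (name, mask) for each DENIED file event; c/d/a all need 'w' in a rule."""
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue
        mask = {("w" if c in "cda" else c) for c in ev.get("denied_mask", "")}
        yield ev["name"], mask


MASK_ORDER = "rwmklx"


def needed_rules(lines):
    """Collapse DENIED events into the minimal per-path rules that would allow them."""
    wanted = {}
    for name, mask in denied_events(lines):
        wanted.setdefault(name, set()).update(mask)
    return ["%s %s," % (path, "".join(c for c in MASK_ORDER if c in mask))
            for path, mask in sorted(wanted.items())]


def uncovered(rules, lines):
    """(name, mask) of every DENIED event that none of `rules` would allow."""
    return [(name, "".join(sorted(mask)))
            for name, mask in denied_events(lines)
            if not any(rule_covers(r, name, mask) for r in rules)]


# Constructed sample: ntpd (placeholder profile/pid) hitting the signing socket
# in its new /var/lib/samba location, plus an unrelated config read.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1556529000.101:40): apparmor="DENIED" operation="connect" '
    'profile="/usr/sbin/ntpd" name="/var/lib/samba/ntp_signd/socket" pid=1234 '
    'comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'type=AVC msg=audit(1556529000.102:41): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=1234 comm="ntpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    old_rules = ["/{,var/}run/samba/ntp_signd/socket rw,", "/etc/ntp.conf r,"]
    print("not covered by the old rules:", uncovered(old_rules, SAMPLE_AUDIT))
    print("minimal rules for the log:", needed_rules(SAMPLE_AUDIT))
    print("bare path matches directory?",
          rule_covers("/var/lib/samba/ntp_signd r,", "/var/lib/samba/ntp_signd/", "r"))
    print("{,*} matches directory?",
          rule_covers("/var/lib/samba/ntp_signd/{,*} rw,", "/var/lib/samba/ntp_signd/", "r"))
```

Run it against real `audit.log` lines (or the output of `aa-logprof`'s input, `journalctl -k`) by replacing `SAMPLE_AUDIT`; `needed_rules` then prints exactly the narrow per-path rules asked for above, and `uncovered` tells you whether keeping both the `/{,var/}run/...` and the `/var/lib/samba/...` paths leaves anything unhandled.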