subject:"\[Touch\-packages\] \[Bug 1979879\] Re\: Apparmor profile in 22.04 jammy \- fails to start when printing enabled"

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2023-11-27 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
- Install the needed packages in this order, with two separate commands:L
+ Install the needed packages in this order, with two separate commands:
  # apt update
  # apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  # apt install samba smbclient cups cups-client
  
  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart smbd:
  # systemctl restart smbd
  
  systemctl won't complain, but smbd failed to start:
  # ps faxZ | grep smbd | grep -v grep
  #
  
  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  
  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So
  let's put it in enforce mode one more time:
  
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart:
  # systemctl restart smbd
  
  And confirm that smbd and samba-bgqd are running this time, and in
  enforce mode:
  
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  avahi-daemon (complain)4363 ?Ss 0:00 avahi-daemon: 
running [j-samba-bgqd-apparmor.local]
  smbd (enforce) 6734 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (enforce) 6736 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (enforce) 6737 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  samba-bgqd (enforce)   6738 ?S  0:00  \_ 
/usr/lib/x86_64-linux-gnu/samba/samba-bgqd

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2023-05-25 Thread Andreas Hasenack

I'll check the current status

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [Impact]

  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;

  will experience an error in starting the smbd service in jammy:

  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.

  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles,
  and as a result its execution is denied.

  The chosen fix for this is to change the path of samba-bgqd in the
  samba apparmor profiles to match where it is actually being installed
  in the jammy packaging. Changing the actual path in the samba
  packaging would be a more invasive fix.

  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.

  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.

  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on
  its own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.

  [Test Plan]

  Make a container for testing:

  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test

  Install the needed packages in this order, with two separate commands:L
  # apt update
  # apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  # apt install samba smbclient cups cups-client

  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep

  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.

  Restart smbd:
  # systemctl restart smbd

  systemctl won't complain, but smbd failed to start:
  # ps faxZ | grep smbd | grep -v grep
  #

  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100

  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So
  let's put it in enforce mode one more time:

  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.

  Restart:
  # systemctl restart smbd

  And confirm that smbd and samba-bgqd are running this time, and in
  enforce mode:

  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  avahi-daemon (complain)4363 ?Ss 0:00 avahi-daemon: 
running [j-samba-bgqd-apparmor.local]
  smbd (enforce) 6734 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (enforce)

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-11-24 Thread Andreas Hasenack

There is another ongoing apparmor sru for jammy[1] that is using the
same version number. That one has been uploaded already for some time
and the bug shows it's making progress. I'm not going to ask this change
here to be included in that one, because it's further in the SRU process
than this one is, and has more complicated considerations.

I will wait for that one to be accepted into proposed and processes, and
then upload this one here with a version bump.

I'll remove the server todo tag, since I'm subscribed to the bugs and
will be able to monitor the progress of #1994146.


1. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146

** Tags removed: server-todo

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [Impact]

  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;

  will experience an error in starting the smbd service in jammy:

  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.

  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles,
  and as a result its execution is denied.

  The chosen fix for this is to change the path of samba-bgqd in the
  samba apparmor profiles to match where it is actually being installed
  in the jammy packaging. Changing the actual path in the samba
  packaging would be a more invasive fix.

  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.

  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.

  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on
  its own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.

  [Test Plan]

  Make a container for testing:

  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test

  Install the needed packages in this order, with two separate commands:L
  # apt update
  # apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  # apt install samba smbclient cups cups-client

  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep

  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.

  Restart smbd:
  # systemctl restart smbd

  systemctl won't complain, but smbd failed to start:
  # ps faxZ | grep smbd | grep -v grep
  #

  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100

  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-11-24 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
  Install the needed packages in this order, with two separate commands:L
  # apt update
  # apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  # apt install samba smbclient cups cups-client
  
  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart smbd:
  # systemctl restart smbd
  
  systemctl won't complain, but smbd failed to start:
  # ps faxZ | grep smbd | grep -v grep
  #
  
  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  
  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So
  let's put it in enforce mode one more time:
  
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart:
  # systemctl restart smbd
  
  And confirm that smbd and samba-bgqd are running this time, and in
  enforce mode:
  
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  avahi-daemon (complain)4363 ?Ss 0:00 avahi-daemon: 
running [j-samba-bgqd-apparmor.local]
  smbd (enforce) 6734 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (enforce) 6736 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (enforce) 6737 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  samba-bgqd (enforce)   6738 ?S  0:00  \_ 
/usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 
--parent-watch-fd=11 --debuglevel=0 -F
  
  Now that the

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-11-24 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
  Install the needed packages in this order, with two separate commands:L
  # apt update
  # apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  # apt install samba smbclient cups cups-client
  
  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart smbd:
  # systemctl restart smbd
  
  systemctl won't complain, but smbd failed to start:
  # ps faxZ | grep smbd | grep -v grep
  #
  
  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  
  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So
  let's put it in enforce mode one more time:
  
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart:
  # systemctl restart smbd
  
  And confirm that smbd and samba-bgqd are running this time, and in
  enforce mode:
  
- TBD
+ # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
+ avahi-daemon (complain)4363 ?Ss 0:00 avahi-daemon: 
running [j-samba-bgqd-apparmor.local]
+ smbd (enforce) 6734 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
+ smbd (enforce) 6736 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
+ smbd (enforce) 6737 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
+ samba-bgqd (enforce)   6738 ?S  0:00  \_ 
/usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 
--parent-watch-fd=11 --debuglevel=0 -F
+ 
+ Now

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-11-24 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
- Install the needed packages:
- # apt update && apt install apparmor-profiles apparmor-utils samba
+ Install the needed packages in this order, with two separate commands:L
+ # apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
+ # apt install samba smbclient cups cups-client
  
  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart smbd:
  # systemctl restart smbd
  
  systemctl won't complain, but smbd failed to start:
  root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
  root@jammy-test:~#
  
  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  
  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So
  let's put it in enforce mode one more time:
  
- # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
+ # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart:
  # systemctl restart smbd
  
  And confirm that smbd and samba-bgqd are running this time, and in
  enforce mode:
  
  TBD
  
  [Where problems could occur]
  An apparmor update will impact all ubuntu users, regardless if they are using 
samba or not. One has to weigh this carefully with the importance of the bug 
that is being fixed.
  
  This update will restart apparmor on the target system. All sorts of things 
can happen due to that:
  - all apparmor profiles will be reloaded and reapplied
  - if users have modified default profiles in /etc/apparmor.d/* (not inside 
local/*), they will get a dpkg conf prompt

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-11-09 Thread Christian Ehrhardt 

** Changed in: apparmor (Ubuntu Jammy)
 Assignee: Michał Małoszewski (michal-maloszewski99) => Andreas Hasenack 
(ahasenack)

** Changed in: apparmor (Ubuntu)
 Assignee: Michał Małoszewski (michal-maloszewski99) => Andreas Hasenack 
(ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [Impact]

  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;

  will experience an error in starting the smbd service in jammy:

  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.

  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles,
  and as a result its execution is denied.

  The chosen fix for this is to change the path of samba-bgqd in the
  samba apparmor profiles to match where it is actually being installed
  in the jammy packaging. Changing the actual path in the samba
  packaging would be a more invasive fix.

  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.

  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.

  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on
  its own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.

  [Test Plan]

  Make a container for testing:

  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test

  Install the needed packages:
  # apt update && apt install apparmor-profiles apparmor-utils samba

  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep

  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.

  Restart smbd:
  # systemctl restart smbd

  systemctl won't complain, but smbd failed to start:
  root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
  root@jammy-test:~#

  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100

  After installing the fixed package (and accepting the dpkg conf prompt
  changes), the new profile will be loaded in complain mode again. So
  let's put it in enforce mode one more time:

  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.

  Restart:
  # systemctl restart smbd

  And confirm that smbd and samba-bgqd are running this time, and in
  enforce mode:

  TBD

  [Where problems could occur]
  An apparmor update will impact all ubuntu users, regardless if they are using 
samba or not. One has to weigh this

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
  Install the needed packages:
  # apt update && apt install apparmor-profiles apparmor-utils samba
  
  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Change the samba profiles to enforce mode:
- # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
+ # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
  Restart smbd:
  # systemctl restart smbd
  
  systemctl won't complain, but smbd failed to start:
  root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
- root@jammy-test:~# 
+ root@jammy-test:~#
  
  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
-   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
+   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  
+ After installing the fixed package (and accepting the dpkg conf prompt
+ changes), the new profile will be loaded in complain mode again. So
+ let's put it in enforce mode one more time:
+ 
+ # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
+ Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
+ Setting /etc/apparmor.d/samba-bgqd to enforce mode.
+ 
+ Restart:
+ # systemctl restart smbd
+ 
+ And confirm that smbd and samba-bgqd are running this time, and in
+ enforce mode:
+ 
+ TBD
  
  [Where problems could occur]
  An apparmor update will impact all ubuntu users, regardless if they are using 
samba or not. One has to weigh this carefully with the importance of the bug 
that is being fixed.
  
  This update will restart apparmor on the target system. All sorts of things 
can happen due to that:
  - all apparmor profiles will be reloaded and reapplied
  - if users have modified default profiles in /etc/apparmor.d/* (not inside 
local/*), they will get a dpkg conf prompt during this update
  - in particular, users who have changed the samba

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
- # First of all, install apparmor-profiles, apparmor-utils and samba.
+ Install the needed packages:
  # apt update && apt install apparmor-profiles apparmor-utils samba
  
- # Confirm that you have smbd and samba-bgqd processes confined and in 
complain mode (check first column):
+ Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
- smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd 
+ smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
+ Change the samba profiles to enforce mode:
+ # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
+ Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
+ Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
- 4.Then check the dmesg output.
+ Restart smbd:
+ # systemctl restart smbd
  
- $ dmesg -T
+ systemctl won't complain, but smbd failed to start:
+ root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
+ root@jammy-test:~# 
  
- [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=100 ouid=100
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ # tail -2 /var/log/samba/log.smbd
+ [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
+   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
- 5.At the end of the

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
- ** Reproduction **
- 
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
- 1.First of all, install apparmor-profiles, apparmor-utils and samba.
- $ apt install apparmor-profiles apparmor-utils samba
+ # First of all, install apparmor-profiles, apparmor-utils and samba.
+ # apt update && apt install apparmor-profiles apparmor-utils samba
  
- 2.Perform proper command to display current running processes. (e.g. ps 
fauxZ).
- $ ps fauxZ
+ # Confirm that you have smbd and samba-bgqd processes confined and in 
complain mode (check first column):
+ # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
- nmbd (complain) root2129  0.0  0.0  68720 10628 ? 
   Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
- smbd (complain) root2141  0.0  0.1  84840 16264 ? 
   Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
- smbd (complain) root2143  0.0  0.0  82360  8544 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
- smbd (complain) root2144  0.0  0.0  82352  6820 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ smbd (complain)2432 ?Ss 0:00 /usr/sbin/smbd 
--foreground --no-process-group
+ smbd (complain)2434 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
+ smbd (complain)2435 ?S  0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
+ smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd 
  
- 3.At the end of the output, you should be able to see smbd(complain) in
- the left column.
  
  4.Then check the dmesg output.
  
  $ dmesg -T
  
  [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k"

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  ** Reproduction **
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
  1.First of all, install apparmor-profiles, apparmor-utils and samba.
  $ apt install apparmor-profiles apparmor-utils samba
  
  2.Perform proper command to display current running processes. (e.g. ps 
fauxZ).
  $ ps fauxZ
  
  nmbd (complain) root2129  0.0  0.0  68720 10628 ? 
   Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
  smbd (complain) root2141  0.0  0.1  84840 16264 ? 
   Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
  smbd (complain) root2143  0.0  0.0  82360  8544 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  smbd (complain) root2144  0.0  0.0  82352  6820 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  
  3.At the end of the output, you should be able to see smbd(complain) in
  the left column.
  
  4.Then check the dmesg output.
  
  $ dmesg -T
  
  [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  
  5.At the end of the output, you will notice profile=”samba-bgqd”
  apparmor=”ALLOWED”
  
  6.Later, check the apparmor status using the aa-status command.
  
  $ aa-status
  
  24 profiles are in complain mode.
     avahi-daemon
     dnsmasq
     dnsmasq//libvirt_leaseshelper
     identd
     klogd
     mdnsd
     nmbd
     nscd
     php-fpm
     ping
     samba-bgqd
     smbldap-useradd
     smbldap-useradd///etc/init.d/nscd
     snap.git-ubuntu.git-ubuntu
     snap.git-ubuntu.import-source-packages
     snap.git-ubuntu.man
     snap.git-ubuntu.merge-changelogs
     snap.git-ubuntu.reconstruct-changelog
     snap.git-ubuntu.self-test
     snap.git-ubuntu.source-package-walker
     snap.git-ubuntu.update-repository-alias
     syslog-ng

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Andreas Hasenack

** Description changed:

  [Impact]
  
- Path to samba-bgqd is wrong on 22.04.
- Changing from /usr/lib*/samba/samba-bgqd into 
/usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
- The @{multiarch} was initialized at the code before.
- Before fixing it might confuse users with ambiguity.
- This was later changed by moving the binary, but for an SRU let us just adapt 
the path in apparmor.
+ Users who have:
+ a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
+ b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce 
mode; 
  
+ will experience an error in starting the smbd service in jammy:
  
- Obviously, the bug doesn’t affect users by default, because the samba profiles
- are only installed and activated if you install the apparmor-profiles package 
and moreover it has to be in enforce mode to affect users. The profile is 
applied in complain mode by default.
- After all these conditions are met, then the impact is that the samba 
services will fail to start.
+ [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
+   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
- The next thing which occurred was the problem with ‘k’ flag which was
- needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba.
+ This "printing subsystem" is actually a new daemon called samba-bgqd.
+ This errors prevents "smbd" from starting.
+ 
+ The reason it failed to start is that this binary is installed on a
+ different path than what is allowed in the samba apparmor profiles, and
+ as a result its execution is denied.
+ 
+ The chosen fix for this is to change the path of samba-bgqd in the samba
+ apparmor profiles to match where it is actually being installed in the
+ jammy packaging. Changing the actual path in the samba packaging would
+ be a more invasive fix.
+ 
+ In kinetic and later, the installation path of samba-bgqd was changed
+ instead, and requires no changes to the apparmor profiles.
+ 
+ However, once the path in the apparmor profiles was fixed for jammy,
+ another error comes up which also requires an apparmor change. samba-
+ bgqd is using locking when opening the *.tdb files in /run/samba, and
+ that requires an extra "k" flag to apparmor rules that cover that
+ directory and its tdb files.
+ 
+ This bug doesn't affect jammy samba users by default, as they have to
+ complete steps (a) and (b) from above to be impacted. Therefore, on its
+ own, this bug does not warrant an SRU, and we are using the block-
+ proposed-jammy tag to prevent its release until such time when another
+ more SRU-worthy apparmor bug is fixed for Jammy.
  
  
  [Test Plan]
  
  ** Reproduction **
  
  Make a container for testing:
  
- 
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
- 
  
  1.First of all, install apparmor-profiles, apparmor-utils and samba.
  $ apt install apparmor-profiles apparmor-utils samba
  
  2.Perform proper command to display current running processes. (e.g. ps 
fauxZ).
  $ ps fauxZ
  
  nmbd (complain) root2129  0.0  0.0  68720 10628 ? 
   Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
  smbd (complain) root2141  0.0  0.1  84840 16264 ? 
   Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
  smbd (complain) root2143  0.0  0.0  82360  8544 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  smbd (complain) root2144  0.0  0.0  82352  6820 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  
- 
  3.At the end of the output, you should be able to see smbd(complain) in
  the left column.
  
- 
  4.Then check the dmesg output.
- 
  
  $ dmesg -T
  
  [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95):

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Andreas Hasenack

Removing the samba task as there is nothing to do there for jammy.

** No longer affects: samba (Ubuntu Jammy)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [Impact]

  Path to samba-bgqd is wrong on 22.04.
  Changing from /usr/lib*/samba/samba-bgqd into 
/usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
  The @{multiarch} was initialized at the code before.
  Before fixing it might confuse users with ambiguity.
  This was later changed by moving the binary, but for an SRU let us just adapt 
the path in apparmor.

  
  Obviously, the bug doesn’t affect users by default, because the samba profiles
  are only installed and activated if you install the apparmor-profiles package 
and moreover it has to be in enforce mode to affect users. The profile is 
applied in complain mode by default.
  After all these conditions are met, then the impact is that the samba 
services will fail to start.

  The next thing which occurred was the problem with ‘k’ flag which was
  needed in for the *.tdb files within
  /etc/apparmor.d/abstractions/samba.


  [Test Plan]

  ** Reproduction **

  Make a container for testing:

  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test

  
  1.First of all, install apparmor-profiles, apparmor-utils and samba.
  $ apt install apparmor-profiles apparmor-utils samba

  2.Perform proper command to display current running processes. (e.g. ps 
fauxZ).
  $ ps fauxZ

  nmbd (complain) root2129  0.0  0.0  68720 10628 ? 
   Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
  smbd (complain) root2141  0.0  0.1  84840 16264 ? 
   Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
  smbd (complain) root2143  0.0  0.0  82360  8544 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  smbd (complain) root2144  0.0  0.0  82352  6820 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group


  3.At the end of the output, you should be able to see smbd(complain)
  in the left column.

  
  4.Then check the dmesg output.

  
  $ dmesg -T

  [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=100 ouid=100
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0

  
  5.At the end of the output, you will notice profile=”samba-bgqd” 
apparmor=”ALLOWED”

  
  6.Later, check the apparmor status using the aa-status command.

  $ aa-status

  24 profiles are in complain mode.
 avahi-daemon
 dnsmasq
 dnsmasq//libvirt_leaseshelper
 identd
 klogd
 mdnsd
 nmbd
 nscd
 php-fpm
 ping
 samba-bgqd
 smbldap-useradd
 smbldap-useradd///etc/init.d/nscd
 snap.git-ubuntu.git-ubuntu
 snap.git-ubuntu.import-source-packages
 snap.git-ubuntu.man
 snap.git-ubuntu.merge-changelogs
 snap.git-ubuntu.reconstruct-changelog
 snap.git-ubuntu.self-test
 snap.git-ubuntu.source-package-walker
 snap.git-ubuntu.update-repository-alias
 syslog-ng
 syslogd
 traceroute

  You will notice that samba-bgqd is still in complain mode.


  7.Type in aa-enforce /etc/apparmor.d/samba-bgqd
  /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.

  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.

  Now when you display current running processes,

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-09-09 Thread Michał Małoszewski

** Description changed:

+ [Impact]
+ 
+ Path to samba-bgqd is wrong on 22.04.
+ Changing from /usr/lib*/samba/samba-bgqd into 
/usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
+ The @{multiarch} was initialized at the code before.
+ Before fixing it might confuse users with ambiguity.
+ This was later changed by moving the binary, but for an SRU let us just adapt 
the path in apparmor.
+ 
+ 
+ Obviously, the bug doesn’t affect users by default, because the samba profiles
+ are only installed and activated if you install the apparmor-profiles package 
and moreover it has to be in enforce mode to affect users. The profile is 
applied in complain mode by default.
+ After all these conditions are met, then the impact is that the samba 
services will fail to start.
+ 
+ The next thing which occurred was the problem with ‘k’ flag which was
+ needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba.
+ 
+ 
+ [Test Plan]
+ 
+ ** Reproduction **
+ 
+ Make a container for testing:
+ 
+ 
+ $ lxc launch ubuntu-daily:jammy jammy-test
+ $ lxc shell jammy-test
+ 
+ 
+ 1.First of all, install apparmor-profiles, apparmor-utils and samba.
+ $ apt install apparmor-profiles apparmor-utils samba
+ 
+ 2.Perform proper command to display current running processes. (e.g. ps 
fauxZ).
+ $ ps fauxZ
+ 
+ nmbd (complain) root2129  0.0  0.0  68720 10628 ? 
   Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
+ smbd (complain) root2141  0.0  0.1  84840 16264 ? 
   Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
+ smbd (complain) root2143  0.0  0.0  82360  8544 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ smbd (complain) root2144  0.0  0.0  82352  6820 ? 
   S16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ 
+ 
+ 3.At the end of the output, you should be able to see smbd(complain) in
+ the left column.
+ 
+ 
+ 4.Then check the dmesg output.
+ 
+ 
+ $ dmesg -T
+ 
+ [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=100 ouid=100
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ 
+ 
+ 5.At the end of the output, you will notice profile=”samba-bgqd” 
apparmor=”ALLOWED”
+ 
+ 
+ 6.Later, check the apparmor status using the aa-status command.
+ 
+ $ aa-status
+ 
+ 24 profiles are in complain mode.
+avahi-daemon
+dnsmasq
+dnsmasq//libvirt_leaseshelper
+identd
+klogd
+mdnsd
+nmbd
+nscd
+php-fpm
+ping
+samba-bgqd
+smbldap-useradd
+smbldap-useradd///etc/init.d/nscd
+snap.git-ubuntu.git-ubuntu
+snap.git-ubuntu.import-source-packages
+snap.git-ubuntu.man
+snap.git-ubuntu.merge-changelogs
+snap.git-ubuntu.reconstruct-changelog
+snap.git-ubuntu.self-test
+snap.git-ubuntu.source-package-walker
+snap.git-ubuntu.update-repository-alias
+syslog-ng
+syslogd
+traceroute
+ 
+ You will notice that samba-bgqd is still in complain mode.
+ 
+ 
+ 7.Type in aa-enforce /etc/apparmor.d/samba-bgqd
+ /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
+ 
+ Setting /etc/apparmor.d/samba-bgqd to enforce mode.
+ Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
+ 
+ Now when you display current running processes, you will see that smbd
+ is enforced.
+ 
+ $ ps fauxZ
+ 
+ smbd (enforce)  root2281  0.0  0.1  84840 16416 ? 
   Ss   14:50   0:00 /usr/sbin/smbd --foreground --no-process-group
+ smbd (enforce)  root2283  0.0  0.0  82360  8476 ? 
   S14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ smbd (enforce)  root2284  0.0  0.0  82352  6748 ? 
   S14:50   0:00  \_

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-30 Thread Michał Małoszewski

Updated bug description with:

Moreover, the dmesg output failed and it has showed that the 'k' flag is
required for the *.tdb files within /etc/apparmor.d/abstractions/samba.

It is required to close that bug in professional way, because the flag
is also affected by samba-bgqd.

** Description changed:

  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
  
  Fix was backported, but the path to samba-bgqd is wrong on 22.04.
  
  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd
  
  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Moreover, the dmesg output failed and it has showed that the 'k' flag is
- required in the *.tdb files.
+ required for the *.tdb files within /etc/apparmor.d/abstractions/samba.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

  Moreover, the dmesg output failed and it has showed that the 'k' flag
  is required for the *.tdb files within
  /etc/apparmor.d/abstractions/samba.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-30 Thread Michał Małoszewski

** Description changed:

  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
  
  Fix was backported, but the path to samba-bgqd is wrong on 22.04.
  
  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd
  
  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
+ 
+ Moreover, the dmesg output failed and it has showed that the 'k' flag is
+ required in the *.tdb files.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

  Moreover, the dmesg output failed and it has showed that the 'k' flag
  is required for the *.tdb files within
  /etc/apparmor.d/abstractions/samba.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-17 Thread Michał Małoszewski

Waiting for a review of MP

** Changed in: apparmor (Ubuntu Jammy)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-05 Thread Launchpad Bug Tracker

** Merge proposal linked:
   
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/apparmor/+git/apparmor/+merge/427973

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-03 Thread Robie Basak

>From an SRU perspective bug 1703821 is similar to this, except for
dovecot in Bionic. In both cases, a workaround is trivially available
since a user can safely modify the profile directly in /etc.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-01 Thread Andreas Hasenack

Hm, I see, it's obviously not just samba-bgqd. Hmm...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-01 Thread Paride Legovini

I see your point, and I find the one about "fixing it the Kinetic way"
especially convincing, it may save us headaches in the future, and may
help with backports. My concern is that other packages or scripts users
wrote and tested on Jammy systems refer to the "wrong" path
(/usr/lib/x86_64-linux-gnu/...). If we want to fix samba I think this is
the commit to cherry-pick

https://salsa.debian.org/samba-
team/samba/-/commit/3e8438ca59263aee8a2599b47a0dccf2d395e1f4

Note that speaking of binaries the commit message says

  Some of them are callable from other packages, and some
  others are specified in config files.

and that's what I'm a bit worried about. OTOH there may be packages in
Ubuntu that got merged from Debian and that already refer to the "right"
(libexec/...) path. So I think that to make fixing samba definitely
safer/better than fixing apparmor we should

 - Check which binaries are affected by the path change
 - Check how they're meant to be user facing
 - Check if and how other packages are calling them.
   https://codesearch.debian.net/ may help here.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-01 Thread Andreas Hasenack

The other argument I have against fixing this in apparmor, is that this
fix is for jammy only. It's not present in kinetic. But the samba fix
(correct path for that binary) is in jammy.

Then the question boils down to which update will cause the less amount
of disruption for users...

a) apparmor: apparmor restart (reload all profiles), even for users who are not 
using samba services
b) samba: if only the libs are installed, maybe needrestart will ask for some 
restarts? If daemons are installed, then the usual samba restart, even for 
users who are not using the apparmor profile.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-01 Thread Andreas Hasenack

That being said, it's also likely that all desktop users have some samba
library installed :/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-01 Thread Andreas Hasenack

Initially I was also in favor of changing the apparmor profile instead
of the samba packaging, but after I saw Michał's MP (with this
approach), I'm kind of changing my mind, and here is my reasoning:

With the change to apparmor, all ubuntu users, regardless if they use
samba or not, will get the update. All of them, because even though the
change is in the bin:apparmor-profiles pacakge, it comes from
src:apparmor, which builds many other apparmor binary packages and some
of them are installed by default in ubuntu.

If instead we made the change in the samba packaging, fixing the binary
path, then only samba users would get the update. We can still argue
whether it's worth an sru, but at least we could stage the update so it
goes out with other more important samba updates.

Paride, what do you think?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-08-01 Thread Launchpad Bug Tracker

** Merge proposal linked:
   
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/apparmor/+git/apparmor/+merge/427682

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-07-27 Thread Michał Małoszewski

I am about to create a branch of it and send the MP.
I have simply used grep to check where /usr/lib*/samba/samba-bgqd occurs when I 
did checkout to the ubuntu/jammy and I've seen that these files where it occurs 
are in apparmor profile. I have changed apparmor profile to adapt it to the 
actual location of the file in jammy. At the end samba-bgqd is in 
/usr/lib/x86_64-linux-gnu/samba/samba-bgqd.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

2022-07-20 Thread Michał Małoszewski

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Michał Małoszewski (michal-maloszewski99)

** Changed in: apparmor (Ubuntu Jammy)
 Assignee: (unassigned) => Michał Małoszewski (michal-maloszewski99)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Triaged
Status in samba source package in Jammy:
  Triaged

Bug description:
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-
  bgqd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1979879/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Touch-packages] [Bug 1979879] Re: Apparmor profile in 22.04 jammy - fails to start when printing enabled

27 matches

Site Navigation

Mail list logo

Footer information