FS#76992 - [apparmor] Default profiles for samba do not work properly
Attached to Project:
Arch Linux
Opened by UrbenLegend (UrbenLegend) - Monday, 02 January 2023, 22:54 GMT
Last edited by David Runge (dvzrv) - Saturday, 02 September 2023, 14:44 GMT
Details
Description:
The default apparmor profiles for Samba do not appear to be working properly, preventing clients from accessing Samba shares (I tested with usershares). Here are all the denial issues I encountered:

1. samba-dcerpcd complains about being denied access to /var/cache/samba/names.tdb.
   Workaround: Add "/var/cache/samba/** rwk," to:
   * /etc/apparmor.d/local/samba-dcerpcd
   * /etc/apparmor.d/local/samba-rpcd
   * /etc/apparmor.d/local/samba-rpcd-classic

2. After adding an exception for that, it then started to complain about not being able to access /run/samba-dcerpcd.pid
   Workaround: Add "@{run}/samba-dcerpcd.pid wk," to /etc/apparmor.d/local/samba-dcerpcd

3. There's also denials when Samba attempts to log to /var/log/samba/log.rpcd_classic. This happens whenever a share is browsed.

I believe these 3 issues are bugs with the AppArmor profile. They should not happen out of the box with the default samba profiles IMHO.

Doing the workarounds for the first 2 items seems to allow clients to connect. However, I ran into another issue where shares were not visible unless I added those directories as exceptions in:
* /etc/apparmor.d/local/samba-rpcd-classic
* /etc/apparmor.d/local/usr.sbin.smbd

ArchWiki only mentions to add exceptions to the latter though, so I am confused whether I am doing this properly. Are we expected to now add exceptions in both these files instead of just one?

Additional info:
* apparmor 3.1.2-1, samba 4.17.4-2
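The denials listed in the description can be collected per profile from the kernel audit log before local overrides are written. The following is an added example, not part of the original report or of the AppArmor or Samba projects: the log lines are constructed to mirror the three denials described, and the function names `to_rule_perms` and `candidate_rules` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines (not taken from the bug report); the
# profiles and paths mirror the denials the reporter describes.
SAMPLE_LOG = """\
audit: type=1400 audit(1672700001.101:201): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=811 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
audit: type=1400 audit(1672700001.205:202): apparmor="DENIED" operation="file_lock" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=811 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1672700002.310:203): apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=811 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1672700003.412:204): apparmor="DENIED" operation="open" profile="samba-rpcd-classic" name="/var/log/samba/log.rpcd_classic" pid=902 comm="rpcd_classic" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
audit: type=1400 audit(1672700004.000:205): apparmor="ALLOWED" operation="open" profile="samba-rpcd" name="/etc/samba/smb.conf" pid=903 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
RULE_ORDER = "rwaklmx"  # order in which rule permissions are written out


def to_rule_perms(masks):
    """Convert logged mask letters into file-rule permission letters."""
    # The log reports create (c) and delete (d); a rule grants both via 'w'.
    perms = {"w" if m in "cd" else m for m in masks}
    if "w" in perms:
        perms.discard("a")  # 'w' covers append; one rule cannot carry both
    return "".join(p for p in RULE_ORDER if p in perms)


def candidate_rules(log_text):
    """Return {profile: [rule, ...]} built from DENIED file events only."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # skip ALLOWED (complain mode) and non-file events
        key = (fields.get("profile", "?"), fields["name"])
        denied[key].update(fields.get("denied_mask", ""))
    rules = defaultdict(list)
    for (profile, path), masks in sorted(denied.items()):
        rules[profile].append(f"{path} {to_rule_perms(masks)},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}: candidate rules, review before use")
        print("\n".join(lines))
```

The output lists exact paths with the narrowest permissions seen in the log, which can be compared against broader globs such as the `/var/cache/samba/**` workaround before anything is added to a local override file.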
Closed by David Runge (dvzrv)
Saturday, 02 September 2023, 14:44 GMT
Reason for closing: Upstream
Additional comments about closing: Upstream needs to fix these issues in the default files.
Relevant upstream ticket: https://gitlab.com/apparmor/apparmor/-/issues/278
FS#74614
samba-rpcd (0.1 KiB)
samba-rpcd-classic (0.3 KiB)
usr.sbin.smbd-shares (0.1 KiB)
I don't think there is anything on Arch Linux's side to be done here, as this is (AFAICT) not a packaging bug.
Upstream needs to fix these files. If you have fixes that work, please provide them as merge request to upstream! :)