* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
@ 2021-10-06 5:23 ` CameronNemo
2021-10-06 5:49 ` CameronNemo
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: CameronNemo @ 2021-10-06 5:23 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 334 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-935485117
Comment:
The profile for smbd and samba abstraction are from upstream apparmor. Should probably work there first, then backport to our package. That way we can get their eyes on the policy change.
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
2021-10-06 5:23 ` CameronNemo
@ 2021-10-06 5:49 ` CameronNemo
2021-10-06 14:11 ` ahesford
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: CameronNemo @ 2021-10-06 5:49 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1836 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-935516841
Comment:
@ahesford how would you feel about switching the samba private dir from /etc/samba/private to /var/lib/samba/private? Upside: more consistent with other distros, smbd does not write to /etc. Downside: I am not 100% sure whether the CLI client tools will still work with old versions of smbd. Users may need to restart the smbd service after an upgrade so that both the CLI clients and service are using the same private dir path.
```diff
diff --git a/srcpkgs/samba/template b/srcpkgs/samba/template
index 69ac97f71d..0755c79f6a 100644
--- a/srcpkgs/samba/template
+++ b/srcpkgs/samba/template
@@ -11,7 +11,7 @@ _auth_modules="auth_unix,auth_wbc,auth_server,auth_netlogind,autH_script,auth_sa
configure_args="--enable-fhs --sbindir=/usr/bin
--localstatedir=/var --sysconfdir=/etc --with-piddir=/run/samba
--with-sockets-dir=/run/samba --with-lockdir=/run/lock/samba
- --with-privatedir=/etc/samba/private --with-pammodulesdir=/usr/lib/security
+ --with-pammodulesdir=/usr/lib/security
--with-modulesdir=/usr/lib/samba --disable-rpath --disable-rpath-install
--without-systemd --without-gettext --bundled-libraries=NONE
--with-system-mitkrb5 --without-ad-dc --with-cluster-support
@@ -30,7 +30,7 @@ distfiles="http://download.samba.org/pub/samba/stable/${pkgname}-${version}.tar.
checksum=6f50353f9602aa20245eb18ceb00e7e5ec793df0974aebd5254c38f16d8f1906
lib32disabled=yes
conf_files="/etc/pam.d/samba /etc/samba/smb.conf"
-make_dirs="/etc/samba/private 0750 root root"
+make_dirs="/var/lib/samba/private 0700 root root"
subpackages="smbclient samba-ctdb samba-cups samba-devel samba-libs samba-python3"
if [ "$XBPS_TARGET_LIBC" = "musl" ]; then
```
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
2021-10-06 5:23 ` CameronNemo
2021-10-06 5:49 ` CameronNemo
@ 2021-10-06 14:11 ` ahesford
2021-10-06 14:11 ` ahesford
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: ahesford @ 2021-10-06 14:11 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 570 bytes --]
New comment by ahesford on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-936310510
Comment:
I don't have a strong opinion about Samba and only use it to run a basic fileserver for Apple Time Machine backups. If moving the private directory to `/var/lib/samba/private` solves apparmors problems and doesnt break existing workflows, it's fine with me.
As far as needing to restart the server after upgrade, that's generally recommended anyway. I wouldn't worry too much about causing issues with the in-memory server.
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
` (2 preceding siblings ...)
2021-10-06 14:11 ` ahesford
@ 2021-10-06 14:11 ` ahesford
2022-01-24 2:41 ` CameronNemo
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: ahesford @ 2021-10-06 14:11 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 569 bytes --]
New comment by ahesford on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-936310510
Comment:
I don't have a strong opinion about Samba and only use it to run a basic fileserver for Apple Time Machine backups. If moving the private directory to `/var/lib/samba/private` solves apparmor problems and doesnt break existing workflows, it's fine with me.
As far as needing to restart the server after upgrade, that's generally recommended anyway. I wouldn't worry too much about causing issues with the in-memory server.
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
` (3 preceding siblings ...)
2021-10-06 14:11 ` ahesford
@ 2022-01-24 2:41 ` CameronNemo
2022-06-06 2:15 ` github-actions
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: CameronNemo @ 2022-01-24 2:41 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 308 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-1019661040
Comment:
per comment in #33436, cannot change the samba privdir. will need to change the AppArmor profiles. For now you can use a local override to workaround the issue.
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
` (4 preceding siblings ...)
2022-01-24 2:41 ` CameronNemo
@ 2022-06-06 2:15 ` github-actions
2022-06-06 11:08 ` paper42
2022-06-06 11:09 ` [ISSUE] [CLOSED] " paper42
7 siblings, 0 replies; 9+ messages in thread
From: github-actions @ 2022-06-06 2:15 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 293 bytes --]
New comment by github-actions[bot] on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-1146964562
Comment:
Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
` (5 preceding siblings ...)
2022-06-06 2:15 ` github-actions
@ 2022-06-06 11:08 ` paper42
2022-06-06 11:09 ` [ISSUE] [CLOSED] " paper42
7 siblings, 0 replies; 9+ messages in thread
From: paper42 @ 2022-06-06 11:08 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 175 bytes --]
New comment by paper42 on void-packages repository
https://github.com/void-linux/void-packages/issues/33335#issuecomment-1147330179
Comment:
fixed by @CameronNemo in #33436
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [ISSUE] [CLOSED] apparmor denying samba
2021-10-05 7:57 [ISSUE] apparmor denying samba mustaqimM
` (6 preceding siblings ...)
2022-06-06 11:08 ` paper42
@ 2022-06-06 11:09 ` paper42
7 siblings, 0 replies; 9+ messages in thread
From: paper42 @ 2022-06-06 11:09 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 2277 bytes --]
Closed issue by mustaqimM on void-packages repository
https://github.com/void-linux/void-packages/issues/33335
Description:
<!-- Don't request update of package. We have a script for that. https://alpha.de.repo.voidlinux.org/void-updates/void-updates.txt . However, a quality pull request may help. -->
### System
* xuname:
`Void 5.13.19_1 x86_64 GenuineIntel uptodate rrFFFF`
* package:
`samba-4.14.7_1` `libapparmor-3.0.3_1 `
### Expected behavior
The samba service is run but a user is unable to connect to it because the necessary rules aren't set or misconfigured.
### Actual behavior
```bash
2021-10-04T17:36:41.68394 daemon.notice: Oct 4 19:36:41 smbd: directory_create_or_exist: mkdir failed on directory /run/lock/samba/msg.lock: Permission denied
2021-10-04T17:36:41.68430 kern.notice: [ 2298.919937] audit: type=1400 audit(1633369001.682:2245): apparmor="DENIED" operation="mkdir" profile="smbd" name="/run/lock/samba/msg.lock/" pid=7970 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
```
This is just the first error of the path not correctly set in `/etc/apparmor.d/abstractions/samba`
### Steps to reproduce the behavior
1. Enable `apparmor` in the kernel cmdline: `apparmor=1 security=apparmor`
2. Start the `smbd` service
The necessary rules to make it work:
```bash
/run/lock/samba/msg.lock/ rwk,
/run/lock/samba/msg.lock/[0-9]* rwk,
/etc/samba/private/msg.sock/[0-9]* rwk,
/run/lock/samba/names.tdb rwk,
/etc/samba/private/secrets.tdb rwk,
/run/lock/samba/smbXsrv_version_global.tdb rwk,
/run/lock/samba/smbXsrv_client_global.tdb rwk,
/run/lock/samba/smbXsrv_session_global.tdb rwk,
/run/lock/samba/smbXsrv_tcon_global.tdb rwk,
/run/lock/samba/brlock.tdb rwk,
/run/lock/samba/locking.tdb rwk,
/run/lock/samba/leases.tdb rwk,
/run/lock/samba/gencache.tdb rwk,
/run/lock/samba/smbXsrv_open_global.tdb rwk,
/etc/samba/private/passdb.tdb rwk,
/run/lock/samba/smbd_cleanupd.tdb rwk,
```
This should probably be patched in `/etc/apparmor.d/abstractions/samba`. This is not entirely correct as only lock files should be marked with `k`. Some rules like the `msg.lock` folder in `abstractions/samba` point to `@{run}/samba/msg.lock/` when it's actually located at `/run/lock/samba/msg.lock`
^ permalink raw reply [flat|nested] 9+ messages in thread