From: mustaqimM <mustaqimM@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [ISSUE] apparmor denying samba
Date: Tue, 05 Oct 2021 09:57:16 +0200
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-33335@inbox.vuxu.org>
New issue by mustaqimM on void-packages repository
https://github.com/void-linux/void-packages/issues/33335
Description:
### System
* xuname:
`Void 5.13.19_1 x86_64 GenuineIntel uptodate rrFFFF`
* package:
`samba-4.14.7_1` `libapparmor-3.0.3_1`
### Expected behavior
The samba service is run but a user is unable to connect to it because the necessary aren't set or misconfigured.
### Actual behavior
```bash
2021-10-04T17:36:41.68394 daemon.notice: Oct 4 19:36:41 smbd: directory_create_or_exist: mkdir failed on directory /run/lock/samba/msg.lock: Permission denied
2021-10-04T17:36:41.68430 kern.notice: [ 2298.919937] audit: type=1400 audit(1633369001.682:2245): apparmor="DENIED" operation="mkdir" profile="smbd" name="/run/lock/samba/msg.lock/" pid=7970 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
```
This is just the first error of the path not correctly set in `/etc/apparmor.d/abstractions/samba`.
### Steps to reproduce the behavior
1. Enable `apparmor` in the kernel cmdline: `apparmor=1 security=apparmor`
2. Start the `smbd` service
The necessary rules to make it work:
```bash
/run/lock/samba/msg.lock/[0-9]* rwk,
/etc/samba/private/msg.sock/[0-9]* rwk,
/run/lock/samba/names.tdb rwk,
/etc/samba/private/secrets.tdb rwk,
/run/lock/samba/smbXsrv_version_global.tdb rwk,
/run/lock/samba/smbXsrv_client_global.tdb rwk,
/run/lock/samba/smbXsrv_session_global.tdb rwk,
/run/lock/samba/smbXsrv_tcon_global.tdb rwk,
/run/lock/samba/brlock.tdb rwk,
/run/lock/samba/locking.tdb rwk,
/run/lock/samba/leases.tdb rwk,
/run/lock/samba/gencache.tdb rwk,
/run/lock/samba/smbXsrv_open_global.tdb rwk,
/etc/samba/private/passdb.tdb rwk,
/run/lock/samba/smbd_cleanupd.tdb rwk,
```
This should probably be patched in `/etc/apparmor.d/abstractions/samba`. This is not entirely correct as only lock files should be marked with `k`. Some rules like the `msg.lock` folder in `abstractions/samba` point to `@{run}/samba/msg.lock/` when it's actually located at `/run/lock/samba/msg.lock`.
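The following is an added example, not part of the issue or of the void-packages or AppArmor code: it parses `apparmor="DENIED"` audit records like the one quoted above and derives the narrowest candidate file rule per path, so that `k` is granted only where a lock was actually denied. The function names are hypothetical, and the mapping of the logged `c` (create) and `d` (delete) masks to the rule permission `w` reflects AppArmor's file rule syntax.

```python
import shlex

# Constructed input: the kernel audit record quoted in the issue, verbatim.
SAMPLE = (
    '2021-10-04T17:36:41.68430 kern.notice: [ 2298.919937] audit: type=1400 '
    'audit(1633369001.682:2245): apparmor="DENIED" operation="mkdir" '
    'profile="smbd" name="/run/lock/samba/msg.lock/" pid=7970 comm="smbd" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)

# Logs report create (c) and delete (d); profile rules express both as w.
LOG_TO_RULE = {"c": "w", "d": "w"}
RULE_ORDER = "rwaklmx"  # emit permission letters in a stable order


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    _, found, tail = line.partition('apparmor="DENIED"')
    if not found:
        return None
    fields = {"apparmor": "DENIED"}
    for token in shlex.split(tail):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def rule_perms(denied_mask):
    """Translate a log denied_mask into profile rule permission letters."""
    perms = {LOG_TO_RULE.get(ch, ch) for ch in denied_mask}
    return "".join(p for p in RULE_ORDER if p in perms)


def candidate_rules(lines):
    """Merge denials per (profile, path) into sorted (profile, rule) pairs."""
    merged = {}
    for line in lines:
        rec = parse_denial(line)
        if rec and "name" in rec:
            key = (rec.get("profile", "?"), rec["name"])
            merged[key] = merged.get(key, "") + rec.get("denied_mask", "")
    return sorted((prof, f"{path} {rule_perms(mask)},")
                  for (prof, path), mask in merged.items())


if __name__ == "__main__":
    for profile, rule in candidate_rules([SAMPLE]):
        print(f"profile {profile}: {rule}")
```

Each generated line is a candidate to review before adding it to a profile or abstraction, since the kernel logs only the accesses that were attempted up to the point of failure.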
Thread overview: 9+ messages
2021-10-05 7:57 mustaqimM [this message]
2021-10-06 5:23 ` CameronNemo
2021-10-06 5:49 ` CameronNemo
2021-10-06 14:11 ` ahesford
2021-10-06 14:11 ` ahesford
2022-01-24 2:41 ` CameronNemo
2022-06-06 2:15 ` github-actions
2022-06-06 11:08 ` paper42
2022-06-06 11:09 ` [ISSUE] [CLOSED] " paper42