Github messages for voidlinux
* [ISSUE] apparmor denying samba
@ 2021-10-05  7:57 mustaqimM
  2021-10-06  5:23 ` CameronNemo
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: mustaqimM @ 2021-10-05  7:57 UTC (permalink / raw)
  To: ml

New issue by mustaqimM on void-packages repository

https://github.com/void-linux/void-packages/issues/33335

Description:
### System

* xuname:  
  `Void 5.13.19_1 x86_64 GenuineIntel uptodate rrFFFF`
* package:  
  `samba-4.14.7_1` `libapparmor-3.0.3_1`

### Expected behavior
The samba service is run but a user is unable to connect to it because the necessary rules aren't set or are misconfigured.
### Actual behavior
```bash
2021-10-04T17:36:41.68394 daemon.notice: Oct  4 19:36:41 smbd: directory_create_or_exist: mkdir failed on directory /run/lock/samba/msg.lock: Permission denied
2021-10-04T17:36:41.68430 kern.notice: [ 2298.919937] audit: type=1400 audit(1633369001.682:2245): apparmor="DENIED" operation="mkdir" profile="smbd" name="/run/lock/samba/msg.lock/" pid=7970 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
```
This is just the first error of the path not correctly set in `/etc/apparmor.d/abstractions/samba`

### Steps to reproduce the behavior
1. Enable `apparmor` in the kernel cmdline: `apparmor=1 security=apparmor`
2. Start the `smbd` service

The necessary rules to make it work:

```bash

/run/lock/samba/msg.lock/[0-9]* rwk,
/etc/samba/private/msg.sock/[0-9]* rwk,
/run/lock/samba/names.tdb rwk,
/etc/samba/private/secrets.tdb rwk,
/run/lock/samba/smbXsrv_version_global.tdb rwk,
/run/lock/samba/smbXsrv_client_global.tdb rwk,
/run/lock/samba/smbXsrv_session_global.tdb rwk,
/run/lock/samba/smbXsrv_tcon_global.tdb rwk,
/run/lock/samba/brlock.tdb rwk,
/run/lock/samba/locking.tdb rwk,
/run/lock/samba/leases.tdb rwk,
/run/lock/samba/gencache.tdb rwk,
/run/lock/samba/smbXsrv_open_global.tdb rwk,
/etc/samba/private/passdb.tdb rwk,
/run/lock/samba/smbd_cleanupd.tdb rwk,
```

This should probably be patched in `/etc/apparmor.d/abstractions/samba`. This is not entirely correct as only lock files should be marked with `k`. Some rules like the `msg.lock` folder in `abstractions/samba` point to `@{run}/samba/msg.lock/` when it's actually located at `/run/lock/samba/msg.lock`

^ permalink raw reply	[flat|nested] 9+ messages in thread
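
Added example, not part of the original issue or of the AppArmor tooling: a small parser that turns `apparmor="DENIED"` audit lines like the one quoted above into candidate rules carrying only the permissions that were actually denied, which is the point behind the remark that not every path needs `k`. The first log line is the one from the issue; the other `audit` lines are constructed, and the mapping of the audit letters `c`/`d` to the policy permission `w` is stated in the code.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks use "c" (create) and "d" (delete); in policy both are granted by "w".
AUDIT_TO_POLICY = {"c": "w", "d": "w"}
PERM_ORDER = "rwaklmx"

# First audit line is from the issue; the next two audit lines are constructed.
SAMPLE_LOG = """\
2021-10-04T17:36:41.68394 daemon.notice: Oct  4 19:36:41 smbd: directory_create_or_exist: mkdir failed on directory /run/lock/samba/msg.lock: Permission denied
2021-10-04T17:36:41.68430 kern.notice: [ 2298.919937] audit: type=1400 audit(1633369001.682:2245): apparmor="DENIED" operation="mkdir" profile="smbd" name="/run/lock/samba/msg.lock/" pid=7970 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2021-10-04T17:36:41.70000 kern.notice: [ 2298.930000] audit: type=1400 audit(1633369001.700:2246): apparmor="DENIED" operation="open" profile="smbd" name="/run/lock/samba/names.tdb" pid=7970 comm="smbd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
2021-10-04T17:36:41.71000 kern.notice: [ 2298.940000] audit: type=1400 audit(1633369001.710:2247): apparmor="DENIED" operation="file_lock" profile="smbd" name="/run/lock/samba/names.tdb" pid=7970 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

def parse_denials(log_text):
    """Yield (profile, path, denied_mask) for each AppArmor DENIED file event."""
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue  # not an AppArmor denial (e.g. the smbd daemon message)
        if "name" in fields and "denied_mask" in fields:
            yield fields["profile"], fields["name"], fields["denied_mask"]

def suggest_rules(log_text):
    """Return {profile: [rule, ...]} with the union of denied permissions per path."""
    needed = defaultdict(set)
    for profile, path, mask in parse_denials(log_text):
        needed[(profile, path)].update(AUDIT_TO_POLICY.get(ch, ch) for ch in mask)
    rules = defaultdict(list)
    for (profile, path), perms in sorted(needed.items()):
        if "w" in perms:
            perms.discard("a")  # a rule cannot carry both "w" and "a"
        granted = "".join(p for p in PERM_ORDER if p in perms)
        rules[profile].append(f"{path} {granted},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join(lines))
```

On the sample, the `msg.lock/` directory ends up needing only `w`, while `names.tdb` gets `rwk` because a lock denial was actually logged for it.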

* Re: apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
@ 2021-10-06  5:23 ` CameronNemo
  2021-10-06  5:49 ` CameronNemo
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: CameronNemo @ 2021-10-06  5:23 UTC (permalink / raw)
  To: ml

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/33335#issuecomment-935485117

Comment:
The profile for smbd and samba abstraction are from upstream apparmor. Should probably work there first, then backport to our package. That way we can get their eyes on the policy change.


* Re: apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
  2021-10-06  5:23 ` CameronNemo
@ 2021-10-06  5:49 ` CameronNemo
  2021-10-06 14:11 ` ahesford
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: CameronNemo @ 2021-10-06  5:49 UTC (permalink / raw)
  To: ml

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/33335#issuecomment-935516841

Comment:
@ahesford how would you feel about switching the samba private dir from /etc/samba/private to /var/lib/samba/private? Upside: more consistent with other distros, smbd does not write to /etc. Downside: I am not 100% sure whether the CLI client tools will still work with old versions of smbd. Users may need to restart the smbd service after an upgrade so that both the CLI clients and service are using the same private dir path.

```diff
diff --git a/srcpkgs/samba/template b/srcpkgs/samba/template
index 69ac97f71d..0755c79f6a 100644
--- a/srcpkgs/samba/template
+++ b/srcpkgs/samba/template
@@ -11,7 +11,7 @@ _auth_modules="auth_unix,auth_wbc,auth_server,auth_netlogind,autH_script,auth_sa
 configure_args="--enable-fhs --sbindir=/usr/bin
  --localstatedir=/var --sysconfdir=/etc --with-piddir=/run/samba
  --with-sockets-dir=/run/samba --with-lockdir=/run/lock/samba
- --with-privatedir=/etc/samba/private --with-pammodulesdir=/usr/lib/security
+ --with-pammodulesdir=/usr/lib/security
  --with-modulesdir=/usr/lib/samba --disable-rpath --disable-rpath-install
  --without-systemd --without-gettext --bundled-libraries=NONE
  --with-system-mitkrb5 --without-ad-dc --with-cluster-support
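Review bot: The dropped `--with-privatedir` argument in configure_args has no replacement, so the private directory is left to whatever configure derives from `--enable-fhs` and `--localstatedir=/var`, while make_dirs in the next hunk hard-codes `/var/lib/samba/private`. Pass `--with-privatedir=/var/lib/samba/private` explicitly so the compiled-in path and the packaged directory cannot drift apart on a later Samba update.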
@@ -30,7 +30,7 @@ distfiles="http://download.samba.org/pub/samba/stable/${pkgname}-${version}.tar.
 checksum=6f50353f9602aa20245eb18ceb00e7e5ec793df0974aebd5254c38f16d8f1906
 lib32disabled=yes
 conf_files="/etc/pam.d/samba /etc/samba/smb.conf"
-make_dirs="/etc/samba/private 0750 root root"
+make_dirs="/var/lib/samba/private 0700 root root"
 subpackages="smbclient samba-ctdb samba-cups samba-devel samba-libs samba-python3"

 if [ "$XBPS_TARGET_LIBC" = "musl" ]; then
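Review bot: The new make_dirs line creates `/var/lib/samba/private` but nothing here carries over what already lives in `/etc/samba/private` on installed systems, so an upgraded smbd would start against an empty private directory. Add a migration step or an install message telling users to move the contents, and mention the tightening from 0750 to 0700 in the commit message, since it is a separate change.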
```

* Re: apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
                   ` (2 preceding siblings ...)
  2021-10-06 14:11 ` ahesford
@ 2021-10-06 14:11 ` ahesford
  2022-01-24  2:41 ` CameronNemo
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: ahesford @ 2021-10-06 14:11 UTC (permalink / raw)
  To: ml

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/issues/33335#issuecomment-936310510

Comment:
I don't have a strong opinion about Samba and only use it to run a basic fileserver for Apple Time Machine backups. If moving the private directory to `/var/lib/samba/private` solves apparmor problems and doesn't break existing workflows, it's fine with me.

As far as needing to restart the server after upgrade, that's generally recommended anyway. I wouldn't worry too much about causing issues with the in-memory server.


* Re: apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
                   ` (3 preceding siblings ...)
  2021-10-06 14:11 ` ahesford
@ 2022-01-24  2:41 ` CameronNemo
  2022-06-06  2:15 ` github-actions
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: CameronNemo @ 2022-01-24  2:41 UTC (permalink / raw)
  To: ml

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/33335#issuecomment-1019661040

Comment:
Per comment in #33436, cannot change the samba privdir. Will need to change the AppArmor profiles. For now you can use a local override to work around the issue.


* Re: apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
                   ` (4 preceding siblings ...)
  2022-01-24  2:41 ` CameronNemo
@ 2022-06-06  2:15 ` github-actions
  2022-06-06 11:08 ` paper42
  2022-06-06 11:09 ` [ISSUE] [CLOSED] " paper42
  7 siblings, 0 replies; 9+ messages in thread
From: github-actions @ 2022-06-06  2:15 UTC (permalink / raw)
  To: ml

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/33335#issuecomment-1146964562

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.


* Re: apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
                   ` (5 preceding siblings ...)
  2022-06-06  2:15 ` github-actions
@ 2022-06-06 11:08 ` paper42
  2022-06-06 11:09 ` [ISSUE] [CLOSED] " paper42
  7 siblings, 0 replies; 9+ messages in thread
From: paper42 @ 2022-06-06 11:08 UTC (permalink / raw)
  To: ml

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/issues/33335#issuecomment-1147330179

Comment:
fixed by @CameronNemo in #33436


* Re: [ISSUE] [CLOSED] apparmor denying samba
  2021-10-05  7:57 [ISSUE] apparmor denying samba mustaqimM
                   ` (6 preceding siblings ...)
  2022-06-06 11:08 ` paper42
@ 2022-06-06 11:09 ` paper42
  7 siblings, 0 replies; 9+ messages in thread
From: paper42 @ 2022-06-06 11:09 UTC (permalink / raw)
  To: ml

Closed issue by mustaqimM on void-packages repository

https://github.com/void-linux/void-packages/issues/33335

Description:
### System

* xuname:  
  `Void 5.13.19_1 x86_64 GenuineIntel uptodate rrFFFF`
* package:  
  `samba-4.14.7_1` `libapparmor-3.0.3_1`

### Expected behavior
The samba service is run but a user is unable to connect to it because the necessary rules aren't set or are misconfigured.
### Actual behavior
```bash
2021-10-04T17:36:41.68394 daemon.notice: Oct  4 19:36:41 smbd: directory_create_or_exist: mkdir failed on directory /run/lock/samba/msg.lock: Permission denied
2021-10-04T17:36:41.68430 kern.notice: [ 2298.919937] audit: type=1400 audit(1633369001.682:2245): apparmor="DENIED" operation="mkdir" profile="smbd" name="/run/lock/samba/msg.lock/" pid=7970 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
```
This is just the first error of the path not correctly set in `/etc/apparmor.d/abstractions/samba`

### Steps to reproduce the behavior
1. Enable `apparmor` in the kernel cmdline: `apparmor=1 security=apparmor`
2. Start the `smbd` service

The necessary rules to make it work:

```bash

/run/lock/samba/msg.lock/ rwk,
/run/lock/samba/msg.lock/[0-9]* rwk,
/etc/samba/private/msg.sock/[0-9]* rwk,
/run/lock/samba/names.tdb rwk,
/etc/samba/private/secrets.tdb rwk,
/run/lock/samba/smbXsrv_version_global.tdb rwk,
/run/lock/samba/smbXsrv_client_global.tdb rwk,
/run/lock/samba/smbXsrv_session_global.tdb rwk,
/run/lock/samba/smbXsrv_tcon_global.tdb rwk,
/run/lock/samba/brlock.tdb rwk,
/run/lock/samba/locking.tdb rwk,
/run/lock/samba/leases.tdb rwk,
/run/lock/samba/gencache.tdb rwk,
/run/lock/samba/smbXsrv_open_global.tdb rwk,
/etc/samba/private/passdb.tdb rwk,
/run/lock/samba/smbd_cleanupd.tdb rwk,
```

This should probably be patched in `/etc/apparmor.d/abstractions/samba`. This is not entirely correct as only lock files should be marked with `k`. Some rules like the `msg.lock` folder in `abstractions/samba` point to `@{run}/samba/msg.lock/` when it's actually located at `/run/lock/samba/msg.lock`
