Intrepid apparmor profile for Samba breaks group mapping

Bug #294802 reported by Tessa
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

This was discovered while working on #286080. The /etc/apparmor.d/usr.sbin.smbd config file from apparmor-profiles-2.3+1289-0ubuntu4 contains the line:

/var/lib/samba/** rk,

Which then blocks samba from valid group mapping operations, and results in the following error in the kernel logs:

Nov 6 00:21:35 mr-t kernel: [23514.474754] type=1502 audit(1225959695.171:1889): operation="inode_permission" requested_mask="rw::" denied_mask="w::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17324 profile="/usr/sbin/smbd"

Line should be changed to rwk.

Sammy Spets (sammys) wrote :

Confirmed

Changed in apparmor:
status: New → Confirmed
Sammy Spets (sammys) wrote :

Also has another issue:

Nov 10 20:38:51 fff kernel: [ 2725.476762] type=1502 audit(1226309931.209:144): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/dbus/system_bus_socket" pid=13600 profile="/usr/sbin/smbd"

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. A fix for this has been committed to the apparmor bzr branch.

Changed in apparmor:
assignee: nobody → jdstrand
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu6

---------------
apparmor (2.3+1289-0ubuntu6) jaunty; urgency=low

  [ Kees Cook ]
  * abstractions/X: add DRI paths.
  * parser/Makefile: blacklist AF_PHONET.

  [ Jamie Strandboge ]
  * update usr.sbin.smbd profile to write to /var/lib/samba/** and
    read/write to /var/run/dbus/system_bus_socket (LP: #294802)
  * abstractions/freedesktop.org: use /usr/share/mime/**, @{HOME}/.icons/,
    and @{HOME}/.recently-used.xbel*
  * abstractions/gnome: add gvfs remote-volume-monitors paths and printing
    files

 -- Kees Cook <email address hidden> Mon, 22 Dec 2008 17:20:10 -0800

Changed in apparmor:
status: Fix Committed → Fix Released
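
The two denials quoted in this report can be checked mechanically against the profile rule to see which permission letters are missing. The following Python sketch is an added example, not part of the original report or of the apparmor package; the function names, the simplified glob handling, and the treatment of the "::" in the mask as a plain separator are assumptions.

```python
import re

# The two denial lines quoted in this report, used as sample input.
AUDIT_LINES = [
    'Nov 6 00:21:35 mr-t kernel: [23514.474754] type=1502 audit(1225959695.171:1889): '
    'operation="inode_permission" requested_mask="rw::" denied_mask="w::" fsuid=0 '
    'name="/var/lib/samba/group_mapping.ldb" pid=17324 profile="/usr/sbin/smbd"',
    'Nov 10 20:38:51 fff kernel: [ 2725.476762] type=1502 audit(1226309931.209:144): '
    'operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 '
    'name="/var/run/dbus/system_bus_socket" pid=13600 profile="/usr/sbin/smbd"',
]
# The one rule the report quotes from usr.sbin.smbd (a real profile has more).
RULES = [("/var/lib/samba/**", "rk")]
ORDER = "rwaklmx"  # display order for permission letters (assumption)


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' does not."""
    parts = re.split(r"(\*\*|\*)", glob)
    body = "".join({"**": ".*", "*": "[^/]*"}.get(p, re.escape(p)) for p in parts)
    return re.compile(body + r"\Z")


def parse_denial(line):
    """Return (path, denied permission letters) or None if not a denial."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if "denied_mask" not in fields or "name" not in fields:
        return None
    # Assumption: letters are permissions, '::' only separates mask sections.
    return fields["name"], set(fields["denied_mask"].replace(":", ""))


def suggest(line, rules):
    """Return (rule path, current perms, perms that would cover the denial)."""
    parsed = parse_denial(line)
    if parsed is None:
        return None
    path, denied = parsed
    rank = lambda c: ORDER.index(c) if c in ORDER else len(ORDER)
    for glob, perms in rules:
        if glob_to_regex(glob).match(path):
            return glob, perms, "".join(sorted(set(perms) | denied, key=rank))
    return path, "", "".join(sorted(denied, key=rank))  # no rule covers the path


if __name__ == "__main__":
    for line in AUDIT_LINES:
        print(suggest(line, RULES))
```

The result is only the smallest permission set that covers each logged denial, to be reviewed before editing a profile; the released fix, for instance, grants read/write on the D-Bus socket rather than write alone.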