Hi,

Thank you all for the replies. 

As said, I don't use apparmor, so yes, most of the below were assumptions.
That's why I've asked for verification; we (I) can't know everything.

What I did was, I looked at Ubuntu's settings and Debian's settings and added
both,
so people on the samba list were helped and got their samba running.

And as you guys showed, the setting used is overkill, so that is the part
I wanted to get fixed.

I'm running and testing on stretch, but apparmor is not installed on any of
my systems and that is also not going to happen.

What I can say/confirm (Debian 9):

rgrep samba /etc/apparmor.d/
/etc/apparmor.d/usr.sbin.ntpd:  # samba4 ntp signing socket
/etc/apparmor.d/usr.sbin.ntpd:  /{,var/}run/samba/ntp_signd/socket rw,

Now, Bernard also showed that the current setting isn't correct/not working
as it should,
because the current path is wrong.

So if I understand the apparmor setting, all we need is:

So this is currently in Debian 9 (wrong path):
# samba4 ntp signing socket
/{,var/}run/samba/ntp_signd/socket rw,

And based on the info you have shown, I can say we only need:
# samba4 ntp signing socket
/var/lib/samba/ntp_signd/{,*} rw,

Or 
# samba4 ntp signing socket
/var/lib/samba/ntp_signd/       r,
/var/lib/samba/ntp_signd/socket rw,

Or 
# samba4 ntp signing socket
/var/lib/samba/ntp_signd/socket rw,

If the last gets passthrough the folder via the RW on the socket,
then the last is the preferred.

Let's say the preferred one is of course the most secure one.
Last thing I noticed.

( Thanks Bernard for this ) 
sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = 0

How does apparmor handle the // as shown? Is that ignored or seen as /?

Because if that's not handled by apparmor, I'll notify the samba devs.
Yes, that's me too, but I'm not a coder.

All other parts can be removed (the winbind parts).
These are not used, as it's shown.


> BTW: Do you use the samba profiles from upstream AppArmor?
> - If so,  please  contribute your additions upstream at 
>   https://gitlab.com/apparmor/apparmor/
> - If not - why? ;-)

I don't use it at all, and it isn't even installed in my setup.
I set up with expert, only chose ssh-server at tasksel.
So a nice and very clean server, which I prefer.

Best regards, 

Louis
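
Added example (not part of the original message, and not AppArmor's own matcher): a simplified Python model of AppArmor path globbing, covering only {a,b} and *, that checks which paths each rule set quoted in the message covers. It assumes the rule is compared against the path with // collapsed to /; the file name "other" is constructed.

```python
import re

def expand_braces(rule):
    """Expand {a,b} alternations (non-nested) into plain globs."""
    m = re.search(r"\{([^{}]*)\}", rule)
    if not m:
        return [rule]
    globs = []
    for alt in m.group(1).split(","):
        globs += expand_braces(rule[:m.start()] + alt + rule[m.end():])
    return globs

def glob_to_regex(glob):
    """Translate '*' only: it never crosses '/', and a '*' that is a whole
    path component must match at least one character."""
    out = ""
    for i, ch in enumerate(glob):
        if ch == "*":
            whole = (i > 0 and glob[i - 1] == "/") and (
                i + 1 == len(glob) or glob[i + 1] == "/")
            out += "[^/]+" if whole else "[^/]*"
        else:
            out += re.escape(ch)
    return re.compile(out)

def covered(rules, path):
    """True if any rule matches the path; repeated slashes are collapsed
    first (assumption: the matcher sees a normalised path)."""
    path = re.sub(r"/+", "/", path)
    return any(glob_to_regex(g).fullmatch(path)
               for rule in rules for g in expand_braces(rule))

# Rule sets copied from the message (permission bits left out).
RULESETS = {
    "debian9": ["/{,var/}run/samba/ntp_signd/socket"],
    "option1": ["/var/lib/samba/ntp_signd/{,*}"],
    "option2": ["/var/lib/samba/ntp_signd/", "/var/lib/samba/ntp_signd/socket"],
    "option3": ["/var/lib/samba/ntp_signd/socket"],
}
SOCKET = "/var/lib/samba/ntp_signd//socket"   # sun_path from the strace line
DIRECTORY = "/var/lib/samba/ntp_signd/"
OTHER = "/var/lib/samba/ntp_signd/other"      # constructed sibling file name

def report():
    """Per rule set: (socket covered, directory covered, other file covered)."""
    return {name: tuple(covered(rules, p) for p in (SOCKET, DIRECTORY, OTHER))
            for name, rules in RULESETS.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(name, dict(zip(("socket", "directory", "other file"), hits)))
```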
