[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

Wed, 23 Nov 2022 07:10:58 -0800 

** Also affects: apparmor (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Kinetic:
  New

Bug description:
  After the fix for bug #1990692, one more rule is needed it seems.

  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:

  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error 
NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was 
NT_STATUS_CONNECTION_DISCONNECTED

  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342):
  apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-
  k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-
  spoolss" name="/var/cache/samba/printing/" pid=129107
  comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000
  ouid=1000000

  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to