enterprise-support team mailing list archive

[Bug 1719354] Re: apparmor blocking smbd which is in complain mode

 

Since these samba profiles are experimental, not enabled by default, and
even when enabled by the user, are loaded in "complain" mode, I don't
think it's worth fixing for stable releases of Ubuntu.

Furthermore, they come from the src:apparmor package, not samba, and
that's a risky update for such a small reason. The risk to benefit ratio
is not in favor of this update.

For Jammy (current Ubuntu development release), I filed
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242 and I
will commit there most of the needed changes, leaving just the net_admin
one out.

Xenial is EOL, so nothing to be done there.

If you want to address this in Bionic yourself, I suggest this patch for /etc/apparmor.d/usr.sbin.smbd:
--- a/usr.sbin.smbd
+++ b/usr.sbin.smbd
@@ -49,6 +50,9 @@
   /{,var/}run/samba/smbd.pid rw,
   /{,var/}run/samba/msg.lock/ rw,
   /{,var/}run/samba/msg.lock/[0-9]* rwk,
+  # when started by systemd
+  /{,var/}run/systemd/notify w,
+
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,
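
Review bot: the comment on the added rule, "# when started by systemd", does not say what the write access is for. Wording such as "# sd_notify readiness notification when started by systemd" would tell the next reader why smbd needs `w` on /{,var/}run/systemd/notify and that nothing broader is intended. The hunk also adds a blank line after the new rule, where the original had none between the run/samba entries and /var/spool/samba/**; dropping it keeps the change to the rule and its comment.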


** Changed in: samba (Ubuntu Xenial)
       Status: Triaged => Won't Fix

** Changed in: samba (Ubuntu Bionic)
       Status: Triaged => Won't Fix

https://bugs.launchpad.net/bugs/1719354