group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1719354] Re: apparmor blocking smbd which is in complain mode

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Andreas Hasenack <1719354@xxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Nov 2021 12:26:02 -0000
Reply-to: Bug 1719354 <1719354@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Since these samba profiles are experimental, not enabled by default, and
even when enabled by the user, are loaded in "complain" mode, I don't
think it's worth fixing for stable releases of Ubuntu.

Furthermore, they come from the src:apparmor package, not samba, and
that's a risky update for such a small reason. The risk to benefit ratio
is not in favor for this update.

For Jammy (current Ubuntu development release), I filed
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242 and I
will commit there most of the needed changes, leaving just the net_admin
one out.

Xenial is EOL, so nothing to be done there.

If you want to address this in Bionic yourself, I suggest this patch for /etc/apparmor.d/usr.sbin.smbd:
--- a/usr.sbin.smbd
+++ b/usr.sbin.smbd
@@ -49,6 +50,9 @@
   /{,var/}run/samba/smbd.pid rw,
   /{,var/}run/samba/msg.lock/ rw,
   /{,var/}run/samba/msg.lock/[0-9]* rwk,
+  # when started by systemd
+  /{,var/}run/systemd/notify w,
+
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,


** Changed in: samba (Ubuntu Xenial)
       Status: Triaged => Won't Fix

** Changed in: samba (Ubuntu Bionic)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1719354

Title:
  apparmor blocking smbd which is in complain mode

Status in samba package in Ubuntu:
  Fix Released
Status in samba source package in Xenial:
  Won't Fix
Status in samba source package in Bionic:
  Won't Fix

Bug description:
  This error is occurring because samba is working in user profile and
  folder '/run/samba/msg.log' has owner as root. Any log created will be
  as root. Hence, samba not able to log anything.

  
  aravind@comp:~$ tail -f /var/log/syslog | grep -i apparmor
  Sep 25 21:25:36 comp kernel: [ 4535.034713] audit: type=1400 audit(1506354936.898:275): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4470" pid=5690 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Sep 25 21:25:36 comp kernel: [ 4535.034719] audit: type=1400 audit(1506354936.898:276): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4470" pid=5690 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Sep 25 21:27:39 comp kernel: [ 4657.984668] audit: type=1400 audit(1506355059.847:290): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  Sep 25 21:27:39 comp kernel: [ 4657.984675] audit: type=1400 audit(1506355059.847:291): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
  Sep 25 21:27:39 comp kernel: [ 4657.984679] audit: type=1400 audit(1506355059.847:292): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Sep 25 21:27:39 comp kernel: [ 4657.984684] audit: type=1400 audit(1506355059.847:293): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Sep 25 21:27:39 comp kernel: [ 4657.991838] audit: type=1400 audit(1506355059.855:294): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
  ^C

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apparmor 2.10.95-0ubuntu2.7
  ProcVersionSignature: Ubuntu 4.10.0-35.39~16.04.1-generic 4.10.17
  Uname: Linux 4.10.0-35-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.1-0ubuntu2.10
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Sep 25 21:27:07 2017
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.10.0-35-generic root=UUID=3bdb5792-d2a2-4f98-97bd-f274c3d0dde1 ro quiet splash crashkernel=384M-:128M vt.handoff=7
  SourcePackage: apparmor
  Syslog:
   Sep 25 10:34:40 comp dbus[1174]: [system] AppArmor D-Bus mediation is enabled
   Sep 25 18:34:05 comp dbus[1083]: [system] AppArmor D-Bus mediation is enabled
   Sep 25 20:10:24 comp dbus[1066]: [system] AppArmor D-Bus mediation is enabled
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1719354/+subscriptions