Bug 1211981

Summary: [Build 20230602] usr_sbin_smbd: Nautilus fails to connect to smbd
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dominique Leuenberger <dimstar>
Component: AppArmorAssignee: Christian Boltz <suse-beta>
Status: RESOLVED WORKSFORME QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.opensuse.org/tests/3334537/modules/usr_sbin_smbd/steps/77
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---

Description Dominique Leuenberger 2023-06-04 04:45:03 UTC 
## Observation

Snapshot contains an update of apparmor which seems to trigger this.
On first look could not spot anything in the audit logs


openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in
[usr_sbin_smbd](https://openqa.opensuse.org/tests/3334537/modules/usr_sbin_smbd/steps/77)

## Test suite description
Maintained by QE Security


## Reproducible

Fails since (at least) Build [20230526](https://openqa.opensuse.org/tests/3319104)


## Expected result

Last good: [20230525](https://openqa.opensuse.org/tests/3318288) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)
Comment 1 Christian Boltz 2023-06-04 12:57:56 UTC 
Hmm, that's interesting[tm].

AppArmor 3.1.4 includes some profile updates (see below), but all these changes _add_ permissions. Also, the audit.log doesn't show any denials. This makes it quite unlikely that AppArmor is blocking something here.

Just wondering - were there any updates related to Samba or Nautilus in this snapshot? Or maybe a kernel update?



The profile changes that might influence samba were:

+++ apparmor-abstractions/etc/apparmor.d/abstractions/base
-  /usr/share/zoneinfo/           r,
-  /usr/share/zoneinfo/**         r,
+  /usr/share/zoneinfo{,-icu}/    r,
+  /usr/share/zoneinfo{,-icu}/**  r,
(= also allow "zzoneinfo-icu)

+++ apparmor-abstractions/etc/apparmor.d/abstractions/kerberosclient
+  /usr/lib{,32,64}/krb5/plugins/authdata/ r,
+  /usr/lib{,32,64}/krb5/plugins/authdata/* mr,
+  /usr/lib/@{multiarch}/krb5/plugins/authdata/ r,
+  /usr/lib/@{multiarch}/krb5/plugins/authdata/* mr,

+++ apparmor-abstractions/etc/apparmor.d/abstractions/samba  
-  /var/log/samba/* w,
+  /var/log/samba/* rw,

+++ apparmor-profiles/etc/apparmor.d/usr.sbin.winbindd
+  include <abstractions/kerberosclient>
+  /var/lib/sss/pubconf/kdcinfo.* r,
Comment 2 Dominique Leuenberger 2023-06-05 06:55:12 UTC 
(In reply to Christian Boltz from comment #1)
> Hmm, that's interesting[tm].
> 
> AppArmor 3.1.4 includes some profile updates (see below), but all these
> changes _add_ permissions. Also, the audit.log doesn't show any denials.
> This makes it quite unlikely that AppArmor is blocking something here.
> 
> Just wondering - were there any updates related to Samba or Nautilus in this
> snapshot? Or maybe a kernel update?

The nautilus update was 3 days before the error started, no samba or kernel update in the last two days.
Comment 3 Dominique Leuenberger 2023-06-05 07:55:29 UTC 
https://openqa.opensuse.org/tests/3336593#step/usr_sbin_smbd/76

test passed... seems to be a blue-moon-phenomen