|
Bugzilla – Full Text Bug Listing |
| Summary: | [Build 20240531] samba 4.20.1 gives DENIED in audit.log | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Dominique Leuenberger <dimstar> |
| Component: | AppArmor | Assignee: | Christian Boltz <suse-beta> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | nopower, samba-maintainers, suse-beta |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://openqa.opensuse.org/tests/4242034/modules/usr_sbin_smbd/steps/104 | ||
| Whiteboard: | |||
| Found By: | openQA | Services Priority: | |
| Business Priority: | Blocker: | Yes | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: |
patchj to squash apparmor errors
version of patch with modifications also to the samba-rpcd profile |
||
|
Description
Dominique Leuenberger
2024-06-03 08:44:49 UTC
rpcd_witness seems to be new, I never heard of it before.
The obvious solution is to add an exec rule like
/usr/lib64/samba/rpcd_witness Px,
but this is only half of the story because the profile for rpcd_witness also needs to be created.
Noel, you are more familiar with Samba than I am. Can you provide the audit.log lines for rpcd_witness, or even a working profile?
(In reply to Christian Boltz from comment #1)
> rpcd_witness seems to be new, I never heard of it before.
>
> The obvious solution is to add an exec rule like
> /usr/lib64/samba/rpcd_witness Px,
> but this is only half of the story because the profile for rpcd_witness also
> needs to be created.
>
> Noel, you are more familiar with Samba than I am. Can you provide the
> audit.log lines for rpcd_witness, or even a working profile?

it has taken me a while to get rpcd_witness up and working such that I could test it (I also am not familiar with this area)

I am preparing the information now (I already got some mods to squash the errors) but now I am putting things back so I can record the audit.log errors etc. I will upload an audit.log and suggested changes to fix here in a while

Created attachment 875353
patchj to squash apparmor errors
(In reply to Noel Power from comment #3)
> Created attachment 875353
> patchj to squash apparmor errors

the only log entry I got was similar to the one already mentioned in comment #0

grep witness apparmor-witness/audit.log
type=AVC msg=audit(1717665586.168:324): apparmor="DENIED" operation="exec" class="file" profile="samba-dcerpcd" name="/usr/lib64/samba/rpcd_witness" pid=8516 comm="samba-dcerpcd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

and I invoked all of the rpc methods the new rpcd_witness service provides (with no extra DENIES observed)

I *think* the change attached is all that is required (there didn't seem to be any need to add 'witness' to any of the existing entries in the 'common' samba-rpcd profile) but maybe for completeness we should ? I did have changes here but on the second run (after a reboot) I didn't seem to need them (but that might be some cache issue)

I will attach the full set of modifications here also

Created attachment 875354
version of patch with modifications also to the samba-rpcd profile
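
Added example, not part of the bug report or of AppArmor's own tooling: a small Python triage script for audit.log records like the one quoted in the comment above, listing what was denied per profile and which denied executions need an exec rule. The first sample record is the denial from this bug; the other three records, the function names and the hex-encoded path are constructed for illustration.

```python
import re
from collections import defaultdict

# Record 1 is the denial quoted in this bug. Records 2-4 are constructed for
# this example: complain-mode entry, hex-encoded name, non-AppArmor record.
SAMPLE_LOG = """\
type=AVC msg=audit(1717665586.168:324): apparmor="DENIED" operation="exec" class="file" profile="samba-dcerpcd" name="/usr/lib64/samba/rpcd_witness" pid=8516 comm="samba-dcerpcd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1717665590.001:330): apparmor="ALLOWED" operation="open" class="file" profile="samba-dcerpcd" name="/etc/samba/smb.conf" pid=8516 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1717665591.002:331): apparmor="DENIED" operation="open" class="file" profile="samba-dcerpcd" name=2F7372762F6D792073686172652F61 pid=8516 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1717665591.003:332): arch=c000003e syscall=59 success=no exit=-13 comm="samba-dcerpcd"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the audit subsystem may emit as unquoted hex (value contains spaces, quotes, ...).
HEX_FIELDS = {"name", "comm"}

def parse_record(line):
    """Return the key/value fields of one audit record as a dict."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1]
        elif key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            raw = bytes.fromhex(raw).decode("utf-8", "replace")
        fields[key] = raw
    return fields

def denials(log_text):
    """Map (profile, operation, name) -> set of denied permission letters."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # skips complain-mode ALLOWED entries and non-AppArmor records
        key = (rec.get("profile"), rec.get("operation"), rec.get("name"))
        found[key].update(rec.get("denied_mask", ""))
    return dict(found)

def exec_targets(found):
    """(profile, binary) pairs whose execution was denied. Each needs an exec
    rule in that profile; with a Px rule the binary also needs its own profile."""
    return sorted({(p, n) for (p, op, n), m in found.items() if op == "exec" and "x" in m})

if __name__ == "__main__":
    result = denials(SAMPLE_LOG)
    for (profile, op, name), mask in sorted(result.items()):
        print(f"{profile}: {op} {name} denied={''.join(sorted(mask))}")
    for profile, name in exec_targets(result):
        print(f"exec rule needed in {profile} for {name}")
```

The script only reports what was denied; which exec mode to grant (for example the Px discussed above) remains a policy decision for the profile author.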
Your patch from comment 5 looks good :-)

I submitted it upstream as
https://gitlab.com/apparmor/apparmor/-/merge_requests/1256

(In reply to Christian Boltz from comment #6)
> Your patch from comment 5 looks good :-)
>
> I submitted it upstream as
> https://gitlab.com/apparmor/apparmor/-/merge_requests/1256

do we need to make a submission here to factory? I can do that if it helps

(In reply to Noel Power from comment #7)
> do we need to make a submission here to factory? I can do that if it helps

I won't stop you ;-) but upstream promised to release 4.0.2 in some days (and will hopefully merge the patch before), so unless getting this fixed is urgent, you can just wait a few days.

(In reply to Christian Boltz from comment #8)
> (In reply to Noel Power from comment #7)
> > do we need to make a submission here to factory? I can do that if it helps
>
> I won't stop you ;-) but upstream promised to release 4.0.2 in some days
> (and will hopefully merge the patch before), so unless getting this fixed is
> urgent, you can just wait a few days.

any news on this Christian, will the new release be happening soon or is it worth at this point to push the patch

Unfortunately the upstream release was delayed because people are too busy, and it will take some more days until it gets released.

I just submitted SR 1183251 which adds the patch.

BTW: I'll be at the openSUSE Conference in the next days. If you are also there, I'd be happy to meet you ;-)

This is an autogenerated message for OBS integration:
This bug (1225811) was mentioned in
https://build.opensuse.org/request/show/1183251 Factory / apparmor

(In reply to Christian Boltz from comment #10)
> Unfortunately the upstream release was delayed because people are too busy,
> and it will take some more days until it gets released.
>
> I just submitted SR 1183251 which adds the patch.

Thanks a lot

> BTW: I'll be at the openSUSE Conference in the next days. If you are also
> there, I'd be happy to meet you ;-)

:-( unfortunately not going, but on the other hand I escape buying you some beers that I surely owe you :-P |