Bug 1088736 - apparmor denies net_admin capability to smb, nmb and winbindd
Status: RESOLVED DUPLICATE of bug 991901
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Samba
Version: Current
Hardware: Other openSUSE Factory
Priority: P5 - None, Severity: Normal
Assigned To: The 'Opening Windows to a Wider World' guys
Reported: 2018-04-09 18:08 UTC by Andreas Joppich
Modified: 2018-05-08 14:48 UTC (History)
Description Andreas Joppich 2018-04-09 18:08:14 UTC
Hi there,
I updated yesterday to the latest TW snapshot VERSION_ID="20180406", but this seems to have been happening since 20180404, as somebody on the factory mailing list writes.

After that, smb, nmb and winbindd won't start, but instead throw errors. Looks like apparmor is denying some capability "net_admin".

There is a bug from 2016, https://bugzilla.opensuse.org/show_bug.cgi?id=991901, which sounds similar, but it has been in state new/needinfo since 2017.

alpha:~ # systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2018-04-09 19:49:51 CEST; 22s ago
  Process: 6652 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
  Process: 6648 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
 Main PID: 6652 (code=exited, status=1/FAILURE)
   Status: "daemon failed to start: Failed to create session"
    Error: 1 (Die Operation ist nicht erlaubt)


AppArmor audit.log says:

type=AVC msg=audit(1523296191.449:596): apparmor="DENIED" operation="capable" profile="/usr/sbin/smbd" pid=6652 comm="smbd" capability=12  capname="net_admin"
type=AVC msg=audit(1523296254.959:597): apparmor="DENIED" operation="capable" profile="/usr/sbin/nmbd" pid=6667 comm="nmbd" capability=12  capname="net_admin"
type=AVC msg=audit(1523296296.570:598): apparmor="DENIED" operation="capable" profile="/usr/sbin/winbindd" pid=6737 comm="winbindd" capability=12  capname="net_admin"

Regards,
Andreas
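
Added example (not part of the original report, and not Samba or AppArmor project code): a small Python triage script that parses AVC records like the three quoted above and groups denied capability checks per profile. The function names and the report format are assumptions made for this illustration.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# The three AVC records quoted in the bug description above.
SAMPLE_LOG = """\
type=AVC msg=audit(1523296191.449:596): apparmor="DENIED" operation="capable" profile="/usr/sbin/smbd" pid=6652 comm="smbd" capability=12  capname="net_admin"
type=AVC msg=audit(1523296254.959:597): apparmor="DENIED" operation="capable" profile="/usr/sbin/nmbd" pid=6667 comm="nmbd" capability=12  capname="net_admin"
type=AVC msg=audit(1523296296.570:598): apparmor="DENIED" operation="capable" profile="/usr/sbin/winbindd" pid=6737 comm="winbindd" capability=12  capname="net_admin"
"""

PREFIX = "type=AVC msg=audit("


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    head, sep, body = line.partition("): ")
    if not sep or not head.startswith(PREFIX):
        return None
    stamp, _, serial = head[len(PREFIX):].partition(":")
    # shlex strips the quotes around values such as profile="/usr/sbin/smbd".
    fields = dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)
    fields["time"] = datetime.fromtimestamp(float(stamp), tz=timezone.utc)
    fields["serial"] = int(serial)
    return fields


def capability_denials(log_text):
    """Group DENIED capability checks by (profile, capname)."""
    groups = defaultdict(lambda: {"count": 0, "pids": [], "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "capable":
            continue
        g = groups[(rec["profile"], rec["capname"])]
        g["count"] += 1
        g["pids"].append(int(rec["pid"]))
        g["first"] = min(g["first"] or rec["time"], rec["time"])
        g["last"] = max(g["last"] or rec["time"], rec["time"])
    return dict(groups)


def report(log_text):
    """One summary line per confined profile and denied capability."""
    return [f"{profile}: capability {cap} denied {g['count']}x, pids {g['pids']}, "
            f"first seen {g['first']:%Y-%m-%d %H:%M:%S} UTC"
            for (profile, cap), g in sorted(capability_denials(log_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
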
Comment 1 Andreas Joppich 2018-04-09 19:36:21 UTC
Searched around a bit and found https://bugzilla.opensuse.org/show_bug.cgi?id=1088574#c5

Did as advised and everything works fine.

Nevertheless, the apparmor DENIED messages still appear in audit.log.
Comment 2 Samuel Cabrero 2018-05-08 14:48:31 UTC
Hi Andreas,

the Samba daemons call libsystemd's sd_notify to notify systemd that they are up and ready. The sd_notify implementation calls setsockopt to set SO_SNDBUFFORCE, which requires the NET_ADMIN capability. This is already reported here:

https://bugzilla.suse.com/show_bug.cgi?id=991901

*** This bug has been marked as a duplicate of bug 991901 ***