Bug 945563 - Samba 4.3.0 does not work because of AppArmor
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Samba
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Assigned To: Christian Boltz
The 'Opening Windows to a Wider World' guys
Reported: 2015-09-11 22:23 UTC by Giuseppe Gorgoglione
Modified: 2015-09-20 12:45 UTC (History)
Attachments
audit.log (52.86 KB, application/zip)
2015-09-11 22:23 UTC, Giuseppe Gorgoglione
Description Giuseppe Gorgoglione 2015-09-11 22:23:42 UTC
Created attachment 647048
audit.log

Tumbleweed Snapshot 20150909 introduced Samba 3.4.0.
After this update, Samba services nmbd and smbd do not start anymore because of now inadequate AppArmor permissions.

The following commands temporarily fix the issue:

> aa-complain /etc/apparmor.d/usr.sbin.smbd
> aa-complain /etc/apparmor.d/usr.sbin.nmbd
> systemctl restart smbd.service
> systemctl restart nmbd.service

Attached you can find the audit.log file collected after enabling aa-complain.
Comment 1 Lars Müller 2015-09-12 14:21:17 UTC
Thanks for the report!

Both profiles - /etc/apparmor.d/usr.sbin.{n,s}mbd - aren't part of the
Samba package.  They are shipped as part of the apparmor-profiles
package.  Therefore I'm passing this issue to Christian.
Comment 2 Christian Boltz 2015-09-12 15:12:09 UTC
Please edit /etc/apparmor.d/usr.sbin.smbd and /etc/apparmor.d/usr.sbin.nmbd and add the following lines to both of them (inside the { ...} section):

  /etc/samba/sock/ rw,
  /etc/samba/sock/* w,

That should cover all samba-related events in your audit.log.


Lars, does winbindd also need those permissions? (I wonder if I should add them to abstractions/samba instead of the individual profiles.)
Comment 3 Lars Müller 2015-09-12 20:14:39 UTC
(In reply to Christian Boltz from comment #2)
> Lars, does winbindd also need those permissions? (I wonder if I should add
> them to abstractions/samba instead of the individual profiles.)

winbindd suffers from the same issue.

As suggested in comment#2 I tested the abstractions/samba approach and
the three services are working while all failed before.
Comment 4 Christian Boltz 2015-09-13 07:54:42 UTC
OK, so the final patch (which I just submitted upstream) is:

=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba      2015-05-18 23:25:26 +0000
+++ profiles/apparmor.d/abstractions/samba      2015-09-13 07:44:19 +0000
@@ -10,6 +10,8 @@
 # ------------------------------------------------------------------
 
   /etc/samba/* r,
+  /etc/samba/sock/ rw,
+  /etc/samba/sock/* w,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
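
Review bot: the two added lines `/etc/samba/sock/ rw,` and `/etc/samba/sock/* w,` have no comment, and they are the only rules in this hunk that grant write access below /etc/samba/ (the line directly above them is `/etc/samba/* r,`). Because they sit in the abstraction, every profile that includes abstractions/samba gets that write permission, so please add a comment line saying which daemon behaviour needs the sock directory, and check whether the directory rule needs `r` in addition to `w`.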


Giuseppe: I forgot to mention that you need to run "rcapparmor reload" after manually editing a profile.
Comment 5 Giuseppe Gorgoglione 2015-09-13 14:05:27 UTC
I was late reading your first comment and applied the second fix directly to abstractions/samba. I confirm it works fine.

Thank you for your prompt support!
Comment 6 Christian Boltz 2015-09-13 20:32:21 UTC
You are welcome ;-)

I just committed an updated package to Factory (SR 330818).
Comment 7 Bernhard Wiedemann 2015-09-13 21:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (945563) was mentioned in
https://build.opensuse.org/request/show/330818 Factory / apparmor
Comment 8 Bernhard Wiedemann 2015-09-14 10:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (945563) was mentioned in
https://build.opensuse.org/request/show/330873 Factory / apparmor
Comment 9 Christian Boltz 2015-09-16 12:33:30 UTC
For the record - this bug report is about Samba 4.3, not 3.4 ;-)

Also, as discussed on the AppArmor mailing list, /etc/ is not really a good place for sockets. Therefore reopening and assigning back to Lars ;-)  (Please don't wait too long with getting a better path (/run/samba/ ?) - I'd hate to keep /etc/samba/sock/ in the profile, but removing it again is only a sane option if the paths are changed quickly ;-)
Comment 10 Lars Müller 2015-09-16 14:27:52 UTC
I'm sorry, but /etc/samba/sock/ has to be replaced by

  /var/lib/samba/private/sock

We found a quite old packaging bug in the SUSE Samba package which has
its roots ten years back.

On the SUSE Samba side this got fixed with build source timestamp 3481
which is on the way to openSUSE Factory with submit request 331521
https://build.opensuse.org/request/show/331521
Comment 11 Lars Müller 2015-09-16 14:51:08 UTC
Thanks for reopening and please (re)adjust the AppArmor package.
Comment 12 Christian Boltz 2015-09-16 15:56:34 UTC
(In reply to Lars Müller from comment #10)
> I'm sorry, but /etc/samba/sock/ has to be replaced by
> 
>   /var/lib/samba/private/sock

abstractions/samba already contains
  /var/lib/samba/** rwk,
so the only thing I need to do is to drop the patch that adds /etc/samba/sock/ ;-)

Since the patch didn't enter Factory yet (the SR was still pending), I just removed all traces of it (including the .changes entry) and sent a new SR.

> We found a quite old packaging bug in the SUSE Samba package which has
> its roots ten years back.

    -	--with-privatedir=%{CONFIGDIR}

Oh, nice ;-)
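
The coverage question behind comments 2 and 12, as an added example (not code from this bug report or from the AppArmor project): it replays audit events against a rule set to show which paths stay uncovered, and checks that the new socket path already falls under `/var/lib/samba/** rwk,`. The log lines and the socket file name `1201` are constructed, the rule lists are only the subset quoted in this thread, and the glob matcher is a simplified stand-in for AppArmor's own.

```python
import re

# Rules quoted in this thread (a subset of abstractions/samba) and the patch.
BASE_RULES = ["/etc/samba/* r,", "/var/lib/samba/** rwk,"]
PATCH_RULES = ["/etc/samba/sock/ rw,", "/etc/samba/sock/* w,"]

# Constructed complain-mode events in the AppArmor audit format; they are
# NOT taken from the audit.log attached to this bug (pids/timestamps made up).
SAMPLE_LOG = '''\
type=AVC msg=audit(1442009001.101:201): apparmor="ALLOWED" operation="mkdir" profile="/usr/sbin/smbd" name="/etc/samba/sock/" pid=1201 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1442009001.105:202): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/etc/samba/sock/1201" pid=1201 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_events(log):
    """Return (profile, path, denied_mask) for each AppArmor file event."""
    events = []
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") in ("ALLOWED", "DENIED") and "name" in f:
            events.append((f["profile"], f["name"], f["denied_mask"]))
    return events

def glob_to_regex(glob):
    """Simplified AppArmor glob: '*' stays inside one path component,
    '**' crosses '/'. Both need at least one character, which holds for
    a glob that directly follows '/' as in the rules used here."""
    parts = re.split(r"(\*\*|\*)", glob)
    table = {"**": "[^/].*", "*": "[^/]+"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def covered(path, mask, rules):
    """True if the rules matching `path` grant everything in `mask`."""
    # The log reports create (c) and delete (d); profiles grant both via 'w'.
    need = {"w" if m in "cd" else m for m in mask}
    granted = set()
    for rule in rules:
        glob, perms = rule.rstrip(",").split()
        if glob_to_regex(glob).match(path):
            granted |= set(perms)
    return need <= granted

def uncovered(log, rules):
    """Paths from the log that the given rule set would still deny."""
    return sorted({p for _, p, m in parse_events(log) if not covered(p, m, rules)})

if __name__ == "__main__":
    print("before patch:", uncovered(SAMPLE_LOG, BASE_RULES))
    print("after patch: ", uncovered(SAMPLE_LOG, BASE_RULES + PATCH_RULES))
    print("new path ok: ", covered("/var/lib/samba/private/sock/1201", "c", BASE_RULES))
```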
Comment 13 Christian Boltz 2015-09-16 15:57:02 UTC
.
Comment 14 Lars Müller 2015-09-20 12:45:21 UTC
https://lists.ubuntu.com/archives/apparmor/2015-September/008558.html
points to the thread at the AppArmor list.