From 3ae5be33e2a7bd93947e10d545a84d2cd9eb74de Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Wed, 9 May 2018 21:00:30 +0200
Subject: [PATCH] profiles: update samba profiles

- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location

Based on a patch by "Samuel Cabrero" <scabrero@suse.com>

(cherry picked from commit 23b5f29b80582aacd23fb63c026cdf7c0dc21233)

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099

Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/121
---
 profiles/apparmor.d/usr.sbin.smbd     | 3 ++-
 profiles/apparmor.d/usr.sbin.winbindd | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index 6cc785534..9a3d658dd 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -28,8 +28,9 @@
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
   /usr/lib*/samba/vfs/*.so mr,
+  /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
-  /usr/lib*/samba/auth/script.so mr,
+  /usr/lib*/samba/gensec/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index 7788cb0d3..3dcab3c19 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -34,6 +34,7 @@
   /{var/,}run/samba/winbindd.pid rwk,
   /{var/,}run/samba/winbindd/ rw,
   /{var/,}run/samba/winbindd/pipe w,
+  /{var/,}run/user/*/krb5cc/* rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.winbindd>