From c09f58a364594607cdf5703d6e11aec14ade3ea8 Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Wed, 28 Feb 2024 09:59:55 +0000
Subject: [PATCH] Fix some DENIES for smbd when honouring pam restrictions with smbd.conf param 'obey pam restrictions = yes' on tumbleweed we get some new DENIES (which can prevent login) e.g.
type=AVC msg=audit(1709113104.674:533): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/sbin/unix_chkpwd" pid=3509 comm="smbd[127.0.0.1]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1709110904.602:345): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/usr/etc/security/limits.d/" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1709110904.602:346): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/3746/loginuid" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1709110904.602:347): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/usr/etc/environment" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032
Signed-off-by: Noel Power
---
 profiles/apparmor.d/usr.sbin.smbd | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index 059f0e732..c171407e3 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd {
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
+  /usr/etc/environment r,
+  /usr/etc/security/limits.d/ r,
+  /usr/etc/security/limits.d/*.conf r,
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
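Review bot: The three rules added in hunk `@@ -33,6 +33,9 @@` hard-code the /usr/etc prefix, while the profile's own `/etc/samba/* rwk,` line just above uses /etc, so on a system without the UsrEtc layout pam_env and pam_limits would still be denied on the /etc variants of the same files unless an included abstraction already covers them. If this tree ships tunables/etc, `@{etc_ro}/environment r,`, `@{etc_ro}/security/limits.d/ r,` and `@{etc_ro}/security/limits.d/*.conf r,` cover both layouts with one rule each; otherwise a `/{usr/,}etc/` prefix does the same. The denials quoted in the description only show limits.d, but pam_limits also reads limits.conf in the same directory, so `@{etc_ro}/security/limits.conf r,` is likely needed too and is worth confirming with that file present. A one-line comment above the rules, `# pam_env / pam_limits config, read when 'obey pam restrictions = yes'`, would tell the next maintainer why a file server profile reads PAM configuration.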
@@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/share/samba/** r,
   /usr/{bin,sbin}/smbd mr,
   /usr/{bin,sbin}/smbldap-useradd Px,
+  /usr/sbin/unix_chkpwd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/nscd/netgroup r,
@@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd { @{run}/samba/ncalrpc/** rw, /var/spool/samba/** rw, + owner /proc/@{pid}/loginuid r, + @{HOMEDIRS}/** lrwk, /var/lib/samba/usershares/{,**} lrwk,
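Review bot: `/usr/sbin/unix_chkpwd Px,` in hunk `@@ -47,6 +50,7 @@` matches only the /usr/sbin path, whereas the `smbldap-useradd` rule directly above it is written as `/usr/{bin,sbin}/…`; on a distribution where the helper lives in /sbin the exec would still be denied, so `/usr/{bin,sbin}/unix_chkpwd Px,` (or the `/{,usr/}{,s}bin/` form) keeps the rule consistent with its neighbour and portable. Px also fails closed when no profile for unix_chkpwd is loaded, which would reproduce the login failure the description reports on systems that do not ship one; if this tree carries a unix-chkpwd profile the rule can name it explicitly with `Px -> unix-chkpwd,`, otherwise a comment stating that dependency would help. Px rather than ix is the right choice here, since unix_chkpwd is a setuid helper that reads the shadow database and should not inherit smbd's permissions.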