Merge several fixes for samba-related profiles and the kerberos abstraction

See the individual commits for details. Signed-off-by: Noel Power <noel.power@suse.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/989 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-03-04 08:24:42 +01:00 · 2023-03-14 20:03:01 +00:00 · 2023-03-14 20:03:01 +00:00 · bba1a023bf
commit bba1a023bf
parent ff9bac7169 e5654f1f81
3 changed files with 8 additions and 1 deletions
--- a/profiles/apparmor.d/abstractions/kerberosclient
+++ b/profiles/apparmor.d/abstractions/kerberosclient
@ -22,6 +22,11 @@
  /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
  /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,

+  /usr/lib{,32,64}/krb5/plugins/authdata/ r,
+  /usr/lib{,32,64}/krb5/plugins/authdata/* mr,
+  /usr/lib/@{multiarch}/krb5/plugins/authdata/ r,
+  /usr/lib/@{multiarch}/krb5/plugins/authdata/* mr,
+
  /etc/krb5.keytab            rk,
  /etc/krb5.conf              r,
  /etc/krb5.conf.d/           r,
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@ -23,7 +23,7 @@
  /var/lib/samba/** rwk,
  /var/log/samba/cores/ rw,
  /var/log/samba/cores/** rw,
-  /var/log/samba/* w,
+  /var/log/samba/* rw,
  @{run}/{,lock/}samba/ w,
  @{run}/{,lock/}samba/*.tdb rwk,
  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@ -6,6 +6,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/samba>
+  include <abstractions/kerberosclient>

  deny capability block_suspend,

@ -29,6 +30,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
  /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
  /usr/{bin,sbin}/winbindd mr,
  /var/cache/krb5rcache/* rwk,
+  /var/lib/sss/pubconf/kdcinfo.* r,
  /var/log/samba/log.winbindd rw,
  @{run}/{samba/,}winbindd.pid rwk,
  @{run}/samba/winbindd/ rw,