Tag profiles and abstractions with abi information.
Tagging abstractions is not strictly necessary but allows the parser
to detect when there is a mismatch and that policy will need an
update for abi.
We do not currently tag the tunables because variable declarations
are not currently affected by abi.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>

Winbind requires access to /var/cache/samba/msg.lock/*.
Move msg.lock/ to abstractions/samba.
On Arch Linux Winbind's pid is set to /run/winbindd.pid.
Signed-off-by: nl6720 <nl6720@gmail.com>

Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)
This fixes the regression introduced by !149 / commit
4200932d8f

- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location
Based on a patch by "Samuel Cabrero" <scabrero@suse.com>
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099

The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.

This is needed to delete kerberos ccache files, for details see
https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.

Samba 4.2 needs some more permissions for nmbd and winbindd.
To avoid overcomplicated profiles, change abstractions/samba to allow
/var/lib/samba/** rwk, (instead of **.tdb rwk) - this change already
fixes the nmbd profile.
winbindd additionally needs some more write permissions in /etc/samba/
(and also in /var/lib/samba/, which is covered by the abstractions/samba
change and also results in some profile cleanup)
References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 and
https://bugzilla.opensuse.org/show_bug.cgi?id=923201
Acked-by: Seth Arnold <seth.arnold@canonical.com>

- allow rw access to /var/cache/krb5rcache/*
- treat passdb.tdb.tmp as passdb.tdb
Patch from Lars Müller <lmuelle@suse.com>
References: https://bugzilla.novell.com/show_bug.cgi?id=870607
Acked-by: Steve Beattie <steve@nxnw.org>

(collected in the openSUSE package over the last months)
- add abstractions/samba to usr.sbin.winbindd profile
(and clean up things that are included in the abstraction - the cleanup
part is not in the openSUSE package)
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile
(bnc#851131)
- updates for samba 4.x and kerberos (bnc#846586#c12 and #c15,
bnc#845867, bnc#846054)
- drop always-outdated "Last Modified" comment
References: see the bnc# above (they are bug numbers at
bugzilla.novell.com)
Acked-by: John Johansen <john.johansen@canonical.com>

I added this profile to the openSUSE apparmor-profiles package in Feb 2012.
Until now I didn't receive any bug reports so I'd say it's complete ;-)
References: https://bugzilla.novell.com/show_bug.cgi?id=748499
Acked-By: jdstrand (on IRC)