
nmbd needs some additional permissions:
- k for /var/cache/samba/lck/* (via abstractions/samba)
- rw for /var/cache/samba/msg/ (the log only mentioned r, but that directory needs to be created first)
- w for /var/cache/samba/msg/* (the log didn't indicate any read access)

Reported by FLD on IRC, audit log on https://paste.debian.net/902010/

Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
# AppArmor profile for /usr/sbin/nmbd (Samba's NetBIOS name service daemon).
# The profile is an allow-list: nmbd gets the accesses granted by the rules
# below, by the three shared abstractions, and by the site-local file pulled
# in at the end. Permission letters used here: r = read, w = write,
# k = file locking, m = map as executable.
#include <tunables/global>

/usr/sbin/nmbd {
  # Shared rule sets. The change description for this profile states that the
  # lock (k) permission on /var/cache/samba/lck/* is provided by
  # abstractions/samba rather than by a rule in this file.
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>

  # The only capability granted: binding to privileged (below 1024) ports.
  capability net_bind_service,

  # Read-only view of the kernel core_pattern setting. @{PROC} is a variable,
  # presumably defined by tunables/global -- verify against that file.
  @{PROC}/sys/kernel/core_pattern r,

  # The daemon may read its own binary and map it executable.
  /usr/sbin/nmbd mr,

  # Samba state files. {cache,lib} is an alternation, so each such rule covers
  # both /var/cache/samba and /var/lib/samba. Only gencache.tdb also gets k.
  /var/cache/samba/gencache.tdb rwk,
  /var/{cache,lib}/samba/browse.dat* rw,
  /var/{cache,lib}/samba/gencache.dat rw,
  /var/{cache,lib}/samba/wins.dat* rw,
  /var/{cache,lib}/samba/smb_krb5/ rw,
  /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
  /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
  /var/{cache,lib}/samba/sync.* rw,
  /var/{cache,lib}/samba/unexpected rw,
  # Trailing slash = the directory itself. Write is granted in addition to
  # read because, per the change description, nmbd has to create it first.
  /var/cache/samba/msg/ rw,
  # Write-only on purpose: the audit log behind this rule showed no reads.
  # A single * does not descend into subdirectories.
  /var/cache/samba/msg/* w,

  # Matches /run/samba and /var/run/samba; ** is recursive, so this applies to
  # every file and subdirectory below them.
  # NOTE(review): this is the broadest grant in the profile (recursive rwk).
  /{,var/}run/samba/** rwk,

  # Site-specific additions and overrides. See local/README for details.
  # Rules placed in the local file become part of this profile, so changes
  # there deserve the same review as changes here.
  #include <local/usr.sbin.nmbd>
}