
Bug 723316

Summary: net-fs/samba: unable to run with AppArmor (usr.sbin.smbd rule broken in default config)
Product: Gentoo Linux Reporter: Jesse Harris <zigford>
Component: Current packages Assignee: Gentoo's SAMBA Team <samba>
Status: UNCONFIRMED ---    
Severity: normal CC: chn, jstein, onkobu, sam
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=684134

Description Jesse Harris 2020-05-16 05:46:07 UTC
When AppArmor and profiles are enabled, smbd cannot start (at least on systemd).
If smbd is launched manually with debug level 3:

# /usr/sbin/smbd -i -d 3
tdb(/var/lock/samba/names.tdb): tdb_open_ex: failed to get open lock on /var/lock/samba/names.tdb: Permission denied


Reproducible: Always

Steps to Reproduce:
1. Install/enable AppArmor in kernel
2. Install sec-policy/apparmor-profiles to enable default profiles
3. Enable and run smbd with its default configuration
Actual Results:  
SMBD exits immediately.

Expected Results:  
SMBD runs fine.

The following patch allows it to work:


index f46e80e..accefb8 100644
--- a/usr.sbin.smbd
+++ b/usr.sbin.smbd
@@ -45,12 +45,12 @@ profile smbd /usr/{bin,sbin}/smbd {
   /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/smbd.pid rwk,
-  /{,var/}run/samba/** rk,
-  /{,var/}run/samba/ncalrpc/ rw,
-  /{,var/}run/samba/ncalrpc/** rw,
-  /{,var/}run/samba/smbd.pid rw,
-  /{,var/}run/samba/msg.lock/ rw,
-  /{,var/}run/samba/msg.lock/[0-9]* rwk,
+  /{,var/}run/{,lock/}samba/** rk,
+  /{,var/}run/{,lock/}samba/ncalrpc/ rw,
+  /{,var/}run/{,lock/}samba/ncalrpc/** rw,
+  /{,var/}run/{,lock/}samba/smbd.pid rw,
+  /{,var/}run/{,lock/}samba/msg.lock/ rw,
+  /{,var/}run/{,lock/}samba/msg.lock/[0-9]* rwk,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,
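Review bot: the {,lock/} alternation is applied to all six samba rules, which widens the profile beyond the one denial shown and still never names the failing path. The report fails on /var/lock/samba/names.tdb, while "/{,var/}run/{,lock/}samba/** rk," expands to /run/samba, /run/lock/samba, /var/run/samba and /var/run/lock/samba, so the fix only holds where /var/lock resolves to /run/lock. Consider leaving the existing /{,var/}run/samba/ rules as they were and adding a single rule for the lock directory (listing /var/lock explicitly if it can be a real directory on some installs). The ncalrpc/, smbd.pid and msg.lock/ rules gain rw under lock/ with no denial shown for them; either drop those additions or say in the commit message which files smbd creates there. The "**" rule in this hunk grants only rk, so it is also worth confirming that write access to the tdb files in the lock directory comes from a rule outside this hunk.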
Comment 1 Paul G webster 2022-02-06 13:15:47 UTC
I made a temporary workaround with the following:

dev-11 /etc/apparmor.d/local # cat usr.sbin.smbd
# Site-specific additions and overrides for 'usr.sbin.smbd'
/var/lock/samba/** rwk,
/var/run/samba/** rwk,

dev-11 /etc/apparmor.d/local # cat usr.sbin.nmbd
# Site-specific additions and overrides for 'usr.sbin.nmbd'
/var/lock/samba/** rwk,
/var/run/samba/** rwk,
Comment 2 Ben Kohler gentoo-dev 2022-07-30 16:53:14 UTC
*** Bug 684134 has been marked as a duplicate of this bug. ***