[prev in list] [next in list] [prev in thread] [next in thread]
List: apparmor-dev
Subject: Re: [apparmor] [patch] update winbindd profile
From: John Johansen <john.johansen () canonical ! com>
Date: 2014-01-23 12:15:46
Message-ID: 52E107F2.3030303 () canonical ! com
[Download RAW message or body]
On 01/19/2014 08:03 AM, Christian Boltz wrote:
> Hello,
>
> this patch includes several updates for the winbindd profile that the
> openSUSE package collected over the last months.
>
> - add abstractions/samba to usr.sbin.winbindd profile
> (and cleanup things that are included in the abstraction - the cleanup
> part is not in the openSUSE package)
> - add capabilities ipc_lock and setuid to usr.sbin.winbindd profile
> (bnc#851131)
> - updates for samba 4.x and kerberos (bnc#846586#c12 and #c15,
> bnc#845867, bnc#846054)
> - drop always-outdated "Last Modified" comment
>
> References: see the bnc# above (they are bug numbers at
> bugzilla.novell.com)
>
>
It looks alright
Acked-by: John Johansen <john.johansen@canonical.com>
>
> === modified file 'profiles/apparmor.d/usr.sbin.winbindd'
> --- profiles/apparmor.d/usr.sbin.winbindd 2012-11-06 22:19:46
> +++ profiles/apparmor.d/usr.sbin.winbindd 2014-01-19 15:56:00
> @@ -1,33 +1,32 @@
> -# Last Modified: Mon Mar 26 20:28:18 2012
> #include <tunables/global>
>
> /usr/sbin/winbindd {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> -
> - /etc/samba/dhcp.conf r,
> + #include <abstractions/samba>
> +
> + deny capability block_suspend,
> +
> + capability ipc_lock,
> + capability setuid,
> +
> /etc/samba/passdb.tdb rwk,
> /etc/samba/secrets.tdb rwk,
> @{PROC}/sys/kernel/core_pattern r,
> /tmp/.winbindd/ w,
> + /tmp/krb5cc_* rwk,
> /usr/lib*/samba/idmap/*.so mr,
> /usr/lib*/samba/nss_info/*.so mr,
> + /usr/lib*/samba/pdb/*.so mr,
> /usr/sbin/winbindd mr,
> - /var/lib/samba/account_policy.tdb rwk,
> - /var/lib/samba/gencache.tdb rwk,
> - /var/lib/samba/gencache_notrans.tdb rwk,
> - /var/lib/samba/group_mapping.tdb rwk,
> - /var/lib/samba/messages.tdb rwk,
> - /var/lib/samba/netsamlogon_cache.tdb rwk,
> - /var/lib/samba/serverid.tdb rwk,
> - /var/lib/samba/winbindd_cache.tdb rwk,
> - /var/lib/samba/winbindd_privileged/pipe w,
> - /var/log/samba/cores/ rw,
> - /var/log/samba/cores/winbindd/ rw,
> - /var/log/samba/cores/winbindd/** rw,
> - /var/log/samba/log.wb-* w,
> + /var/cache/samba/*.tdb rwk,
> + /var/lib/samba/smb_krb5/krb5.conf.* rw,
> + /var/lib/samba/smb_tmp_krb5.* rw,
> + /var/lib/samba/winbindd_cache.tdb* rwk,
> /var/log/samba/log.winbindd rw,
> /{var/,}run/samba/winbindd.pid rwk,
> + /{var/,}run/samba/winbindd/ rw,
> + /{var/,}run/samba/winbindd/pipe w,
>
> # Site-specific additions and overrides. See local/README for
> details.
> #include <local/usr.sbin.winbindd>
>
>
>
>
>
> Regards,
>
> Christian Boltz
>
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic