Accepting request 113963 from security:apparmor

- replace patch for dnsmasq profile with upstream patch (bnc#738905) - add apparmor-r2022-log-parser-network-bnc755923.patch - logprof didn't create network rules because of changed log format (bnc#755923, lp#800826) - add profile for samba winbindd (bnc#748499) - fix dnsmasq profile (bnc#738905) - add 0001-fix-for-lp929531.patch to allow reading /sys/devices/system/cpu/online in abstractions/base (lp#929531) OBS-URL: https://build.opensuse.org/request/show/113963 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=33
2012-04-17 05:43:31 +00:00 · 2012-04-17 05:43:31 +00:00 · 2550ecdff9
commit 2550ecdff9
parent c958d9cad3
6 changed files with 431 additions and 10 deletions
--- a/0001-fix-for-lp929531.patch
+++ b/0001-fix-for-lp929531.patch
@ -0,0 +1,19 @@
+Author: Jamie Strandboge <jamie@canonical.com>
+Description: glibc's __get_nprocs() now checks /sys/devices/system/cpu/online
+ in addition to /proc/stat for the number of processors. This is used in the
+ _SC_NPROCESSORS_ONLN implementation, a part of sysconf. This was introduced in
+ upstream glibc commit:
+ http://repo.or.cz/w/glibc.git/patch/84e2a551a72c79b020694bb327e33b6d71b09b63
+Bug-Ubuntu: https://launchpad.net/bugs/929531
+Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/base
+===================================================================
+--- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/base	2012-02-09 07:57:35.000000000 -0600
+++ apparmor-2.7.0/profiles/apparmor.d/abstractions/base	2012-02-09 08:01:13.000000000 -0600
+@@ -86,6 +86,7 @@
+   @{PROC}/meminfo                r,
+   @{PROC}/stat                   r,
+   @{PROC}/cpuinfo                r,
+  /sys/devices/system/cpu/online r,
+ 
+   # glibc's *printf protections read the maps file
+   @{PROC}/*/maps                 r,
--- a/apparmor-dnsmasq-profile-fix.patch
+++ b/apparmor-dnsmasq-profile-fix.patch
@ -0,0 +1,17 @@
+---
+ profiles/apparmor.d/usr.sbin.dnsmasq |    3 +++
+ 1 file changed, 3 insertions(+)
+
+=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
+--- apparmor-2.7.2.orig/profiles/apparmor.d/usr.sbin.dnsmasq	2012-01-09 20:08:19 +0000
+++ apparmor-2.7.2/profiles/apparmor.d/usr.sbin.dnsmasq	2012-04-16 21:10:18 +0000
+@@ -9,7 +9,7 @@
+ #
+ # ------------------------------------------------------------------
+ 
+-@{TFTP_DIR}=/var/tftp
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
+ 
+ #include <tunables/global>
+ /usr/sbin/dnsmasq {
+
--- a/apparmor-r2022-log-parser-network-bnc755923.patch
+++ b/apparmor-r2022-log-parser-network-bnc755923.patch
@ -0,0 +1,308 @@
+------------------------------------------------------------
+revno: 2022
+fixes bug: https://launchpad.net/bugs/800826
+committer: Steve Beattie <sbeattie@ubuntu.com>
+branch nick: apparmor
+timestamp: Fri 2012-04-06 15:59:04 -0700
+message:
+  libapparmor: add support for ip addresses and ports
+  
+  Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826
+    https://bugzilla.novell.com/show_bug.cgi?id=755923
+  
+  This patch modifies the libapparmor log parsing code to add support
+  for the additional ip address and port keywords that can occur in
+  network rejection rules. The laddr and faddr keywords stand for local
+  address and foreign address respectively.
+  
+  The regex used to match an ip address is not very strict, to hopefully
+  catch the formats that the kernel emits for ipv6 addresses; however,
+  because this is in a context triggered by the addr keywords, it should
+  not over-eagerly consume non-ip addresses. Said addresses are returned
+  as strings in the struct to be processed by the calling application.
+
+
+=== modified file 'libraries/libapparmor/src/aalogparse.h'
+--- libraries/libapparmor/src/aalogparse.h	2011-02-23 22:02:45 +0000
+++ libraries/libapparmor/src/aalogparse.h	2012-04-06 22:59:04 +0000
+@@ -141,6 +141,10 @@
+ 	char *net_family;
+ 	char *net_protocol;
+ 	char *net_sock_type;
+	char *net_local_addr;
+	unsigned long net_local_port;
+	char *net_foreign_addr;
+	unsigned long net_foreign_port;
+ } aa_log_record;
+ 
+ /**
+
+=== modified file 'libraries/libapparmor/src/grammar.y'
+--- libraries/libapparmor/src/grammar.y	2011-11-30 19:07:48 +0000
+++ libraries/libapparmor/src/grammar.y	2012-04-06 22:59:04 +0000
+@@ -83,6 +83,7 @@
+ %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
+ %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
+ %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+%token <t_str> TOK_IP_ADDR
+ 
+ %token TOK_EQUALS
+ %token TOK_COLON
+@@ -133,6 +134,10 @@
+ %token TOK_KEY_CAPNAME
+ %token TOK_KEY_OFFSET
+ %token TOK_KEY_TARGET
+%token TOK_KEY_LADDR
+%token TOK_KEY_FADDR
+%token TOK_KEY_LPORT
+%token TOK_KEY_FPORT
+ 
+ %token TOK_SYSLOG_KERNEL
+ 
+@@ -268,6 +273,14 @@
+ 	{ /* target was always name2 in the past */
+ 	  ret_record->name2 = $3;
+ 	}
+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_local_addr = $3;}
+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_foreign_addr = $3;}
+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_local_port = $3;}
+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_foreign_port = $3;}
+ 	| TOK_MSG_REST
+ 	{
+ 		ret_record->event = AA_RECORD_INVALID;
+
+=== modified file 'libraries/libapparmor/src/scanner.l'
+--- libraries/libapparmor/src/scanner.l	2011-11-30 19:07:48 +0000
+++ libraries/libapparmor/src/scanner.l	2012-04-06 22:59:04 +0000
+@@ -133,8 +133,15 @@
+ key_capname		"capname"
+ key_offset		"offset"
+ key_target		"target"
+key_laddr		"laddr"
+key_faddr		"faddr"
+key_lport		"lport"
+key_fport		"fport"
+ audit			"audit"
+ 
+/* network addrs */
+ip_addr			[a-f[:digit:].:]{3,}
+
+ /* syslog tokens */
+ syslog_kernel		kernel{colon}
+ syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
+@@ -149,6 +156,7 @@
+ %x dmesg_timestamp
+ %x safe_string
+ %x audit_types
+%x ip_addr
+ %x other_audit
+ %x unknown_message
+ 
+@@ -201,6 +209,12 @@
+ 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+ 	}
+ 
+<ip_addr>{
+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
+ <audit_types>{
+ 	{equals}	{ return(TOK_EQUALS); }
+ 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
+@@ -270,6 +284,10 @@
+ {key_capname}		{ return(TOK_KEY_CAPNAME); }
+ {key_offset}		{ return(TOK_KEY_OFFSET); }
+ {key_target}		{ return(TOK_KEY_TARGET); }
+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_lport}		{ return(TOK_KEY_LPORT); }
+{key_fport}		{ return(TOK_KEY_FPORT); }
+ 
+ {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
+ {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
+
+=== modified file 'libraries/libapparmor/testsuite/test_multi.c'
+--- libraries/libapparmor/testsuite/test_multi.c	2010-07-26 16:20:02 +0000
+++ libraries/libapparmor/testsuite/test_multi.c	2012-04-06 22:59:04 +0000
+@@ -51,6 +51,18 @@
+ 	return ret;
+ }
+ 
+#define print_string(description, var) \
+	if ((var) != NULL) { \
+		printf("%s: %s\n", (description), (var)); \
+	}
+
+/* unset is the value that the library sets to the var to indicate
+   that it is unset */
+#define print_long(description, var, unset) \
+	if ((var) != (unsigned long) (unset)) { \
+		printf("%s: %ld\n", (description), (var)); \
+	}
+
+ int print_results(aa_log_record *record)
+ {
+ 		printf("Event type: ");
+@@ -185,6 +197,11 @@
+ 		{
+ 			printf("Protocol: %s\n", record->net_protocol);
+ 		}
+		print_string("Local addr", record->net_local_addr);
+		print_string("Foreign addr", record->net_foreign_addr);
+		print_long("Local port", record->net_local_port, 0);
+		print_long("Foreign port", record->net_foreign_port, 0);
+
+ 		printf("Epoch: %lu\n", record->epoch);
+ 		printf("Audit subid: %u\n", record->audit_sub_id);
+ 	return(0);
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_01.err'
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_01.in'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_01.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_01.in	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,1 @@
+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_01.out'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_01.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_01.out	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.66.150
+Foreign addr: 192.168.66.200
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_02.err'
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_02.in'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_02.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_02.in	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,1 @@
+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_02.out'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_02.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_02.out	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_network_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_03.err'
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_03.in'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_03.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_03.in	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,1 @@
+type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_03.out'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_03.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_03.out	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,15 @@
+START
+File: test_multi/testcase_network_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1333648169.009:11707146
+Operation: accept
+Profile: /usr/lib/dovecot/imap-login
+Command: imap-login
+Parent: 25932
+PID: 5049
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local port: 143
+Epoch: 1333648169
+Audit subid: 11707146
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_04.err'
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_04.in'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_04.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_04.in	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,1 @@
+type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_04.out'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_04.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_04.out	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333697181.284:273901
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1056
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::1
+Foreign addr: ::1
+Local port: 2048
+Foreign port: 33986
+Epoch: 1333697181
+Audit subid: 273901
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_05.err'
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_05.in'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_05.in	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_05.in	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,1 @@
+type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
+
+=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_05.out'
+--- libraries/libapparmor/testsuite/test_multi/testcase_network_05.out	1970-01-01 00:00:00 +0000
+++ libraries/libapparmor/testsuite/test_multi/testcase_network_05.out	2012-04-06 22:59:04 +0000
+@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333698107.128:273917
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1875
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 2048
+Foreign port: 59180
+Epoch: 1333698107
+Audit subid: 273917
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Mon Apr 16 21:16:41 UTC 2012 - opensuse@cboltz.de
+
+- replace patch for dnsmasq profile with upstream patch (bnc#738905)
+
+-------------------------------------------------------------------
+Fri Apr 13 22:22:27 UTC 2012 - opensuse@cboltz.de
+
+- add apparmor-r2022-log-parser-network-bnc755923.patch - logprof didn't
+  create network rules because of changed log format (bnc#755923, lp#800826)
+- add profile for samba winbindd (bnc#748499)
+
+-------------------------------------------------------------------
+Fri Apr  6 13:38:11 CEST 2012 - mszeredi@suse.cz
+
+- fix dnsmasq profile (bnc#738905)
+
+-------------------------------------------------------------------
+Thu Feb  9 19:01:07 UTC 2012 - opensuse@cboltz.de
+
+- add 0001-fix-for-lp929531.patch to allow reading 
+  /sys/devices/system/cpu/online in abstractions/base (lp#929531)
+
 -------------------------------------------------------------------
 Tue Jan 31 09:53:06 UTC 2012 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -54,6 +54,12 @@ Source1:        %{name}-profile-editor.png
 Source2:        %{name}-profile-editor.desktop
 Source3:        update-trans.sh

+# profile for winbindd (bnc#748499, not upstreamed yet)
+Source4:        usr.sbin.winbindd
+
+# add "/sys/devices/system/cpu/online r" to abstractions/base. Will be included in upstream > 2.7.2
+Patch:          0001-fix-for-lp929531.patch
+
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1:         apparmor-enable-profile-cache.diff

@ -77,6 +83,12 @@ Patch15:        apparmor-remove-repo
 # remove after 12.1 release - bnc#720617 #c7
 Patch21:        apparmor-utils-subdomain-compat

+# bnc#738905 - commited upstream (after 2.7.2)
+Patch22:        apparmor-dnsmasq-profile-fix.patch
+
+# bnc#755923 / lp#800826 - logprof etc. ignores network log entries because of changed log format. from upstream r2022 (2.8 beta5 will have it)
+Patch23:        apparmor-r2022-log-parser-network-bnc755923.patch
+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -142,18 +154,18 @@ BuildRequires:  pkgconfig(dbus-1)
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
-Obsoletes:      subdomain_parser < %{version}
-Obsoletes:      subdomain-parser < %{version}
-Obsoletes:      subdomain-parser-demo < %{version}
-Obsoletes:      subdomain-parser-common < %{version}
-Obsoletes:      subdomain-leaf-cert < %{version}
 Obsoletes:      libimnxcert < %{version}
-Provides:       subdomain_parser = %{version}
-Provides:       subdomain-parser = %{version}
-Provides:       subdomain-parser-demo = %{version}
-Provides:       subdomain-parser-common = %{version}
-Provides:       subdomain-leaf-cert = %{version}
+Obsoletes:      subdomain-leaf-cert < %{version}
+Obsoletes:      subdomain-parser < %{version}
+Obsoletes:      subdomain-parser-common < %{version}
+Obsoletes:      subdomain-parser-demo < %{version}
+Obsoletes:      subdomain_parser < %{version}
 Provides:       libimnxcert = %{version}
+Provides:       subdomain-leaf-cert = %{version}
+Provides:       subdomain-parser = %{version}
+Provides:       subdomain-parser-common = %{version}
+Provides:       subdomain-parser-demo = %{version}
+Provides:       subdomain_parser = %{version}
 Provides:       apparmor-parser(CAP_SYSLOG)

 %description parser
@ -401,6 +413,7 @@ SubDomain.

 %prep
 %setup -q -n %{name}-%{versiondir}
+%patch  -p1
 %patch1 -p1
 %patch2 -p0
 %patch5 -p1
@ -409,6 +422,12 @@ SubDomain.
 %patch12 -p1
 #%patch15 -p1 # obsolete, see above
 %patch21 -p1
+%patch22 -p1
+%patch23 -p0
+
+# profile for winbindd (bnc#748499, not upstreamed yet)
+test ! -e profiles/apparmor.d/usr.sbin.winbindd
+cp %{SOURCE4} profiles/apparmor.d/

 %build
 export SUSE_ASNEEDED=0
--- a/usr.sbin.winbindd
+++ b/usr.sbin.winbindd
@ -0,0 +1,35 @@
+# Last Modified: Mon Mar 26 20:28:18 2012
+#include <tunables/global>
+
+/usr/sbin/winbindd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  /etc/samba/dhcp.conf r,
+  /etc/samba/passdb.tdb rwk,
+  /etc/samba/secrets.tdb rwk,
+  /proc/sys/kernel/core_pattern r,
+  /tmp/.winbindd/ w,
+  /usr/lib*/samba/idmap/*.so mr,
+  /usr/lib*/samba/nss_info/*.so mr,
+  /usr/sbin/winbindd mr,
+  /var/lib/samba/account_policy.tdb rwk,
+  /var/lib/samba/gencache.tdb rwk,
+  /var/lib/samba/gencache_notrans.tdb rwk,
+  /var/lib/samba/group_mapping.tdb rwk,
+  /var/lib/samba/messages.tdb rwk,
+  /var/lib/samba/netsamlogon_cache.tdb rwk,
+  /var/lib/samba/serverid.tdb rwk,
+  /var/lib/samba/winbindd_cache.tdb rwk,
+  /var/lib/samba/winbindd_privileged/pipe w,
+  /var/log/samba/cores/ rw,
+  /var/log/samba/cores/winbindd/ rw,
+  /var/log/samba/cores/winbindd/** rw,
+  /var/log/samba/log.wb-* w,
+  /var/log/samba/log.winbindd rw,
+  /{var/,}run/samba/winbindd.pid rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.winbindd>
+
+}