Accepting request 205616 from security:apparmor

- apparmor-profiles-samba4.diff, usr.sbin.winbindd: some more profile updates for samba 4.x and kerberos (bnc#846586#c12 and #c15) Please include this change in 13.1. OBS-URL: https://build.opensuse.org/request/show/205616 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=58
2013-11-04 06:04:39 +00:00 · 2013-11-04 06:04:39 +00:00 · 431fe32aeb
commit 431fe32aeb
parent 7e87bea71b ca1171db19
3 changed files with 34 additions and 10 deletions
--- a/apparmor-profiles-samba4.diff
+++ b/apparmor-profiles-samba4.diff
@ -27,7 +27,7 @@
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2012-01-10 18:06:24 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2013-10-15 20:36:33 +0000
-@@ -29,7 +29,8 @@
+@@ -29,16 +29,21 @@
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
   /usr/lib*/samba/auth/script.so mr,
@ -37,7 +37,11 @@
   /usr/sbin/smbd mr,
   /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
-@@ -39,6 +40,8 @@
+   /var/cache/samba/printing/printers.tdb mrw,
+   /var/lib/samba/** rwk,
+   /var/lib/samba/printers/** rw,
+  /var/lib/sss/mc/passwd r,
+  /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/cups/cups.sock rw,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/samba/** rk,
@ -46,4 +50,16 @@
   /{,var/}run/samba/smbd.pid rw,
   /var/log/samba/cores/smbd/ rw,
   /var/log/samba/cores/smbd/** rw,
-
+Index: profiles/apparmor.d/abstractions/kerberosclient
+===================================================================
+--- profiles/apparmor.d/abstractions/kerberosclient.orig	2011-03-23 20:24:11.000000000 +0100
+++ profiles/apparmor.d/abstractions/kerberosclient	2013-11-02 15:04:27.267448981 +0100
+@@ -20,7 +20,7 @@
+   /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
+   /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
+ 
+-  /etc/krb5.keytab            r,
+  /etc/krb5.keytab            rk,
+   /etc/krb5.conf              r,
+ 
+   # config files found via strings on libs
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Nov  2 14:15:58 UTC 2013 - opensuse@cboltz.de
+
+- apparmor-profiles-samba4.diff, usr.sbin.winbindd: some more profile
+  updates for samba 4.x and kerberos (bnc#846586#c12 and #c15)
+
 -------------------------------------------------------------------
 Wed Oct 30 11:06:39 UTC 2013 - opensuse@cboltz.de

--- a/usr.sbin.winbindd
+++ b/usr.sbin.winbindd
@ -4,11 +4,14 @@
  #include <abstractions/base>
  #include <abstractions/nameservice>

+  deny capability block_suspend,
+
  /etc/samba/dhcp.conf r,
  /etc/samba/passdb.tdb rwk,
  /etc/samba/secrets.tdb rwk,
  /proc/sys/kernel/core_pattern r,
  /tmp/.winbindd/ w,
+  /tmp/krb5cc_* rwk,
  /usr/lib*/samba/idmap/*.so mr,
  /usr/lib*/samba/nss_info/*.so mr,
  /usr/lib*/samba/pdb/*.so mr,
@ -16,13 +19,12 @@
  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
  /var/cache/samba/*.tdb rwk,
  /var/cache/samba/netsamlogon_cache.tdb rw,
-  /var/lib/samba/account_policy.tdb rwk,
-  /var/lib/samba/gencache.tdb rwk,
-  /var/lib/samba/gencache_notrans.tdb rwk,
-  /var/lib/samba/group_mapping.tdb rwk,
-  /var/lib/samba/messages.tdb rwk,
-  /var/lib/samba/netsamlogon_cache.tdb rwk,
-  /var/lib/samba/serverid.tdb rwk,
+
+  /var/lib/samba/smb_krb5/krb5.conf.* w,
+  /var/lib/samba/smb_tmp_krb5.* rw,
+  /var/lib/samba/**.tdb rwk,
+  /var/log/samba/log.winbindd-dc-connect a,
+
  /var/lib/samba/winbindd_cache.tdb* rwk,
  /var/lib/samba/winbindd_privileged/pipe w,
  /var/log/samba/cores/ rw,