Update usr.sbin.winbindd profile

Winbind requires access to /var/cache/samba/msg.lock/*. Move msg.lock/ to abstractions/samba. On Arch Linux Winbind's pid is set to /run/winbindd.pid. Signed-off-by: nl6720 <nl6720@gmail.com>
2025-08-30 22:05:27 +00:00 · 2019-08-06 17:04:35 +03:00
parent 2e304f82fc
commit 54dc60ff5b
4 changed files with 3 additions and 4 deletions
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@@ -22,6 +22,8 @@
  /var/log/samba/* w,
  /{,var/}run/samba/ w,
  /{,var/}run/samba/*.tdb rw,
+  /{{var/,}run,var/cache}/samba/msg.lock/ rwk,
+  /{{var/,}run,var/cache}/samba/msg.lock/[0-9]* rwk,

  # required for clustering
  /var/lib/ctdb/** rwk,
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -24,7 +24,6 @@ profile nmbd /usr/{bin,sbin}/nmbd {
  /var/{cache,lib}/samba/unexpected rw,
  /var/cache/samba/msg/ rw,
  /var/cache/samba/msg/* w,
-  /var/cache/samba/msg.lock/{,*} rwk,

  /{,var/}run/nmbd.pid rwk,
  /{,var/}run/samba/** rwk,
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -49,8 +49,6 @@ profile smbd /usr/{bin,sbin}/smbd {
  /{,var/}run/samba/ncalrpc/ rw,
  /{,var/}run/samba/ncalrpc/** rw,
  /{,var/}run/samba/smbd.pid rw,
-  /{,var/}run/samba/msg.lock/ rw,
-  /{,var/}run/samba/msg.lock/[0-9]* rwk,
  /var/spool/samba/** rw,

  @{HOMEDIRS}/** lrwk,
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -28,7 +28,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
  /var/cache/krb5rcache/* rw,
  /var/cache/samba/*.tdb rwk,
  /var/log/samba/log.winbindd rw,
-  /{var/,}run/samba/winbindd.pid rwk,
+  /{var/,}run/{samba/,}winbindd.pid rwk,
  /{var/,}run/samba/winbindd/ rw,
  /{var/,}run/samba/winbindd/pipe w,
  /{var/,}run/user/*/krb5cc/* rwk,