Samba profile updates for ActiveDirectory / Kerberos

The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.

As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.


Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.

profiles/apparmor.d/abstractions/nameservice

@@ -29,6 +29,7 @@
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/mc/passwd  r,
   /var/lib/sss/pipes/nss  rw,
 

profiles/apparmor.d/abstractions/samba

@@ -11,6 +11,7 @@
 
   /etc/samba/* r,
   /usr/lib*/ldb/*.so mr,
+  /usr/lib*/samba/ldb/*.so mr,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,

profiles/apparmor.d/usr.sbin.winbindd

@@ -20,6 +20,7 @@
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
+  /usr/lib*/samba/gensec/krb*.so mr,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,