samba apparmor profile log entries for /var/run/msg.lock/*

Bug #1593502 reported by Ian Nicholson
This bug affects 5 people
Affects: samba (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

samba fills /var/log/kern.log with the following apparmor logs:

Jun 16 19:13:40 [HOSTNAME REDACTED] kernel: [227932.160779] audit: type=1400 audit(1466122420.559:3350): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/10454" pid=10454 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: samba 2:4.3.9+dfsg-0ubuntu0.15.10.2
ProcVersionSignature: Ubuntu 4.2.0-38.45-generic 4.2.8-ckt10
Uname: Linux 4.2.0-38-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Jun 16 19:16:59 2016
InstallationDate: Installed on 2014-12-11 (553 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20141210)
OtherFailedConnect: Yes
SambaServerRegression: Yes
SmbConfIncluded: No
SourcePackage: samba
UpgradeStatus: Upgraded to wily on 2016-01-14 (154 days ago)

Ian Nicholson (imnichol) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
mike (mike5346874) wrote :

They are errors in the profile.
I think the default used to be complain, and they "fixed" it by disabling it -_- .

The problem is still there in 16.04 (Linux Mint 18.1).

Here's a patch that fixes the profile.
I didn't test printing, and I'm just a noob in AppArmor, so it might be possible to do it better.

mike (mike5346874) wrote :

And the full profile.

Changed in samba (Ubuntu):
status: Confirmed → Fix Committed
status: Fix Committed → Confirmed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "usr.sbin.smbd_fix.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Sergio Durigan Junior (sergiodj) wrote :

Thank you for your bug report, and apologies for taking so long to reply.

I created an Impish LXD container here, installed samba and apparmor-profiles in it, and then monitored the logs to see if I could reproduce the warnings, but apparently they have been fixed in the recent Ubuntu releases. The only messages I see on journalctl are these ones:

Oct 13 20:10:34 samba-bug1670400 audit[3074]: AVC apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 kernel: audit: type=1400 audit(1634155834.055:54): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 audit[3074]: AVC apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=3074 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 audit[3074]: AVC apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=3074 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 audit[3074]: AVC apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=3074 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Oct 13 20:10:34 samba-bug1670400 audit[3074]: AVC apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=3074 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 kernel: audit: type=1400 audit(1634155834.059:55): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=3074 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 kernel: audit: type=1400 audit(1634155834.059:56): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=3074 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 kernel: audit: type=1400 audit(1634155834.059:57): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=3074 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Oct 13 20:10:34 samba-bug1670400 kernel: audit: type=1400 audit(1634155834.059:58): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=3074 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 kernel: audit: type=1400 audit(1634155834.063:59): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 13 20:10:34 samba-bug1670400 audit[3074]: AVC apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

I am marking this bug as Incomplete in order to give the reporter time to provide a reproducer (assuming that the bug is still valid, of course).

Thanks.

Changed in samba (Ubuntu):
status: Confirmed → Incomplete
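
Added example (not part of the original report, and not Ubuntu or Samba tooling): a small Python parser for the AppArmor audit records quoted in this bug. It groups events by verdict, profile, operation and target, and replaces a trailing path component equal to the PID with `*`. The function names are hypothetical, the sample input is constructed from lines in this report plus one constructed unlink record, and the rule that a journald `AVC` line without a serial is a copy of a kernel record with the same fields is an assumption.

```python
import re
from collections import Counter

# Constructed sample: records quoted in this report plus one constructed unlink.
SAMPLE = '''\
Oct 13 20:10:34 host audit[3074]: AVC apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 13 20:10:34 host kernel: audit: type=1400 audit(1634155834.055:54): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 13 20:10:34 host kernel: audit: type=1400 audit(1634155834.063:59): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=3074 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 13 20:10:34 host audit[3074]: AVC apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=3074 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Jun 16 19:13:40 host kernel: [227932.160779] audit: type=1400 audit(1466122420.559:3350): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/10454" pid=10454 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
Jun 16 19:13:52 host kernel: [227944.000000] audit: type=1400 audit(1466122432.000:3351): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/10460" pid=10460 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
SERIAL = re.compile(r'audit\((\d+\.\d+:\d+)\)')   # kernel record id: audit(ts:serial)

def parse_line(line):
    """Return the AppArmor fields of one log line (plus 'serial'), or None."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    f = {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line[start:])}
    s = SERIAL.search(line)
    f['serial'] = s[1] if s else None
    return f

def access_key(f):
    """Group key; a trailing path component equal to the PID becomes '*'."""
    target = f.get('name') or 'peer=' + f.get('peer', '?')
    pid = f.get('pid', '')
    if pid and target.endswith('/' + pid):
        target = target[:-len(pid)] + '*'
    return (f['apparmor'], f.get('profile', '?'), f.get('operation', '?'), target, f.get('requested_mask', ''))

def summarise(text):
    """Count events per access without double-counting journald's AVC copies."""
    by_serial, unnumbered = {}, Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f['serial']:
            by_serial[f['serial']] = access_key(f)
        else:
            unnumbered[access_key(f)] += 1
    counts = Counter(by_serial.values())
    for key, n in unnumbered.items():   # used only when no kernel record exists
        counts.setdefault(key, n)
    return counts
```

`summarise(SAMPLE)` returns a `Counter` keyed by `(verdict, profile, operation, target, mask)`; a verdict of `ALLOWED` means the profile was in complain mode, so the access was logged but not blocked.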
Launchpad Janitor (janitor) wrote :

[Expired for samba (Ubuntu) because there has been no activity for 60 days.]

Changed in samba (Ubuntu):
status: Incomplete → Expired