Default apparmor profiles for nmbd and smbd cause DENIED entries in kern.log on default install

Bug #652562 reported by LSL
This bug affects 3 people
Affects: apparmor (Ubuntu)
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

I just have a fresh install of Maverick release candidate 64-bit, and I have apparmor-profiles installed as well as the Samba sharing service auto-installed by Ubuntu when you right-click to share a folder, and I am getting denial entries in the kern.log:

Sep 30 15:54:05 Sector7 kernel: [ 3686.105659] type=1400 audit(1285887244.988:139): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/smbd" name="/var/log/samba/cores/" pid=32530 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 15:54:05 Sector7 kernel: [ 3686.273848] type=1400 audit(1285887245.158:140): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=32537 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 16:13:55 Sector7 kernel: [ 46.467110] type=1400 audit(1285888435.347:40): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=1744 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 16:28:53 Sector7 kernel: [ 45.457183] type=1400 audit(1285889333.345:43): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=1818 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor-profiles 2.5.1~rc1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: wl
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: amd64
Date: Thu Sep 30 16:32:18 2010
Dependencies:

InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release Candidate amd64 (20100928)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apparmor

LSL (spesialstyrker) wrote :
Simon Déziel (sdeziel) wrote :

I can confirm this also occurs on Lucid.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

Please ignore my previous comment as I'm using the Samba profile shipped with Maverick on Lucid.

Simon Déziel (sdeziel) wrote :

I have now confirmed that this problem also occurs with the profile shipped with Lucid. This can be avoided by adding this line to the profile:

/var/log/samba/cores/ rw,

And reloading the profile with:

apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.smbd

tags: added: apparmor
removed: amd64 apport-bug maverick
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: Confirmed → In Progress
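
Added example (not part of the bug report and not AppArmor's own tooling): a Python parser that groups the DENIED lines quoted in the description by profile, operation, path and denied mask, and derives the minimal file rule each profile would need, for review before a profile is edited. The function names are invented for this example; the sample input is the four kern.log lines from the report.

```python
import re
from collections import Counter

# The four kern.log lines quoted in the bug description above.
SAMPLE = '''\
Sep 30 15:54:05 Sector7 kernel: [ 3686.105659] type=1400 audit(1285887244.988:139): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/smbd" name="/var/log/samba/cores/" pid=32530 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 15:54:05 Sector7 kernel: [ 3686.273848] type=1400 audit(1285887245.158:140): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=32537 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 16:13:55 Sector7 kernel: [ 46.467110] type=1400 audit(1285888435.347:40): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=1744 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 16:28:53 Sector7 kernel: [ 45.457183] type=1400 audit(1285889333.345:43): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=1818 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        value = quoted or bare
        # The kernel audit code hex-encodes strings it cannot quote safely
        # (for example a path containing a space) and emits them unquoted.
        if bare and key in ('name', 'profile', 'comm') and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode('utf-8', 'replace')
        fields[key] = value
    return fields

def summarise(log_text):
    """Count file denials per (profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f and 'name' in f and 'denied_mask' in f:
            counts[(f.get('profile'), f.get('operation'), f['name'], f['denied_mask'])] += 1
    return counts

def candidate_rules(counts):
    """Per profile, the minimal file rules that would cover the denials seen."""
    rules = {}
    for profile, _operation, name, mask in counts:
        rules.setdefault(profile, set()).add(f'{name} {mask},')
    return {profile: sorted(lines) for profile, lines in rules.items()}

if __name__ == '__main__':
    counts = summarise(SAMPLE)
    for (profile, operation, name, mask), n in counts.most_common():
        print(f'{n:3d}  {profile}  {operation}  {name}  denied={mask}')
    for profile, lines in candidate_rules(counts).items():
        print(profile, '->', lines)
```

The derived rule carries `w` because it is taken from `denied_mask`; the line adopted in this thread and in the changelog grants `rw`, so the printed rule is a starting point for reviewing the profile, not a replacement for that review.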
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

---------------
apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
      server
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released