Default apparmor profiles for nmbd and smbd cause DENIED entries in kern.log on default install

Bug #652562 reported by LSL
This bug affects 3 people
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

I just have a fresh install of Maverick release candidate 64bit, and I have apparmor-profiles installed as well as the Samba sharing service auto-installed by Ubuntu when you right-click to share a folder, and I am getting denial entries in the kern.log.

Sep 30 15:54:05 Sector7 kernel: [ 3686.105659] type=1400 audit(1285887244.988:139): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/smbd" name="/var/log/samba/cores/" pid=32530 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 15:54:05 Sector7 kernel: [ 3686.273848] type=1400 audit(1285887245.158:140): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=32537 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 16:13:55 Sector7 kernel: [ 46.467110] type=1400 audit(1285888435.347:40): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=1744 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 30 16:28:53 Sector7 kernel: [ 45.457183] type=1400 audit(1285889333.345:43): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=1818 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor-profiles 2.5.1~rc1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: wl
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: amd64
Date: Thu Sep 30 16:32:18 2010
Dependencies:

InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release Candidate amd64 (20100928)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apparmor

Tags: apparmor

LSL (spesialstyrker) wrote :
Simon Déziel (sdeziel) wrote :

I can confirm this also occurs on Lucid.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

Please ignore my previous comment as I'm using the Samba profile shipped with Maverick on Lucid.

Simon Déziel (sdeziel) wrote :

I have now confirmed that this problem also occurs with the profile shipped with Lucid. This can be avoided by adding this line to the profile:

/var/log/samba/cores/ rw,

And reloading the profile with :

apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.smbd

tags: added: apparmor
removed: amd64 apport-bug maverick
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

---------------
apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
      server
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released