Allow samba to follow wide link w/o disabling Apparmor

Hello, I am using openSUSE 13.1 and the default samba installation. The only way I can get samba to follow a wide symlink is to set Apparmor to “complain” for smdb. I would rather not do this. I have tried adding the target directory to the samba profile in Apparmor with permissions rwlk but it has no effect. Two questions:

  1. Where does Apparmor complain to, i.e. is there a log file I can check?
  2. Could someone explain how to set up Apparmor to allow this?

Thanks in advance …

FeathersMc wrote:

>
> Hello, I am using openSUSE 13.1 and the default samba installation. The
> only way I can get samba to follow a wide symlink is to set Apparmor to
> “complain” for smdb. I would rather not do this. I have tried adding the
> target directory to the samba profile in Apparmor with permissions rwlk
> but it has no effect. Two questions:
> 1. Where does Apparmor complain to, i.e. is there a log file I can
> check?
> 2. Could someone explain how to set up Apparmor to allow this?
>
> Thanks in advance …
>
>
FeathersMC;

  1. Look in /var/log/messages. Denials show up there, I’m not positive about
    complaints. You may also find an entry in /var/log/apparmor.

  2. You can use Yast2 > Security and Users > Apparmor Configuration > Manage
    Existing Profiles > /usr/sbin/[s,n]mbd to permit access to particular
    directories.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Thanks for the response - I did find the “complaints” from AppArmor in /var/log/messages. However I still don’t know why this isn’t working.

I have an entry in the profile for /usr/sbin/smdb in AppArmor:

/some/random/path/** r

But I still get an error message in /var/log/messages when I try to access anything under a link to /some/random/path/:

2015-01-04T12:42:33.768351+11:00 linux-xxxx kernel: [ 4596.595492] type=1400 audit(1420335753.764:382): apparmor="DENIED" operation="open" parent=3251 profile="/usr/sbin/smdb" name="/some/random/path/" pid=6272 comm="smdb" requested_mask="r" denied_mask="r" fsuid=nnnn ouid=nnnn

This seems very wrong - I can’t see anything amiss with the profile set-up yet apparmor is denying access.

Any ideas on how to proceed?

Thanks …

Is it really smdb, and not smbd?
It is always better to copy and paste any configuration file or log file lines to avoid typos.

> /some/random/path/** r
> 2015-01-04T12:42:33.768351+11:00 linux-xxxx kernel: [ 4596.595492] type=1400 audit(1420335753.764:382): apparmor="DENIED" operation="open" parent=3251 profile="/usr/sbin/smdb" name="/some/random/path/" pid=6272 comm="smdb" requested_mask="r" denied_mask="r" fsuid=nnnn ouid=nnnn
>
> This seems very wrong

If this error line is correct (see above about copy and paste), this is not wrong. /some/random/path/** matches everything below the directory, and according to your log line smbd tries to open the directory itself.

On 1/4/2015 12:56 AM, FeathersMc wrote:
>
> Thanks for the response - I did find the “complaints” from AppArmor in
> /var/log/messages. However I still don’t know why this isn’t working.
>
> I have an entry in the profile for /usr/sbin/smdb in AppArmor:
>
> /some/random/path/** r
>
> But I still get an error message in /var/log/messages when I try to
> access anything under a link to /some/random/path/:
>
> 2015-01-04T12:42:33.768351+11:00 linux-xxxx kernel: [ 4596.595492]
> type=1400 audit(1420335753.764:382): apparmor="DENIED" operation="open"
> parent=3251 profile="/usr/sbin/smdb" name="/some/random/path/" pid=6272
> comm="smdb" requested_mask="r" denied_mask="r" fsuid=nnnn ouid=nnnn
>
> This seems very wrong - I can’t see anything amiss with the profile
> set-up yet apparmor is denying access.
>
> Any ideas on how to proceed?
>
> Thanks …
>
>
Did you use YaST2 to edit the profile for /usr/sbin/smbd and give read access to /some/random/path?
If a directory is not in the AppArmor profile for smbd it is forbidden. You will need an entry for each directory you wish to allow.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Hello,

Thanks arvidjaar and venzkep for your responses; it is working now.

Sorry about the manually typed log file entry - I couldn’t simply copy and paste (on different machines), and got lazy.

The issue was that I needed two entries in the AppArmor profile for /usr/sbin/smbd:

/some/random/path/
/some/random/path/**

to be able both to browse that directory and to access directories and files below it.

Thanks again,
FMc
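
The resolution above, as an added example that is not part of any post in this thread: a small Python check that parses an AppArmor DENIED line and tests the denied path against a list of profile path rules, showing why `/some/random/path/**` alone does not cover the directory itself. The glob translation is a simplified model that handles only `*` and `**`; the function names, the sample log line (constructed, with placeholder uid values) and the `r` permission on the directory rule are assumptions.

```python
import re

# Constructed sample, modelled on the denial quoted in the thread
# (binary spelled smbd; uid values are placeholders).
SAMPLE_LOG = (
    'kernel: [ 4596.595492] type=1400 audit(1420335753.764:382): '
    'apparmor="DENIED" operation="open" parent=3251 '
    'profile="/usr/sbin/smbd" name="/some/random/path/" pid=6272 '
    'comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # smart quotes
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified model of AppArmor path globs: only * and ** are handled."""
    out, i = "", 0
    while i < len(glob):
        if glob[i] != "*":
            out += re.escape(glob[i])
            i += 1
            continue
        j = i
        while j < len(glob) and glob[j] == "*":
            j += 1
        # A glob standing alone as a path component must match at least one
        # character, which is why /dir/** does not cover /dir/ itself.
        if i > 0 and glob[i - 1] == "/" and (j == len(glob) or glob[j] == "/"):
            out += "[^/]"
        out += ".*" if j - i >= 2 else "[^/]*"
        i = j
    return re.compile(out, re.S)

def is_covered(rules, line):
    """True if some (glob, perms) rule grants the denied access in line."""
    d = parse_denial(line)
    if d is None:
        raise ValueError("not an AppArmor DENIED line")
    return any(glob_to_regex(g).fullmatch(d["name"])
               and set(d["denied_mask"]) <= set(p) for g, p in rules)

BEFORE = [("/some/random/path/**", "r")]        # profile as first posted
AFTER = BEFORE + [("/some/random/path/", "r")]  # directory rule added (r assumed)

if __name__ == "__main__":
    print("before:", is_covered(BEFORE, SAMPLE_LOG))
    print("after: ", is_covered(AFTER, SAMPLE_LOG))
```

Feeding the check the `name=` and `denied_mask=` fields from a real denial shows which path a profile rule has to name before the profile is reloaded.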