[Pkg-samba-maint] Bug#896080: [pkg-apparmor] Improve samba/AppArmor integration

Christian Boltz debian-bugs at cboltz.de
Thu Feb 21 23:39:29 GMT 2019


Hello,

On Thursday, 21 February 2019, 21:26:58 CET, Mathieu Parent wrote:
> As a last-minute fix for buster, I want to fix "#896080 samba: Improve
> AppArmor integration" [SambaAppArmor].
> 
> I've prepared the fixes [Diff], inspired by what is done in Suse. But
> they also patch apparmor-profiles [AppArmor-Patch]. This solution does
> not conform to policy as a file owned by a package could not be
> changed by another one (/etc/apparmor.d/local/usr.sbin.smbd-shares
> owned by apparmor-profiles, changed by samba).
> 
> I can add in samba's README the need to add "#include
> <local/usr.sbin.smbd-shares>" in /etc/apparmor.d/usr.sbin.smbd, but
> maybe you have a better solution? Maybe use dpkg-diversion?

To simplify things, I'd propose to apply a slightly modified version of
https://build.opensuse.org/package/view_file/openSUSE:Factory/apparmor/apparmor-samba-include-permissions-for-shares.diff?expand=1
to the usr.sbin.smbd profile in the apparmor-profiles package:

Instead of   #include   you {c,sh}ould use   #include if exists
so that it doesn't matter if   local/usr.sbin.smbd-shares   exists or 
which package creates it.

That might even be an upstream-able solution because it doesn't break 
distributions without the autogenerated samba profile snippet (or without
the package owning that file installed).

The local/usr.sbin.smbd file can then be owned by whatever package
(probably samba, because that also owns the script changing the file).


BTW: Minor nitpicking on 
https://salsa.debian.org/samba-team/samba/compare/874f9270b6f743c4d0c3eb1a1a3e1fa814bf25cc...bd4c1577a9b

Can you please change the changelog to "Christian Boltz (openSUSE)" 
(instead of "SUSE")? ;-)


Regards,

Christian Boltz
-- 
[predefined Perl variables $_, $>, $[ etc.]
>Is the license actually in $§? ;-)))
$ perl -we 'print $§'
Use of uninitialized value in print at -e line 1.
[> Christian Boltz and David Haller in fontlinge-devel]
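
Added example, not part of the original message or of the samba/apparmor packaging: a small Python check that shows how the two include forms discussed above behave when local/usr.sbin.smbd-shares is absent. It assumes `<...>` includes resolve relative to a base directory (a temporary stand-in for /etc/apparmor.d here); the profile fragments and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches '#include <x>', 'include <x>' and the 'if exists' variant.
INCLUDE_RE = re.compile(
    r'^\s*#?include\s+(?P<cond>if\s+exists\s+)?<(?P<path>[^>]+)>')

def audit_includes(profile_text, base_dir):
    """Return (line_no, path, status) for every <...> include.

    status: 'ok' (target present), 'skipped' (conditional, target absent)
    or 'load-fails' (unconditional include of an absent file).
    """
    findings = []
    for no, line in enumerate(profile_text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        if (Path(base_dir) / m['path']).exists():
            status = 'ok'
        elif m['cond']:
            status = 'skipped'
        else:
            status = 'load-fails'
        findings.append((no, m['path'], status))
    return findings

# Constructed profile fragments, not the real usr.sbin.smbd profile.
UNCONDITIONAL = """/usr/sbin/smbd {
  #include <abstractions/base>
  #include <local/usr.sbin.smbd-shares>
}
"""
CONDITIONAL = UNCONDITIONAL.replace(
    '#include <local/', '#include if exists <local/')

def demo():
    """Audit both variants against a tree that lacks the -shares file."""
    with tempfile.TemporaryDirectory() as base:
        (Path(base) / 'abstractions').mkdir()
        (Path(base) / 'abstractions' / 'base').write_text('# constructed\n')
        return (audit_includes(UNCONDITIONAL, base),
                audit_includes(CONDITIONAL, base))

if __name__ == '__main__':
    for result in demo():
        print(result)
```
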