Update samba profiles
profiles/apparmor.d/samba*: allow access to pid files directly in /run/
On Arch Linux, samba-dcerpcd.pid
is in /run/
, not /run/samba/
.
apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The same is true for nmbd.pid
, smbd.pid
and probably others too.
/var/cache/samba/names.tdb
.
samba-dcerpcd requires access to audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
See also https://bbs.archlinux.org/viewtopic.php?id=281411
Since usr.sbin.winbindd
already has a rule for it, and usr.sbin.nmbd
has similar ones, simply add /var/cache/samba/*.tdb rwk
to
abstractions/samba
.