samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.
audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
See also https://bbs.archlinux.org/viewtopic.php?id=281411
Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd` has similar ones, simply add `/var/cache/samba/*.tdb rwk` to `abstractions/samba`.
(cherry picked from commit 763c4ecd, with cleanup of now-superfluous rules in usr.sbin.nmbd and usr.sbin.winbindd dropped)
Also allow access to samba pid files directly in /run/
This is a backport of !987 (merged), with the cleanup of now-superfluous rules removed.
I propose this patch for 3.x (also for 2.13 if it cleanly applies)