<p>Source: openSUSE Project Management Tool (https://progress.opensuse.org/), feed timestamp 2017-08-26T06:23:22Z</p>
<h1>invisAD-setup - action #23652: create apparmor profiles for samba ad components</h1>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=60990 (2017-08-26T06:23:22Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>Category</strong> set to <i>Developement</i></li></ul>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=60998 (2017-08-26T09:36:46Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>Due date</strong> set to <i>2017-09-01</i></li></ul>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=61140 (2017-08-29T07:56:57Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>% Done</strong> changed from <i>10</i> to <i>30</i></li></ul><p>Samba Profiles renewed. Joining the AD domain works now.</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=61300 (2017-08-29T19:45:09Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>% Done</strong> changed from <i>30</i> to <i>40</i></li></ul><p>New apparmor profiles for sssd added, apparmor profiles for samba AD renewed.</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=61646 (2017-09-02T15:03:59Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>Due date</strong> changed from <i>2017-09-01</i> to <i>2017-09-09</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>% Done</strong> changed from <i>40</i> to <i>80</i></li></ul><p>It seems that samba AD and sssd are now working with activated apparmor. Now we should test it for a while.</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63656 (2017-09-09T10:19:54Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>% Done</strong> changed from <i>80</i> to <i>90</i></li></ul>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63674 (2017-09-09T16:12:00Z, cboltz, suse-beta@cboltz.de)</p>
<p>Did you need to add more rules to the smbd, nmbd or winbindd profile or one of the abstractions (besides what we added at FrOSCon)? If yes, please tell me so that I can integrate it in the official profiles/abstractions.</p>
<p>I might be able to do AppArmor maintenance updates with the updated profiles (and some other fixes). For this, knowing your schedule (when do you need the updated packages?) would be helpful ;-) (getting upstream maintenance releases usually takes some days, and the openSUSE maintenance process typically needs two weeks)</p>
<p>Also, if you want a review of the added profiles, tell me where I can find them ;-)</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63826 (2017-09-11T12:55:10Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>Target version</strong> set to <i>13.0</i></li></ul>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63830 (2017-09-11T14:14:40Z, flacco, stefan@invis-server.org)</p>
<p>cboltz wrote:</p>
<blockquote>
<p>Did you need to add more rules to the smbd, nmbd or winbindd profile or one of the abstractions (besides what we added at FrOSCon)? If yes, please tell me so that I can integrate it in the official profiles/abstractions.</p>
</blockquote>
<p>I've added two new profiles, "sssd" and "sssd_be". They are still "work in progress"...</p>
<blockquote>
<p>I might be able to do AppArmor maintenance updates with the updated profiles (and some other fixes). For this, knowing your schedule (when do you need the updated packages?) would be helpful ;-) (getting upstream maintenance releases usually takes some days, and the openSUSE maintenance process typically needs two weeks)</p>
<p>Also, if you want a review of the added profiles, tell me where I can find them ;-)</p>
</blockquote>
<p>You find our profiles in github: <a href="https://github.com/invisserver/invisAD-setup/tree/master/usr/share/sine/templates/samba_ad/apparmor" class="external">https://github.com/invisserver/invisAD-setup/tree/master/usr/share/sine/templates/samba_ad/apparmor</a></p>
<p>It would be nice if you could have a look at it.</p>
<p>We don't have a fixed schedule for this. At the moment we install our profiles from our invisAD-setup RPM by just copying them from our template directory to /etc/apparmor.d. If they are ready, we can bring them upstream.</p>
<p>Thank you for your support.</p>
<p>Stefan</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63846 (2017-09-11T16:17:54Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>Assignee</strong> set to <i>flacco</i></li></ul>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63860 (2017-09-11T21:45:52Z, cboltz, suse-beta@cboltz.de)</p>
<p>The changes to existing profiles are (compared to what AppArmor bzr contains):</p>
<h2 id="ntpd">ntpd</h2>
<pre><code>+ /var/lib/sss/mc/initgroups r,
</code></pre>
<p>(covered by the upstream change in abstractions/nameservice, so you can drop the custom ntpd profile when the updated abstraction gets shipped)</p>
<h2 id="smbd">smbd</h2>
<pre><code>+ /dev/urandom rw,
+ /usr/lib{,32,64}/** mr,
+ /var/lib/sss/mc/initgroups r,
</code></pre>
<p><em>Writing</em> to /dev/urandom surprises me. Any idea why this could be done?</p>
<p>The <code>/usr/lib{,32,64}/** mr,</code> addition looks too broad to me. Can you please remove it and use more specific rules? (It's easy to merge multiple rules using a wildcard later, but making an overly broad rule more restrictive is close to impossible.)</p>
<p>sss/mc/initgroups is covered by the updated abstractions/nameservice</p>
<h2 id="nmbd">nmbd</h2>
<p>matches the latest upstream profile</p>
<h2 id="winbindd">winbindd</h2>
<pre><code>+ /usr/lib{,32,64}/** mr,
- /usr/lib*/samba/gensec/krb*.so mr,
</code></pre>
<p>Again, <code>/usr/lib{,32,64}/** mr,</code> looks too broad. Can you please remove it and use more specific rules? (Re-adding the deleted <code>gensec/krb*.so</code> rule might save you some log events ;-)</p>
<h1 id="added-profiles">added profiles</h1>
<p>I only had a quick look at the new profiles, so please take the following more as impressions, not as a full review:</p>
<h2 id="sssd_be">sssd_be</h2>
<pre><code>/usr/lib{,32,64}/** mr,
</code></pre>
<p>too broad, see above</p>
<h2 id="samba_dnsupdate">samba_dnsupdate</h2>
<pre><code> /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so} mrw,
</code></pre>
<p>I'd recommend removing this rule. <code>mr</code> is covered by abstractions/python, and samba_dnsupdate shouldn't be allowed to write those files. (Better open a bug report about the *.pyc write attempts; it generally points to missing python cache files in the package.)</p>
<h2 id="samba_kcc">samba_kcc</h2>
<pre><code>/usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so} mrw,
/tmp/* w,
/var/tmp/* w,
</code></pre>
<p>For the python files, see above.</p>
<p>For /tmp/ and /var/tmp/, two notes:</p>
<ul>
<li>if there is a filename pattern (for example <code>/tmp/samba_kcc_*</code>), then use it instead of just <code>*</code></li>
<li>rules for world-writeable directories should have the owner conditional whenever possible -> <code>owner /tmp/* w,</code></li>
</ul>
<h2 id="sssd">sssd</h2>
<pre><code>/usr/lib/sssd/sssd_be px,
/usr/lib{,32,64}/** mr,
</code></pre>
<p>Do you really need to preserve environment variables in this exec? Otherwise please use <code>Px</code>.</p>
<p>Also, we have the overly broad <code>/usr/lib{,32,64}/** mr,</code> rule again.</p>
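<p>The review above keeps coming back to the same four rule patterns: a <code>**</code> glob directly under <code>/usr/lib</code>, write access to Python bytecode and shared objects, writes into world-writable directories without the <code>owner</code> conditional (and with a bare <code>*</code> where a filename pattern would do), and a lowercase <code>px</code> transition that preserves the environment. The following lint is an added example, not code from the invisAD-setup project or from the AppArmor tooling: it parses the file rules of a profile and flags those patterns so a profile author can catch them before asking for review. The sample profile it runs on is constructed for this example, modelled on the rules quoted in the review; the broad-glob check also matches <code>/lib</code> and <code>/usr/local/lib</code> roots, which goes slightly beyond the review's <code>/usr/lib{,32,64}</code> case.</p>

```python
"""Lint AppArmor file rules for the patterns questioned in the review above.

Added example; not part of invisAD-setup or AppArmor. The sample profile is
constructed for this example and is not one of the project's real profiles.
"""
import re

# Constructed sample profile (not a real invisAD-setup profile); the rules
# mirror the ones quoted in the review so each check has something to hit.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/sssd/sssd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  /usr/lib/sssd/sssd_be px,
  /usr/lib{,32,64}/** mr,
  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so} mrw,
  /tmp/* w,
  owner /var/tmp/samba_kcc_* w,
  /dev/urandom rw,
  /var/lib/sss/mc/initgroups r,
}
"""

# A file rule: optional "owner" qualifier, an absolute path glob, a permission
# string, terminated by a comma. #include lines, braces and comments do not match.
RULE_RE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$")

# A "**" directly below a library root (/lib, /usr/lib, /usr/local/lib, with or
# without 32/64/brace/star suffix) makes every library on the system mappable.
BROAD_LIB_RE = re.compile(r"^(?:/usr(?:/local)?)?/lib(?:\{[^}]*\}|\*|32|64)?/\*\*$")

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_rules(profile_text):
    """Return (lineno, has_owner, path, perms) for every file rule in the profile."""
    rules = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if m:
            rules.append((lineno, bool(m.group("owner")), m.group("path"), m.group("perms")))
    return rules


def lint_rule(has_owner, path, perms):
    """Return the findings for one rule; an empty list means none of the review's concerns apply."""
    findings = []
    if BROAD_LIB_RE.match(path):
        findings.append("too broad: list the specific libraries instead of a ** glob under the lib root")
    if "w" in perms and path.startswith(WORLD_WRITABLE):
        if not has_owner:
            findings.append("write into a world-writable directory without the owner conditional")
        if re.fullmatch(r"(?:/tmp|/var/tmp|/dev/shm)/\*\*?", path):
            findings.append("bare wildcard: prefer a filename pattern such as /tmp/<program>_*")
    if "w" in perms and path.startswith("/usr/lib") and ("pyc" in path or ".so" in path):
        findings.append("write access to Python bytecode or shared objects; mr is already covered by abstractions/python")
    if "w" in perms and path == "/dev/urandom":
        findings.append("write to /dev/urandom: confirm the program really needs more than read access")
    # Lowercase "px" keeps the caller's environment across the exec; "Px" scrubs it.
    if "x" in perms and "p" in perms:
        findings.append("px preserves environment variables across the exec; use Px unless they are needed")
    return findings


def lint_profile(profile_text):
    """Map line number -> findings for every rule that has at least one finding."""
    report = {}
    for lineno, has_owner, path, perms in parse_rules(profile_text):
        findings = lint_rule(has_owner, path, perms)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(lint_profile(SAMPLE_PROFILE).items()):
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

<p>Run against the constructed sample, the lint reports the <code>px</code> transition, the broad <code>/usr/lib{,32,64}/**</code> rule, the <code>mrw</code> on Python files, both problems with <code>/tmp/* w,</code> and the write to /dev/urandom, while the <code>owner /var/tmp/samba_kcc_* w,</code> rule passes. The checks are deliberately string-based rather than a full AppArmor grammar; they are a pre-review sanity pass, not a replacement for <code>apparmor_parser</code> or for reading the profile.</p>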
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63870 (2017-09-12T05:17:49Z, flacco, stefan@invis-server.org)</p>
<p>Hi Christian,</p>
<p>Thanks a lot for your input. I'll try to implement your suggestions. AppArmor is very new for me, but your objections sound reasonable. I'll let you know if I have further questions.</p>
<p>Stefan</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=63896 (2017-09-12T07:55:07Z, flacco, stefan@invis-server.org)</p>
<p>Hi Christian,</p>
<p>I have just renewed our apparmor profiles. You may have a look at them.</p>
<p>Stefan</p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=64496 (2017-09-15T12:33:30Z, flacco, stefan@invis-server.org)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul><p>Some tests with the latest profiles done: joining a domain with win7 and win10 works. Joining the domain with openSUSE/Samba/sssd works. Access to the Samba shares works.</p>
<p>There are perhaps some optimizations possible, but for invis 13.0 it works. </p>
<p>Journal entry https://progress.opensuse.org/issues/23652?journal_id=99826 (2018-03-10T17:44:20Z, ingogoeppert)</p>
<ul><li><strong>Project</strong> changed from <i>invis-server</i> to <i>invisAD-setup</i></li><li><strong>Category</strong> deleted (<del><i>Developement</i></del>)</li><li><strong>Target version</strong> deleted (<del><i>13.0</i></del>)</li></ul>