I'm having to add the following just to allow samba to be started by systemd, and I'm still missing net_admin capa, which I'm reluctant to add:
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,12 +24,22 @@
capability sys_resource,
capability sys_tty_config,
+ # when started by systemd
+ ptrace read peer=unconfined,
+
/etc/mtab r,
/etc/netgroup r,
/etc/printcap r,
/etc/samba/* rwk,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
+
+ # https://gitlab.com/apparmor/apparmor/-/issues/203
+ # needed when smbd is started by systemd
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
/usr/lib*/samba/vfs/*.so mr,
/usr/lib*/samba/auth/*.so mr,
/usr/lib*/samba/charset/*.so mr,
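Review bot: the `ptrace read peer=unconfined` rule at the top of this hunk is broader than the `@{PROC}/1/environ r` read it exists to support, because AppArmor's ptrace read permission covers read-access (including `/proc/<pid>/environ`-style reads) against every unconfined process, not just PID 1. If reading init's environment is what smbd needs under systemd, it is worth confirming that against the issue linked in the second block and carrying that link in the first `# when started by systemd` comment as well, so both additions from the same cause have the same justification.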
@@ -51,6 +61,8 @@
@{run}/samba/ncalrpc/ rw,
@{run}/samba/ncalrpc/** rw,
@{run}/samba/smbd.pid rw,
+ # when started by systemd
+ @{run}/systemd/notify w,
/var/spool/samba/** rw,
@{HOMEDIRS}/** lrwk,
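Review bot: `@{run}/systemd/notify w` is the sd_notify socket, and write-only is the right minimum for it; one suggestion is to reference the same issue link here as in the first hunk, so a reader who sees only this `# when started by systemd` comment knows where the requirement came from.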
With the above, I only get this alert now:
[Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" capability=12 capname="net_admin"
And only when starting smbd with systemd. Looks like we will have to live with that one, if I understood the comments in the upstream bug correctly.