Comment 2 for bug 1952242

I'm having to add the following just to allow samba to be started by systemd, and I'm still missing net_admin capa, which I'm reluctant to add:
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,12 +24,22 @@
   capability sys_resource,
   capability sys_tty_config,

+ # when started by systemd
+ ptrace read peer=unconfined,
+
   /etc/mtab r,
   /etc/netgroup r,
   /etc/printcap r,
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
+
+ # https://gitlab.com/apparmor/apparmor/-/issues/203
+ # needed when smbd is started by systemd
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
@@ -51,6 +61,8 @@
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
   @{run}/samba/smbd.pid rw,
+ # when started by systemd
+ @{run}/systemd/notify w,
   /var/spool/samba/** rw,

   @{HOMEDIRS}/** lrwk,

With the above, I only get this alert now:
[Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" capability=12 capname="net_admin"

And only when starting smbd with systemd. Looks like we will have to live with that one, if I understood the comments in the usptream bug correctly.