Ubuntu
samba package

Bug #2009858
Comment #10

Comment 10 for bug 2009858

Revision history for this message

Francis Brosnan (francis-aspl) wrote on 2023-03-23:

#10

Just confirm it not apparmor related. In our installation, policy is in complain mode. See:

root@xxx-xxxxxx:~# aa-status
apparmor module is loaded.
63 profiles are loaded.
43 profiles are in enforce mode.
   /snap/snapd/17029/usr/lib/snapd/snap-confine
   /snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17336/usr/lib/snapd/snap-confine
   /snap/snapd/17336/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17576/usr/lib/snapd/snap-confine
   /snap/snapd/17576/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17883/usr/lib/snapd/snap-confine
   /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17950/usr/lib/snapd/snap-confine
   /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/18357/usr/lib/snapd/snap-confine
   /snap/snapd/18357/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/18596/usr/lib/snapd/snap-confine
   /snap/snapd/18596/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   chromium_browser//browser_java
   chromium_browser//browser_openjdk
   chromium_browser//sanitized_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
20 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   chromium_browser
   chromium_browser//chromium_browser_sandbox
   chromium_browser//lsb_release
   chromium_browser//xdgsettings
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
6 processes have profiles defined.
0 processes are in enforce mode.
6 processes are in complain mode.
   /usr/sbin/nmbd (2967123) nmbd
   /usr/sbin/smbd (2508135) smbd
   /usr/sbin/smbd (2967228) smbd
   /usr/sbin/smbd (2967230) smbd
   /usr/sbin/smbd (2967231) smbd
   /usr/sbin/smbd (2967232) smbd
0 processes are unconfined but have a profile defined.

Also, at /var/log/audit/audit.log no "denied" notification was reported. All allowed.

In any case, we tried Disabling or uninstalling AppArmor but did not make any difference. Downgrading did.

Just confirm it not apparmor related. In our installation, policy is in complain mode. See:

root@xxx-xxxxxx:~# aa-status 
apparmor module is loaded.
63 profiles are loaded.
43 profiles are in enforce mode.
   /snap/snapd/17029/usr/lib/snapd/snap-confine
   /snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17336/usr/lib/snapd/snap-confine
   /snap/snapd/17336/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17576/usr/lib/snapd/snap-confine
   /snap/snapd/17576/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17883/usr/lib/snapd/snap-confine
   /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17950/usr/lib/snapd/snap-confine
   /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/18357/usr/lib/snapd/snap-confine
   /snap/snapd/18357/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/18596/usr/lib/snapd/snap-confine
   /snap/snapd/18596/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   chromium_browser//browser_java
   chromium_browser//browser_openjdk
   chromium_browser//sanitized_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
20 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   chromium_browser
   chromium_browser//chromium_browser_sandbox
   chromium_browser//lsb_release
   chromium_browser//xdgsettings
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
6 processes have profiles defined.
0 processes are in enforce mode.
6 processes are in complain mode.
   /usr/sbin/nmbd (2967123) nmbd
   /usr/sbin/smbd (2508135) smbd
   /usr/sbin/smbd (2967228) smbd
   /usr/sbin/smbd (2967230) smbd
   /usr/sbin/smbd (2967231) smbd
   /usr/sbin/smbd (2967232) smbd
0 processes are unconfined but have a profile defined.

Also, at /var/log/audit/audit.log no "denied" notification was reported. All allowed.

In any case, we tried Disabling or uninstalling AppArmor but did not make any difference. Downgrading did.

Ubuntusamba package

Comment 10 for bug 2009858

Ubuntu
samba package