Browsing Corsican translation

104.

There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part of the <application>apparmor-profiles</application> packages. To install the package, from a terminal prompt, enter:

105.

sudo apt-get install apparmor-profiles

106.

This package contains profiles for several other binaries.

107.

By default the profiles for <application>smbd</application> and <application>nmbd</application> are in <emphasis>complain</emphasis> mode, allowing Samba to work without modifying the profile, and only logging errors. To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.

108.

Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename>, adding information for <emphasis>[share]</emphasis> from the file server example:

109.

/srv/samba/share/ r,
/srv/samba/share/** rwkix,

110.

Now place the profile into <emphasis>enforce</emphasis> and reload it:

111.

sudo aa-enforce /usr/sbin/smbd

112.

cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r

113.

It is now possible to read, write, and execute files in the shared directory as normal, and the <application>smbd</application> binary will have access to only the configured files and directories. Be sure to add entries for each directory that Samba is configured to share. Any errors will be logged to <filename>/var/log/syslog</filename>.