|
|
109.
|
|
|
There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part of the <application>apparmor-profiles</application> packages. To install the package, from a terminal prompt enter:
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:649(para)
|
|
|
110.
|
|
|
sudo apt-get install apparmor-profiles
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:656(command) serverguide/C/security.xml:925(command)
|
|
|
111.
|
|
|
This package contains profiles for several other binaries.
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:660(para)
|
|
|
112.
|
|
|
By default the profiles for <application>smbd</application> and <application>nmbd</application> are in <emphasis>complain</emphasis> mode allowing Samba to work without modifying the profile, and only logging errors. To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:665(para)
|
|
|
113.
|
|
|
Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information for <emphasis>[share]</emphasis> from the file server example:
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:672(para)
|
|
|
114.
|
|
|
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
|
|
|
represents a line break.
Start a new line in the equivalent position in the translation.
|
|
|
represents a space character.
Enter a space in the equivalent position in the translation.
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:677(programlisting)
|
|
|
115.
|
|
|
Now place the profile into <emphasis>enforce</emphasis> and reload it:
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:682(para)
|
|
|
116.
|
|
|
sudo aa-enforce /usr/sbin/smbd
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:687(command)
|
|
|
117.
|
|
|
cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:688(command)
|
|
|
118.
|
|
|
You should now be able to read, write, and execute files in the shared directory as normal, and the <application>smbd</application> binary will have access to only the configured files and directories. Be sure to add entries for each directory you configure Samba to share. Also, any errors will be logged to <filename>/var/log/syslog</filename>.
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/windows-networking.xml:691(para)
|
