Hello, Am Donnerstag, 21. Februar 2019, 21:26:58 CET schrieb Mathieu Parent: > As a last-minute fix for buster, I want to fix "#896080 samba: Improve > AppArmor integration" [SambaAppArmor]. > > I've prepared the fixes [Diff], inspired by what is done in Suse. But > they also patch apparmor-profiles [AppArmor-Patch]. This solution does > not conforms to policy as a file owned by a package could not be > changed by another one (/etc/apparmor.d/local/usr.sbin.smbd-shares > owned by apparmor-profiles, changed by samba). > > I can add in samba's README the need to add "#include > <local/usr.sbin.smbd-shares>" in /etc/apparmor.d/usr.sbin.smbd, but > maybe you have a better solution? Maybe use dpkg-diversion?
To simplify things, I'd propose to apply a slightly modified version of https://build.opensuse.org/package/view_file/openSUSE:Factory/apparmor/apparmor-samba-include-permissions-for-shares.diff?expand=1 to the usr.sbin.smbd profile in the apparmor-profiles package: Instead of #include you {c,sh]ould use #include if exists so that it doesn't matter if local/usr.sbin.smbd-shares exists or which package creates it. That might even be an upstream-able solution because it doesn't break distributions without the autogenerated samba profile sniplet (or without the package owning that file installed). The local/usr.sbin.smbd file can then be owned by whatever package (probably samba, because that also owns the script changing the file). BTW: Minor nitpicking on https://salsa.debian.org/samba-team/samba/compare/874f9270b6f743c4d0c3eb1a1a3e1fa814bf25cc...bd4c1577a9b Can you please change the changelog to "Christian Boltz (openSUSE)" (instead of "SUSE")? ;-) Regards, Christian Boltz -- [vordefinierte Perlvariablen $_, $>, $[ usw.] >Steht eigentlich in $§ die Lizenz? ;-))) $ perl -we 'print $§' Use of uninitialized value in print at -e line 1. [> Christian Boltz und David Haller in fontlinge-devel]
signature.asc
Description: This is a digitally signed message part.
