Smb file sharing and apparmor

Continuing the discussion from Basic file sharing using nemo:

I probably should have given up by now, but I’m like a dog with a bone… and keep on reading and trying things.
Your comment regarding ‘selinux’ got me thinking, and I discovered that Manjaro has a similar thing, ‘apparmor’. In the Archlinux wiki https://wiki.archlinux.org/title/AppArmor, in section 5, Troubleshooting, there is a link ‘Failing to start samba smb/cifs server’ https://wiki.archlinux.org/title/Samba#Permission_issues_on_AppArmor that may be my issue, and I need to ‘whitelist’ my ‘share path’?? I don’t want to create more issues, and to be honest I don’t really/fully understand what’s involved, so before I try that, what do you think?

Permission issues on AppArmor

If using a share path located outside of a home or usershares directory, whitelist it in /etc/apparmor.d/local/usr.sbin.smbd. E.g.:

/etc/apparmor.d/local/usr.sbin.smbd

"/data/" rk,
"/data/**" lrwk,

After editing, reload the AppArmor profile:

# apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd

AppArmor is only active if you have it in your kernel boot line — check your /etc/default/grub.

Personally I’ve never had a use for it, so I have it disabled here. :man_shrugging:

Thanks, yes, it is present in ‘grub’:

GRUB_DEFAULT=saved
GRUB_TIMEOUT=10
GRUB_TIMEOUT_STYLE=menu
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor resume=UUID=37338d05-938e-4731-bbc2-9fbad238f95d udev.log_priority=3"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

I don’t want to stuff up ‘grub’; could you confirm the following process is correct and safe:
I remove both ‘apparmor=1’ and ‘security=apparmor’?
As I don’t use hibernation, is it safe to also remove ‘resume=UUID=xxxx’?
After I save the changes, do I simply restart the system, or enter:

sudo update-grub 

Will the changes be permanent? or will they change at the next update?


They will be permanent, I did the same thing a while back…

Yes, exactly. :wink:

Absolutely. :wink:

The latter. You need to run that command in order to update the grub configuration file, i.e. /boot/grub/grub.cfg.

They will be permanent, although there is always a chance that a future .pacnew file suggests differences. But you can then ignore that. :wink:

In that case - if you don’t intend to use that function - you should also remove the “resume” keyword from the HOOKS line in the file: /etc/mkinitcpio.conf
and afterwards run:
sudo mkinitcpio -P

This will rebuild the initial ram disk (initrd) without that functionality, which would otherwise still be present and take up (a bit of) space - and time.

Make a backup of these files before you change them, so you have a reference as to what it was and can go back should you ever want to.


But before running update-grub, or else it won’t make a difference. :wink:


Thank you all, removing ‘apparmor=1 security=apparmor’ fixed my issue!
I can now access the share /Data/Datalaptop.
For almost 2 months I had been trying all sorts of permutations of smb.conf, changing permissions, ownership, etc… but nothing worked, until now.

There was no ‘resume …’ in ‘mkinitcpio.conf’, so for now I left resume=UUID=xxx… in grub.
I believe apparmor is needed to run ‘snap’ applications. I don’t currently use snap, and when I look for an application to install I always use the one in the repo or, if not available, I check AUR. But I think ‘snap’ makes it easier for developers, so it’s only a matter of time before I may have to consider using ‘snap’ apps!? So if someone could tell me how to ‘white-list’ an smb share in apparmor

usr.sbin.smbd 

that would be useful for future use.

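The whitelisting asked about above, as an added example that is not from this thread or the Arch wiki: it keeps AppArmor enabled and only opens the one share path in the smbd profile's local override, following the recipe quoted earlier in the thread. The override and profile paths are the wiki's; the audit log lines are constructed to match the kernel's AppArmor audit format, and the share path /Data/Datalaptop is the one from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Arch wiki): whitelist one Samba
# share in the smbd AppArmor profile instead of turning AppArmor off.
set -eu

# Emit the two override rules the wiki recipe uses for a share outside /home:
# "rk" on the directory itself, "lrwk" on everything below it. A trailing
# slash on the argument is dropped so both spellings give identical rules.
smbd_share_rules() {
    local share="${1%/}"
    printf '"%s/" rk,\n"%s/**" lrwk,\n' "$share" "$share"
}

# Read AppArmor audit lines on stdin (e.g. from `journalctl -k` or `dmesg`)
# and print the unique paths smbd was DENIED access to. The profile name may
# be logged as "smbd" or "/usr/sbin/smbd" depending on the profile header.
smbd_denials() {
    grep -o 'apparmor="DENIED".*profile="[^"]*smbd".*name="[^"]*"' |
        sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# Append the rules to the local override if not already present, then reload
# the profile (needs root). While diagnosing, `aa-complain usr.sbin.smbd`
# logs instead of denying, which is the "complain mode" mentioned below.
whitelist_share() {
    local share="$1" override=/etc/apparmor.d/local/usr.sbin.smbd
    smbd_share_rules "$share" | while IFS= read -r rule; do
        grep -qxF -- "$rule" "$override" 2>/dev/null ||
            printf '%s\n' "$rule" >>"$override"
    done
    apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd
}

# Constructed sample log: one smbd denial, one allowed smbd access, and one
# denial from another profile, so the filter must keep only the first.
SAMPLE_AUDIT='audit: type=1400 audit(1700000000.000:42): apparmor="DENIED" operation="open" profile="smbd" name="/Data/Datalaptop/" pid=1234 comm="smbd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.000:43): apparmor="ALLOWED" operation="open" profile="smbd" name="/home/user/share/" pid=1234 comm="smbd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.000:44): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/cups/x.conf" pid=99 comm="cupsd" requested_mask="r" denied_mask="r"'

# Demo: show which path smbd was blocked on, and the rules that would fix it.
# On a real system: journalctl -k | smbd_denials   and then
#                   sudo bash -c 'source ./this.sh; whitelist_share /Data/Datalaptop'
printf '%s\n' "$SAMPLE_AUDIT" | smbd_denials
smbd_share_rules /Data/Datalaptop
```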

Hmm, strange.
One (the kernel parameter) doesn’t make sense without the other (the “resume” HOOK),
except when the keyword “systemd” is present in the /etc/mkinitcpio.conf HOOKS,
which, to my knowledge, isn’t the default.

no matter - if it works, it works … :person_shrugging:

See attached ‘mkinitcpio.conf’; most is commented out, just 1 line active:

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect modconf kms block keyboard keymap consolefont resume filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
#COMPRESSION="zstd"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

# MODULES_DECOMPRESS
# Decompress kernel modules during initramfs creation.
# Enable to speedup boot process, disable to save RAM
# during early userspace. Switch (yes/no).
#MODULES_DECOMPRESS="yes"

Anyway, samba sharing now works, so all good :smile:
I’m not sure which post I should be marking as ‘Solution’, as the solution is a combination of the previous posts and the turning off of ‘AppArmor’.

Another option was to put smb in “complain” mode; that was always enough, if I remember it right.

Is there any real reason not to uninstall apparmor? If I’m using my computer alone and running httpd over LAN only do I need apparmor? It seems to just get in the way.

What does it do?
What does it do for you?
Do you need what it does? Also considering that it is one more thing to maintain.

For me the answers lead to: no, I don’t need it - and I disable and uninstall it wherever it is present by default.


If you’re not using any of the containerized application formats — i.e. Snap, FlatPak or AppImage — then no, not really. I don’t have it installed here either.

