Package: apparmor
Version: 2.11.0-3+deb9u2
Severity: normal

Dear Maintainer,

A piece of replacement kit went in requiring a newer kernel from backports, which brought in apparmor as a recommend. However in its currently shipping form this broke the bind DLZ that's used with samba (to host DNS for active directory). For those unfamiliar, DLZ = Dynamically Loadable Zone and the way it works is samba populates a zone file which bind is then pointed at to load.

Once this was spotted we didn't have a great deal of time to fix it and I eventually just placed apparmor in complain mode for named to bypass the issue:
    aa-complain /usr/sbin/named

I did try modifying some of the config in order to get bind/samba to work, but it was my first time trying to futz apparmor and I ultimately didn't get it working. I've since discovered samba have official info on apparmor here https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration - following on from that and what I've seen in kern.log I believe the Debian configuration in /etc/apparmor.d/usr.sbin.named should contain something like:

    /usr/lib/x86_64-linux-gnu/samba/** rm,
    /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
    /var/lib/samba/private/dns.keytab r,
    /var/lib/samba/private/named.conf r,
    /var/lib/samba/private/dns/** rwk,
    /etc/smb.conf r,

...but obviously I'd like someone who knows what they're doing to have a look first as it's possible those permissions are too loose (like I say, I'm still a-learnin'). If and when I get an opportunity to test this I'll report back as to whether it works.

-- System Information:
Debian Release: 9.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libapparmor-perl       2.11.0-3+deb9u2
ii  libc6                  2.24-11+deb9u3
ii  lsb-base               9.20161125
ii  python3                3.5.3-1

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles        <none>
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           2.11.0-3+deb9u2

-- debconf information:
  apparmor/homedirs:
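
An added example, not part of the original report: while named is left in complain mode, a candidate rule set can be checked against the logged AppArmor events before switching back to enforce mode. The sketch below replays audit lines against the rules proposed in the report and lists any access they would still not allow. The log lines are constructed, the function names are hypothetical, and the glob handling is a simplified approximation of AppArmor's matching.

```python
import re

# Rules exactly as proposed in the report for /etc/apparmor.d/usr.sbin.named.
PROPOSED_RULES = """
/usr/lib/x86_64-linux-gnu/samba/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/smb.conf r,
"""
# Constructed complain-mode audit lines (not taken from the reporter's kern.log).
SAMPLE_LOG = '''
audit: type=1400 audit(0.0:1): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" comm="named" requested_mask="rm" denied_mask="rm"
audit: type=1400 audit(0.0:2): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb.d/new.ldb" comm="named" requested_mask="c" denied_mask="c"
audit: type=1400 audit(0.0:3): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/example-uncovered.file" comm="named" requested_mask="r" denied_mask="r"
'''
FIELD = re.compile(r'(\w+)="([^"]*)"')

def glob_to_regex(glob):
    # Simplified AppArmor globbing: "**" crosses "/", "*" does not.
    pattern = ""
    for part in re.split(r"(\*\*|\*)", glob):
        if part == "**":
            pattern += ".*"
        elif part == "*":
            pattern += "[^/]*"
        else:
            pattern += re.escape(part)
    return re.compile(pattern)

def parse_rules(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        path, perms = line.rstrip(",").split()
        rules.append((glob_to_regex(path), set(perms)))
    return rules

def uncovered(log, rules, profile="/usr/sbin/named"):
    missing = []
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("profile") != profile or "name" not in f:
            continue
        # Assumption: log masks a/c/d (append/create/delete) are granted by rule perm "w".
        want = {"w" if c in "acd" else c for c in f.get("denied_mask", "")}
        have = set().union(*(p for rx, p in rules if rx.fullmatch(f["name"])))
        if want - have:
            missing.append((f["name"], "".join(sorted(want - have))))
    return missing
```

Calling `uncovered(SAMPLE_LOG, parse_rules(PROPOSED_RULES))` returns only the constructed `example-uncovered.file` read; an empty list against a real complain-mode log is the signal that the rule set covers what named was observed doing.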
