Greetings.

As of now, this bug still affects Buster.

I have installed samba (2:4.9.4+dfsg-4), bind9 (1:9.11.5.P4+dfsg-1), and 
apparmor (2.13.2-9).

In my testing environment, Samba is configured as an Active Directory 
controller, and it is using the BIND_DLZ backend for DNS.

When the apparmor profile 'usr.sbin.named' is set to 'enforce' mode (which it 
is, by default), the 'bind9' service fails to start, and the log informs me of 
this:

Apr  1 09:04:59 dc1 kernel: [   21.422095] audit: type=1400 
audit(1554134699.848:10): apparmor="DENIED" operation="open" 
profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=403 
comm="isc-worker0000" requested_mask="r" denied_mask="r"
fsuid=108 ouid=0

When the 'usr.sbin.named' profile is set to 'complain' mode, the 'bind9' 
service is able to start successfully, and the log records the following lines:

Apr  1 09:18:35 dc1 kernel: [  836.519140] audit: type=1400 
audit(1554135515.061:13): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=1123 
comm="isc-worker0000" requested_mask="r"
denied_mask="r" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.681568] audit: type=1400 
audit(1554135515.221:14): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.708281] audit: type=1400 
audit(1554135515.249:15): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so" 
pid=1123 comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.726233] audit: type=1400 
audit(1554135515.269:16): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.726597] audit: type=1400 
audit(1554135515.269:17): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldap.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.728118] audit: type=1400 
audit(1554135515.269:18): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldb.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.728753] audit: type=1400 
audit(1554135515.269:19): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/mdb.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.729100] audit: type=1400 
audit(1554135515.269:20): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_results.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.729404] audit: type=1400 
audit(1554135515.269:21): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_searches.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.729696] audit: type=1400 
audit(1554135515.269:22): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/rdn_name.so" pid=1123 
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0

I am uncertain how best to update the 'usr.sbin.named' profile so that the 
bind9 service will start and function correctly while confined by apparmor. 
Please advise.

Thanks,
-S.M.
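Added example, not part of the report or of Debian's packaging: a small Python helper that re-joins the mail-wrapped audit records quoted above, collects the denied masks per path for the /usr/sbin/named profile (complain-mode ALLOWED records count, since enforce mode would deny them), and renders them as AppArmor file rules. The local override path /etc/apparmor.d/local/usr.sbin.named and the `mr` mode for mapped libraries are assumptions to verify against aa-logprof on the host.

```python
import re
from collections import OrderedDict

# Two records copied from the report, wrapped the way the mail client wrapped them.
SAMPLE_AUDIT = """\
Apr  1 09:04:59 dc1 kernel: [   21.422095] audit: type=1400
audit(1554134699.848:10): apparmor="DENIED" operation="open"
profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=403
comm="isc-worker0000" requested_mask="r" denied_mask="r"
fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.681568] audit: type=1400
audit(1554135515.221:14): apparmor="ALLOWED" operation="file_mmap"
profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1123
comm="isc-worker0000"
requested_mask="m" denied_mask="m" fsuid=108 ouid=0
"""
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ")  # syslog timestamp
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')                            # key="value" pairs

def unwrap_records(text):
    """Re-join audit records that the mail client wrapped across several lines."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def collect_rules(text, profile="/usr/sbin/named"):
    """Union of denied masks per path for one profile (complain-mode ALLOWED
    records count too: enforce mode would have denied them)."""
    rules = OrderedDict()
    for rec in unwrap_records(text):
        f = dict(FIELD_RE.findall(rec))
        if f.get("profile") != profile or "name" not in f:
            continue  # other profile, or no file path (e.g. a network record)
        rules[f["name"]] = rules.get(f["name"], set()) | set(f.get("denied_mask", ""))
    return rules

def render_local_override(rules):
    """One AppArmor file rule per path, for /etc/apparmor.d/local/usr.sbin.named
    (assumed: Debian's named profile includes that local file; verify on the host)."""
    out = []
    for path, perms in rules.items():
        perms = set(perms) | ({"r"} if "m" in perms else set())  # mapped libs are also read
        mode = "".join(p for p in "mrwk" if p in perms)
        out.append(f"  {path} {mode},")
    return "\n".join(out)
```

Run it over the full complain-mode log to get one rule per .so module; the ldb modules could then be collapsed by hand into a single glob rule before reloading the profile with apparmor_parser -r.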
