Control: reopen -1

On 01.04.19 at 23:52, Steven Monai wrote:

Hi Steve,

> As of now, this bug still affects Buster.

Thanks for reporting. I don't have Samba AD with bind9 running on
Buster, so your feedback is appreciated.

> When the apparmor profile 'usr.sbin.named' is set to 'enforce' mode
> (which it is, by default), the 'bind9' service fails to start, and the
> log informs me of this:
> 
> Apr  1 09:04:59 dc1 kernel: [   21.422095] audit: type=1400
> audit(1554134699.848:10): apparmor="DENIED" operation="open"
> profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf"
> pid=403 comm="isc-worker0000" requested_mask="r" denied_mask="r"
> fsuid=108 ouid=0

Have you configured /var/lib/samba/bind-dns/named.conf manually by any
chance? On my stretch system this file is in /var/lib/samba/private,
which is whitelisted based on the reports in this bug in the apparmor
policy.

> When the 'usr.sbin.named' profile is set to 'complain' mode, the 'bind9'
> service is able to start successfully, and the log records the following
> lines:
> 
> Apr  1 09:18:35 dc1 kernel: [  836.519140] audit: type=1400
> audit(1554135515.061:13): apparmor="ALLOWED" operation="open"
> profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf"
> pid=1123 comm="isc-worker0000" requested_mask="r" denied_mask="r"
> fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.681568] audit: type=1400
> audit(1554135515.221:14): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.708281] audit: type=1400
> audit(1554135515.249:15): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.726233] audit: type=1400
> audit(1554135515.269:16): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.726597] audit: type=1400
> audit(1554135515.269:17): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldap.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.728118] audit: type=1400
> audit(1554135515.269:18): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldb.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.728753] audit: type=1400
> audit(1554135515.269:19): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/mdb.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.729100] audit: type=1400
> audit(1554135515.269:20): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_results.so"
> pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m"
> fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.729404] audit: type=1400
> audit(1554135515.269:21): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_searches.so"
> pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m"
> fsuid=108 ouid=0
> Apr  1 09:18:35 dc1 kernel: [  836.729696] audit: type=1400
> audit(1554135515.269:22): apparmor="ALLOWED" operation="file_mmap"
> profile="/usr/sbin/named"
> name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/rdn_name.so" pid=1123
> comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> 
> I am uncertain how best to update the 'usr.sbin.named' profile so that
> the bind9 service will start and function correctly while confined by
> apparmor. Please advise.

Try adding this into /etc/apparmor.d/local/usr.sbin.named

/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,

and reload apparmor. Does this help?

I need to read up on bind9+samba again to see what the default paths are.

Bernhard
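The suggested override above is derived by hand from the audit lines in the report. As an added example that is not part of this bug thread or of the Debian profile, the shell function below does that derivation for the general case: it reads kernel audit lines in the format quoted above, keeps only those for the named profile that carry a denied mask, turns a bare mmap mask into `rm` (a library has to be readable to be mapped, which is why the rules above use `rm`), generalises the Debian multiarch directory to `@{multiarch}` and collapses sibling `.so` files into one directory glob. The function name `audit_to_rules`, the sample log lines (constructed from the entries quoted above, with one line for a different profile added to show the filtering) and the assumption that `x86_64-linux-gnu` is the only multiarch triplet to generalise are all mine.

```shell
#!/bin/sh
# Added example (not from the bug report): derive candidate AppArmor rules
# for /etc/apparmor.d/local/usr.sbin.named from kernel audit lines.
# Assumptions: lines use the type=1400 format quoted in the thread, and
# x86_64-linux-gnu is the multiarch directory to rewrite as @{multiarch}.

# Constructed sample, modelled on the log lines in the report. The dhcpd
# line belongs to another profile and must not produce a rule.
SAMPLE_LOG='audit: type=1400 audit(1554134699.848:10): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=403 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1554135515.221:14): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
audit: type=1400 audit(1554135515.269:16): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
audit: type=1400 audit(1554135515.269:17): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldap.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
audit: type=1400 audit(1554135600.100:30): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/etc/dhcp/dhcpd.conf" pid=900 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# audit_to_rules PROFILE
# Reads audit lines on stdin and prints one AppArmor rule per distinct
# path, only for PROFILE and only where a denied mask is present (both
# enforce-mode DENIED and complain-mode ALLOWED lines carry one).
audit_to_rules() {
    profile="$1"
    grep -F "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    awk '
    {
        path = $1; mask = $2
        # a mapped library must also be readable: m alone is not enough
        if (mask == "m") mask = "rm"
        # generalise the Debian multiarch directory as the profile does
        sub("^/usr/lib/x86_64-linux-gnu/", "/{usr/,}lib/@{multiarch}/", path)
        # one glob per plugin directory instead of one rule per .so
        if (path ~ /\.so$/) sub("/[^/]*\\.so$", "/*.so", path)
        print path " " mask ","
    }' | LC_ALL=C sort -u
}

# Stand-alone run: print the rules derived from the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | audit_to_rules /usr/sbin/named
```

Review the output before appending it to the local override: complain mode logs every access the daemon makes, so anything beyond the plugin directories and the generated `named.conf` should be questioned rather than copied, and named never needs write access to its Samba-generated configuration. After editing the local file, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`, restart bind9 in enforce mode and confirm that `journalctl -k` shows no further `apparmor="DENIED"` lines for `/usr/sbin/named`.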
