Control: reopen -1

On 01.04.19 at 23:52, Steven Monai wrote:

Hi Steve,

> As of now, this bug still affects Buster.

Thanks for reporting. I don't have samba AD with bind9 running on Buster, so your feedback is appreciated.

> When the apparmor profile 'usr.sbin.named' is set to 'enforce' mode (which it is, by default), the 'bind9' service fails to start, and the log informs me of this:
>
> Apr 1 09:04:59 dc1 kernel: [ 21.422095] audit: type=1400 audit(1554134699.848:10): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=403 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=108 ouid=0

Have you configured /var/lib/samba/bind-dns/named.conf manually by any chance? On my stretch system this file is in /var/lib/samba/private, which is whitelisted in the apparmor policy based on the reports in this bug.

> When the 'usr.sbin.named' profile is set to 'complain' mode, the 'bind9' service is able to start successfully, and the log records the following lines:
>
> Apr 1 09:18:35 dc1 kernel: [ 836.519140] audit: type=1400 audit(1554135515.061:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=1123 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.681568] audit: type=1400 audit(1554135515.221:14): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.708281] audit: type=1400 audit(1554135515.249:15): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.726233] audit: type=1400 audit(1554135515.269:16): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.726597] audit: type=1400 audit(1554135515.269:17): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldap.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.728118] audit: type=1400 audit(1554135515.269:18): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldb.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.728753] audit: type=1400 audit(1554135515.269:19): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/mdb.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.729100] audit: type=1400 audit(1554135515.269:20): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_results.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.729404] audit: type=1400 audit(1554135515.269:21): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_searches.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
> Apr 1 09:18:35 dc1 kernel: [ 836.729696] audit: type=1400 audit(1554135515.269:22): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/rdn_name.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
>
> I am uncertain how best to update the 'usr.sbin.named' profile so that the bind9 service will start and function correctly while confined by apparmor. Please advise.

Try adding this into /etc/apparmor.d/local/usr.sbin.named

  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,

and reload apparmor. Does this help?

I need to read up on bind9+samba again to see what the default paths are.

Bernhard
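As an added example, not part of this bug report and not code from the Debian bind9 or samba packages, the following POSIX shell helper turns AppArmor audit records like the ones quoted above into candidate lines for /etc/apparmor.d/local/usr.sbin.named. It generalises the three rules suggested in the reply: the Debian multiarch triplet in /usr/lib/ is replaced by @{multiarch}, and a shared object that was mmap'd is collapsed to the whole directory with an "rm" mask, because a mapped library must also be readable. The function name audit_to_rules, the sample records (modelled on the quoted log) and the /usr/sbin/other-daemon profile used to show filtering are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: derive candidate AppArmor rules
# for the /usr/sbin/named profile from kernel audit records.  The output
# is meant to be reviewed, then appended to the local profile snippet.

# Constructed sample records in the shape of the quoted log: one DENIED
# from enforce mode, two ALLOWED from complain mode, and one record for an
# unrelated (made-up) profile that must be ignored.
SAMPLE_LOG='Apr  1 09:04:59 dc1 kernel: [   21.422095] audit: type=1400 audit(1554134699.848:10): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=403 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.681568] audit: type=1400 audit(1554135515.221:14): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:35 dc1 kernel: [  836.726233] audit: type=1400 audit(1554135515.269:16): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=1123 comm="isc-worker0000" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
Apr  1 09:18:36 dc1 kernel: [  836.900000] audit: type=1400 audit(1554135516.000:23): apparmor="ALLOWED" operation="open" profile="/usr/sbin/other-daemon" name="/etc/other-daemon.conf" pid=999 comm="other-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# audit_to_rules [profile]: read audit records on stdin and print one
# AppArmor file rule per line for the given profile (default
# /usr/sbin/named).  DENIED records come from enforce mode and ALLOWED
# records from complain mode; both describe an access the profile lacks.
audit_to_rules() {
    profile="${1:-/usr/sbin/named}"
    grep -F "profile=\"$profile\"" |
    grep -E 'apparmor="(DENIED|ALLOWED)"' |
    # keep only the path and the denied mask: "<path> <mask>"
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    # /usr/lib/<triplet>/ -> /{usr/,}lib/@{multiarch}/, as in the suggested rules
    sed -E 's#^/usr/lib/[A-Za-z0-9_]+-linux-gnu[a-z]*/#/{usr/,}lib/@{multiarch}/#' |
    # one mapped library -> all .so files in that directory
    sed -E 's#/[^/ ]+\.so ([a-z]+)$#/*.so \1#' |
    # a mapped library also has to be readable, so "m" on a .so becomes "rm"
    awk '{ mask = $2; if ($1 ~ /\.so$/ && mask == "m") mask = "rm"; print $1 " " mask "," }' |
    LC_ALL=C sort -u
}

# Stand-alone run: print the candidate rules for the sample records.
printf '%s\n' "$SAMPLE_LOG" | audit_to_rules /usr/sbin/named
```

In practice the input would be `journalctl -k` or /var/log/kern.log rather than the embedded sample, and aa-logprof from apparmor-utils does the same job interactively. Once the reviewed lines are in /etc/apparmor.d/local/usr.sbin.named, `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` reloads the profile so the service can be restarted in enforce mode.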