Steven Monai writes:
>My testing continues with the 'usr.sbin.named' profile in 'complain' mode. I 
>will continue to report back here with my findings.

Since my last report, my two test servers, still in "complain" mode, have not 
"complained" any further, so I'm fairly confident that the AppArmor profile 
'usr.sbin.named' in bind9 version 1:9.11.5.P4+dfsg-3 is sufficient for the 
Samba BIND9_DLZ use case, provided that the following two rules (mentioned 
previously) are added:

/var/lib/samba/bind-dns/dns/** rwk,
/var/tmp/krb5_* rwk,

I have just switched the 'usr.sbin.named' profile to "enforce" mode on my 
servers. I will report back with results in a few days.

-S.M.

