Resending with the appropriate To line:

I do unfortunately need libnss-winbind.

I should have mentioned that I previously attempted to add that pipe
to a local addition to the AppArmor protocol and it didn't help. Here
was my /etc/apparmor.d/local/usr.sbin.unbound:
    /run/samba/winbindd/pipe rw,

Here's the Complain audit log:
[118042.338643] audit: type=1400
audit(1755187980.146:820): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="unbound"
pid=927953 comm="apparmor_parser"
[118043.577014] audit: type=1400
audit(1755187981.384:821): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118043.577030] audit: type=1400
audit(1755187981.384:822): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118043.578034] audit: type=1400
audit(1755187981.385:823): apparmor="ALLOWED" operation="capable"
class="cap" profile="unbound" pid=927968 comm="unbound" capability=12
capname="net_admin"
[118043.578685] audit: type=1400
audit(1755187981.386:824): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118043.579738] audit: type=1400
audit(1755187981.387:825): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="dgram" protocol=0
requested="create" denied="create" addr=none
[118043.579762] audit: type=1400
audit(1755187981.387:826): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118043.579776] audit: type=1400
audit(1755187981.387:827): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118043.580050] audit: type=1400
audit(1755187981.387:828): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118043.717810] audit: type=1400
audit(1755187981.525:829): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=927968 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none

So the winbind pipe needs to be added to the profile but it's not the
underlying problem.

If I remove the local AppArmor modification and remove all references
to wins and winbind in /etc/nsswitch.conf, it still won't start:

Enforcing log:
[118339.058213] audit: type=1400 audit(1755188276.869:876):
apparmor="STATUS" operation="profile_replace" profile="unconfined"
name="unbound" pid=930594 comm="apparmor_parser"
[118340.386319] audit: type=1400 audit(1755188278.197:877):
apparmor="DENIED" operation="create" class="net" info="failed protocol
match" error=-13 profile="unbound" pid=929938 comm="unbound"
family="unix" sock_type="dgram" protocol=0
requested="create" denied="create" addr=none
[118340.435786] audit: type=1400
audit(1755188278.247:878): apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930699 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118340.435790] audit: type=1400
audit(1755188278.247:879): apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930699 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118340.436718] audit: type=1400
audit(1755188278.247:880): apparmor="DENIED" operation="capable"
class="cap" profile="unbound" pid=930699 comm="unbound" capability=12
capname="net_admin"
[118340.437370] audit: type=1400
audit(1755188278.248:881): apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930699 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118340.845239] audit: type=1400
audit(1755188278.656:882): apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930744 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118340.845243] audit: type=1400
audit(1755188278.656:883): apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930744 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118340.846177] audit: type=1400
audit(1755188278.657:884): apparmor="DENIED" operation="capable"
class="cap" profile="unbound" pid=930744 comm="unbound" capability=12
capname="net_admin"
[118340.846847] audit: type=1400
audit(1755188278.658:885): apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930744 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none

Complain log:
[118356.454014] audit: type=1400
audit(1755188294.264:898): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="unbound"
pid=931019 comm="apparmor_parser"
[118358.060412] audit: type=1400
audit(1755188295.870:899): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118358.060427] audit: type=1400
audit(1755188295.870:900): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118358.061367] audit: type=1400
audit(1755188295.871:901): apparmor="ALLOWED" operation="capable"
class="cap" profile="unbound" pid=931028 comm="unbound" capability=12
capname="net_admin"
[118358.062018] audit: type=1400
audit(1755188295.872:902): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118358.063060] audit: type=1400
audit(1755188295.873:903): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="dgram" protocol=0
requested="create" denied="create" addr=none
[118358.063084] audit: type=1400
audit(1755188295.873:904): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118358.063098] audit: type=1400
audit(1755188295.873:905): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118358.065697] audit: type=1400
audit(1755188295.876:906): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none
[118358.065703] audit: type=1400
audit(1755188295.876:907): apparmor="ALLOWED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=931028 comm="unbound" family="unix" sock_type="stream" protocol=0
requested="create" denied="create" addr=none

On Thu, Aug 14, 2025 at 5:53 PM Michael Tokarev <[email protected]> wrote:
>
> On 14.08.2025 18:47, Brian Turek wrote:
> > Here's the audit output:
>
> ...
> > [116331.915023] audit: type=1400 audit(1755186269.709:723):
> > apparmor="ALLOWED" operation="connect" class="file" profile="unbound"
> > name="/run/samba/winbindd/pipe" pid=913729 comm="unbound"
> > requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
>
> Now that's fun.
>
> I suppose you have libnss-winbind installed.
> Do you actually need it?
> Can you check if unbound will work without this
> module in /etc/nsswitch.conf?
>
> Thanks,
>
> /mjt
>
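
Added example, not part of the original message or of the unbound/AppArmor packaging: a small Python triage script that collapses AppArmor audit records like the ones in this thread into distinct (verdict, requested access, info) tuples, so the repeated lines reduce to the few accesses the profile does not cover. The function names are this example's own; the parser tolerates mail line wrapping and fields that have run together.

```python
import re
from collections import Counter
# Three records from the enforcing log in this thread; the line wrapping and
# run-together fields (as a mail client can produce) are kept deliberately.
SAMPLE = '''\
[118340.435786] audit: type=1400
audit(1755188278.247:878):apparmor="DENIED" operation="create"
class="net" info="failed protocol match" error=-13 profile="unbound"
pid=930699 comm="unbound"family="unix" sock_type="stream" protocol=0
requested="create"denied="create" addr=none
[118340.436718] audit: type=1400
audit(1755188278.247:880):apparmor="DENIED" operation="capable"
class="cap" profile="unbound"pid=930699 comm="unbound" capability=12
capname="net_admin"
[118340.386319] audit: type=1400 audit(1755188278.197:877):
apparmor="DENIED" operation="create" class="net" info="failed protocol
match" error=-13 profile="unbound" pid=929938 comm="unbound"
family="unix" sock_type="dgram" protocol=0
requested="create"denied="create" addr=none
'''

RECORD_START = re.compile(r'\[\s*\d+\.\d+\] audit:')   # dmesg timestamp prefix
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]+))')    # key="quoted" or key=bare

def parse_records(text):
    # Undo the wrapping first, then split on the timestamp that starts each record.
    flat = ' '.join(text.split())
    parsed = ({k: q or u for k, q, u in FIELD.findall(c)}
              for c in RECORD_START.split(flat)[1:])
    return [f for f in parsed if 'apparmor' in f]

def summarize(records, profile):
    # Count distinct accesses for one profile; STATUS records are skipped.
    counts = Counter()
    for r in records:
        if r.get('profile') != profile or r['apparmor'] not in ('DENIED', 'ALLOWED'):
            continue
        if r.get('class') == 'net':
            what = f"net {r.get('family')} {r.get('sock_type')} {r.get('requested')}"
        elif r.get('class') == 'cap':
            what = f"capability {r.get('capname')}"
        else:
            what = f"{r.get('class')} {r.get('operation')} {r.get('name')}"
        counts[(r['apparmor'], what, r.get('info', ''))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(parse_records(SAMPLE), 'unbound').items():
        print(n, *key)
```
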
