I had my head buried in the sand on this until this week when bullseye got 
released and my bind9 package I had pinned to "stable" upgraded and predictably 
broke again.

This time, I was able to review Marc's message from 20 February, which was 
quite interesting.

I also found two conflicting profiles ("/usr/sbin/named" and "named"), of which 
it appears that "named" is produced by /etc/apparmor.d/usr.sbin.named and 
"/usr/sbin/named" is coming from .... I have no idea where it is coming from. 
;-)

I found the following short-term workaround let me get it started:

# aa-remove-unknown -n
Warning: found usr.sbin.chronyd in /etc/apparmor.d/force-complain, forcing complain mode
Would remove 'docker-default'
Would remove '/usr/sbin/named'
# aa-remove-unknown
Warning: found usr.sbin.chronyd in /etc/apparmor.d/force-complain, forcing complain mode
Removing 'docker-default'
Removing '/usr/sbin/named'
# systemctl start bind9
# systemctl status -l bind9
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-08-19 20:03:31 EDT; 2s ago
       Docs: man:named(8)
   Main PID: 86681 (named)
      Tasks: 26 (limit: 38349)
     Memory: 158.9M
        CPU: 93ms
     CGroup: /system.slice/named.service
             └─86681 /usr/sbin/named -f -u bind

Aug 19 20:03:31 buzz named[86681]: /etc/bind/db.ldap:1: no TTL specified; using SOA MINTTL instead
Aug 19 20:03:31 buzz named[86681]: zone ldap.troy.cartasoft.com/IN: loaded serial 2021061500
Aug 19 20:03:31 buzz named[86681]: zone troy.cartasoft.com/IN: loaded serial 2021070200
Aug 19 20:03:31 buzz named[86681]: all zones loaded
Aug 19 20:03:31 buzz named[86681]: running
Aug 19 20:03:31 buzz named[86681]: zone 1.1.16.in-addr.arpa/IN: sending notifies (serial 2021070200)
Aug 19 20:03:31 buzz named[86681]: zone ldap.troy.cartasoft.com/IN: sending notifies (serial 2021061500)
Aug 19 20:03:31 buzz named[86681]: zone troy.cartasoft.com/IN: sending notifies (serial 2021070200)
Aug 19 20:03:31 buzz named[86681]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Aug 19 20:03:32 buzz named[86681]: resolver priming query complete
#

I don't have any clue whatsoever where the "extra" profile is coming from... 
But I presume at this point this is looking like an apparmor problem rather 
than a bind9 problem.

FYI,
-Scott
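
Added example, not part of the original message: a heuristic check for the situation described above, where a path-named profile and a bare-named profile for what is probably the same binary are both loaded. It assumes the kernel's loaded-profile list in "name (mode)" form, as exposed in /sys/kernel/security/apparmor/profiles; the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Heuristic: report pairs of loaded AppArmor profiles where one is named by
# an absolute path and another is named by that path's basename, e.g.
# "/usr/sbin/named" alongside "named". Matching on basename is an assumption
# of this example; it does not inspect the profiles' attachment rules.

# Constructed sample in the "name (mode)" format of the loaded-profile list.
sample_profiles() {
cat <<'EOF'
/usr/sbin/named (enforce)
named (enforce)
docker-default (enforce)
/usr/sbin/chronyd (complain)
/usr/bin/man (enforce)
/usr/bin/man//filter (enforce)
EOF
}

# Reads "name (mode)" lines on stdin.
# Prints one line per suspected pair: "<path-named profile> <bare-named profile>"
find_name_conflicts() {
    awk '
    {
        name = $0
        sub(/ \([^)]*\)$/, "", name)     # drop the trailing " (mode)"
        if (index(name, "//")) next      # skip child profiles (parent//child)
        if (substr(name, 1, 1) == "/") {
            n = split(name, parts, "/")
            by_base[parts[n]] = name     # basename -> path-style profile name
        } else {
            bare[name] = 1               # profile loaded under a bare name
        }
    }
    END {
        for (b in bare)
            if (b in by_base)
                print by_base[b], b
    }'
}

# Run against the constructed sample; on a live system (as root) use:
#   find_name_conflicts < /sys/kernel/security/apparmor/profiles
sample_profiles | find_name_conflicts
```

A reported pair is only a prompt to compare the loaded list against the files in /etc/apparmor.d, for instance with the `aa-remove-unknown -n` dry run shown in the message.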
