Public bug reported:

I am attempting to install Samba 4 using version 4.0.0~alpha18.dfsg1-4
of samba4 on Ubuntu 12.04 beta 2 for x86-64. Installing the samba4
package, or running /usr/share/samba/setup/provision at any other time,
does not configure DNS for samba4, but it does generate an example BIND
configuration file at /var/lib/samba/private/named.conf (by default).
The official Samba 4 HOWTO http://wiki.samba.org/index.php/Samba4/HOWTO
suggests activating this configuration by adding the line

include "/var/lib/samba/private/named.conf";

to /etc/bind/named.conf.local. (Actually it gives a different path, but
this seems to be the correct one for samba4 alpha18 on Ubuntu 12.04.)
However (as anticipated in the HOWTO) this causes Apparmor problems on
Ubuntu - bind will refuse to restart, and an apparmor refusal report for
/usr/sbin/named will show up in /var/log/syslog.

sudo aa-complain /usr/sbin/named

allowed bind to restart and run, leaving the following apparmor reports
to appear in my /var/log/syslog over the first few seconds after bind's
restart:

apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldap.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_results.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_searches.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/rdn_name.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/ldb/acl.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/ldb/aclread.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0

all appeared once, while these two messages

apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=IRISHTOWN,DC=LOCALONLY,DC=RVCOMERFORD,DC=IE.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0

appeared several times.

As a workaround, adding the following to /etc/apparmor.d/usr.sbin.named
(inside the /usr/sbin/named { ... } curly brackets, of course) seems to
work, allowing named to run while in Apparmor refusal mode:

  # samba4
  /var/lib/samba/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,

No doubt the proper Apparmor permissions change would be a lot narrower
than this. I'm also not certain if these changes are sufficient to allow
named to run without Apparmor problems once Windows clients start
causing dynamic DNS updates.

** Affects: samba4 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/975973

Title:
  bind9 config changes for samba4 cause apparmor profile conflicts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/975973/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
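The report points out that the proper profile change would be much narrower than the `**` workaround. As an added example (not from the report, nor from the samba4 or bind9 packages), the script below does in miniature what aa-logprof does: it parses complain-mode audit lines like those quoted above, unions the denied_mask letters per path for the /usr/sbin/named profile, and emits one exact-path rule per file. The sample log is constructed from the line shapes in the report, with one DENIED line added to show enforce-mode refusals are handled the same way.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the complain-mode audit lines quoted in
# the report (one event per line); the DENIED line is added for illustration.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=IRISHTOWN,DC=LOCALONLY,DC=RVCOMERFORD,DC=IE.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
"""

# key="value" pairs only; the unquoted numeric fields (pid, fsuid, ...) are not needed
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
MASK_ORDER = "rwalkmix"   # permission letters in the order AppArmor rules usually list them
SAFE_PATH_RE = re.compile(r'^[A-Za-z0-9_./-]+$')

def collect_masks(log_text, profile="/usr/sbin/named"):
    """Union the denied_mask letters per path for one profile (ALLOWED and DENIED alike)."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("profile") != profile or "name" not in fields:
            continue
        masks[fields["name"]].update(fields.get("denied_mask", ""))
    return masks

def quote_path(path):
    """Quote anything outside a conservative safe set: a bare comma would end the
    rule, and spaces or glob characters carry meaning in profile syntax."""
    return path if SAFE_PATH_RE.match(path) else f'"{path}"'

def to_rules(masks):
    """One exact-path rule per file, sorted so the output diffs cleanly against the profile."""
    rules = []
    for path in sorted(masks):
        perms = "".join(c for c in MASK_ORDER if c in masks[path])
        rules.append(f"{quote_path(path)} {perms},")
    return rules

if __name__ == "__main__":
    for rule in to_rules(collect_masks(SAMPLE_LOG)):
        print("  " + rule)
```

The per-domain ldb file names under sam.ldb.d/ vary with the domain DN, so the exact-path rule for that file is a starting point for a deliberately chosen glob rather than something to paste as-is.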