Your message dated Tue, 02 Apr 2019 20:44:51 +0000
with message-id <[email protected]>
and subject line Bug#920530: fixed in bind9 1:9.11.5.P4+dfsg-2
has caused the Debian Bug report #920530,
regarding apparmor: Apparmour breaks bind/named DLZ with samba
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
920530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920530
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apparmor
Version: 2.11.0-3+deb9u2
Severity: normal
Dear Maintainer,
A piece of replacement kit went in requiring a newer kernel from backports,
which brought in AppArmor as a recommend. However in its currently shipping
form this broke the bind DLZ that's used with samba (to host DNS for active
directory). For those unfamiliar, DLZ = Dynamically Loadable Zone and the way it
works is samba populates a zone file which bind is then pointed at to load.
Once this was spotted we didn't have a great deal of time to fix it and I
eventually just placed AppArmor in complain mode for named to bypass the issue:

    aa-complain /usr/sbin/named

I did try modifying some of the config in order to get bind/samba to work, but
it was my first time trying to futz AppArmor and I ultimately didn't get it
working. I've since discovered samba have official info on AppArmor here
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration -
following on from that and what I've seen in kern.log I believe the Debian
configuration in /etc/apparmor.d/usr.sbin.named should contain something like:

    /usr/lib/x86_64-linux-gnu/samba/** rm,
    /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
    /var/lib/samba/private/dns.keytab r,
    /var/lib/samba/private/named.conf r,
    /var/lib/samba/private/dns/** rwk,
    /etc/smb.conf r,

...but obviously I'd like someone who knows what they're doing to have a look
first as it's possible those permissions are too loose (like I say, I'm still
a-learnin'). If and when I get an opportunity to test this I'll report back as
to whether it works.
-- System Information:
Debian Release: 9.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.61
ii init-system-helpers 1.48
ii libapparmor-perl 2.11.0-3+deb9u2
ii libc6 2.24-11+deb9u3
ii lsb-base 9.20161125
ii python3 3.5.3-1
apparmor recommends no packages.
Versions of packages apparmor suggests:
pn apparmor-profiles <none>
pn apparmor-profiles-extra <none>
ii apparmor-utils 2.11.0-3+deb9u2
-- debconf information:
apparmor/homedirs:
--- End Message ---
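
An added example, not part of the bug report or of the Debian bind9 package: a small checker that reads AppArmor audit lines for the /usr/sbin/named profile from kern.log and reports which accesses the rules proposed in the report would still not cover. The log lines are constructed samples, the glob matching is a simplified model of AppArmor's ('**' crosses '/', '*' does not), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rules exactly as proposed in the bug report (AppArmor path glob, permissions).
PROPOSED_RULES = [
    ("/usr/lib/x86_64-linux-gnu/samba/**", "rm"),
    ("/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/**", "rm"),
    ("/var/lib/samba/private/dns.keytab", "r"),
    ("/var/lib/samba/private/named.conf", "r"),
    ("/var/lib/samba/private/dns/**", "rwk"),
    ("/etc/smb.conf", "r"),
]

# Constructed kern.log lines in the kernel's AppArmor audit format (not from the report).
HEAD = "kernel: audit: type=1400 audit(1548496801.100:21): "
SAMPLE_LOG = "\n".join(HEAD + rest for rest in [
    'apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" denied_mask="r"',
    'apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" denied_mask="m"',
    'apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" denied_mask="k"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/samba/smb.conf" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" denied_mask="r"',
])

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' matches across '/', '*' stays within one path component."""
    parts = re.split(r"(\*\*|\*)", glob)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(body + r"\Z")

def denied_by_path(log_text, profile="/usr/sbin/named", statuses=("DENIED", "ALLOWED")):
    """Collect denied permission letters per path; complain mode logs them as ALLOWED."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("apparmor") in statuses and f.get("profile") == profile and "name" in f:
            denied[f["name"]].update(f.get("denied_mask", ""))
    return denied

def uncovered(denied, rules):
    """Return {path: permission letters} that no matching rule grants."""
    compiled = [(glob_to_regex(g), set(p)) for g, p in rules]
    gaps = {}
    for path, mask in denied.items():
        granted = set().union(*(p for rx, p in compiled if rx.match(path)))
        if mask - granted:
            gaps[path] = "".join(sorted(mask - granted))
    return gaps

if __name__ == "__main__":
    print(uncovered(denied_by_path(SAMPLE_LOG), PROPOSED_RULES))
```

An empty result means every logged access is matched by some rule; it does not show that the rules are as narrow as they could be.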
--- Begin Message ---
Source: bind9
Source-Version: 1:9.11.5.P4+dfsg-2
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Apr 2019 21:12:50 +0200
Source: bind9
Architecture: source
Version: 1:9.11.5.P4+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 905177 920530 923984
Changes:
 bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium
 .
   [ Ondřej Surý ]
   * Update d/gbp.conf for Debian Buster
 .
   [ Bernhard Schmidt ]
   * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
     expiring and deleting old DNSSEC keys when being run for the first
     time (Closes: #923984)
   * Update AppArmor policy for Samba AD DLZ
     - Add changed default location for named.conf
     - Allow read/mmap on some Samba libraries
     Thanks to Steven Monai (Closes: #920530)
 .
   [ Andreas Beckmann ]
   * bind9.preinst: cope with ancient conffile named.conf.options
     (Closes: #905177)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---