Hi,

> >      /usr/lib/x86_64-linux-gnu/samba/** rm,
> >      /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
> >      /var/lib/samba/private/dns.keytab r,
> >      /var/lib/samba/private/named.conf r,
> >      /var/lib/samba/private/dns/** rwk,
> >      /etc/smb.conf r,
> 
> > ...but obviously I'd like someone who knows what they're doing to have a
> > look first as it's possible those permissions are too loose (like I say, I'm
> > still a-learnin'). If and when I get an opportunity to test this I'll report
> > back as to whether it works.
> 
> I'm not familiar with the BIND/Samba integration and I've never
> touched the usr.sbin.named profile myself, and I'm not sure who's
> upstream for it (surely the maintainers of BIND will know), so just my
> 2 cts:
> 
>  - Regarding the 2 lines about /usr/lib/..., they are probably already
>    covered by these lines from /etc/apparmor.d/abstractions/base,
>    which usr.sbin.named includes:
> 
>     /{usr/,}lib/@{multiarch}/**            r,
>     /{usr/,}lib/@{multiarch}/lib*.so*      mr,
>     /{usr/,}lib/@{multiarch}/**/lib*.so*   mr,
> 
>    It would be nice to actually test whether they're needed.
>    The above sample rules don't feel crazy so I say go ahead,
>    experiment with them and find out which ones are needed
>    and if they're enough :)

They are indeed covered by the includes.

> Thanks for the clarification. In my /etc/apparmor.d/usr.sbin.named however
> the includes for abstractions/base and abstractions/nameservice are hashed
> out - I certainly didn't comment these out myself. As the top of the file
> currently reads:

Ever seen a C program ;)?

>  - Regarding the 3 paths under /var/lib/samba/private: are they common
>    practice, well documented, or something you happened to come up
>    with locally?

It's default in Debian.

>    If the former, and assuming they don't break a security boundary
>    that could be expected by users of BIND and Samba that do *not*
>    wish to integrate them with each other, then it would probably make
>    sense to add them to the profile.

> As you say, for those not using bind with samba integration I'm not sure how
> the config should be handled but I *think* the parts of
> /var/lib/samba/private involved are all named-specific so having them
> enabled on a permanent basis shouldn't represent a security risk (but again
> I'm not an expert).

I tend to confirm this view.

-nik
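The suggestion above to test which rules are actually needed can be checked offline against the quoted abstractions/base globs. This is an added example, not code from the thread or from the AppArmor project; it assumes `@{multiarch}` expands to `*-linux-gnu*` (as in tunables/multiarch) and uses constructed file paths.

```python
import re
# Added example, not code from the thread: a minimal AppArmor path-glob matcher
# to check which quoted abstractions/base rules cover a given path. Assumes
# @{multiarch} expands to "*-linux-gnu*" (as in tunables/multiarch).
VARIABLES = {"@{multiarch}": "*-linux-gnu*"}

# The three base rules quoted in the thread: (glob, permission letters).
BASE_RULES = [
    ("/{usr/,}lib/@{multiarch}/**", "r"),
    ("/{usr/,}lib/@{multiarch}/lib*.so*", "mr"),
    ("/{usr/,}lib/@{multiarch}/**/lib*.so*", "mr"),
]

def expand_braces(pattern):
    """Expand {a,b,...} alternations (recursively) into plain patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out += expand_braces(pattern[:m.start()] + alt + pattern[m.end():])
    return out

def glob_to_regexes(pattern):
    """Translate an AppArmor glob (only *, **, {a,b}, @{var}) into anchored regexes."""
    for name, value in VARIABLES.items():
        pattern = pattern.replace(name, value)
    regexes = []
    for p in expand_braces(pattern):
        rx, i = "", 0
        while i < len(p):
            if p.startswith("**", i):
                rx, i = rx + ".*", i + 2       # ** may cross '/'
            elif p[i] == "*":
                rx, i = rx + "[^/]*", i + 1    # * stays within one component
            else:
                rx, i = rx + re.escape(p[i]), i + 1
        regexes.append(re.compile("^" + rx + "$"))
    return regexes

def permissions_for(rules, path):
    """Union of permission letters from every rule whose glob matches path."""
    perms = set()
    for glob, mode in rules:
        if any(r.match(path) for r in glob_to_regexes(glob)):
            perms.update(mode)
    return perms
def is_include_directive(line):
    """'#include <...>' is a directive, not a comment (just like in C)."""
    return line.lstrip().startswith("#include")
```

A constructed module path such as `.../ldb/modules/ldb/samba.so` only collects `r` from these three rules, while `.../samba/libsmbconf.so.0` collects `mr`; that is the difference the experiment in the thread would surface.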
