Steven Monai writes:

>Okay. I have installed the latest bind9 from unstable (1:9.11.5.P4+dfsg-3),
>and have purged my local changes to the 'local/usr.sbin.named' apparmor file.

I neglected to mention that I made the same changes to both of my test domain controllers, which are named "dc1" and "dc2".

>
>For now, I have also put the 'usr.sbin.named' profile in complain mode,
>because I want to minimize the breakage my testing users experience. I will
>watch for new apparmor="ALLOWED" logs in my system logs over the next several
>days, and will report back with my findings. (If the logs remain quiet for a
>few days, I will try 'enforce' mode.)

Here are the relevant "complain" logs from yesterday. First, two log lines from dc1:

Apr 23 09:45:07 dc1 kernel: [ 9.051546] audit: type=1400 audit(1556037907.520:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb" pid=419 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:45:07 dc1 kernel: [ 9.051717] audit: type=1400 audit(1556037907.520:11): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb" pid=419 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0

Second, ten log lines from dc2:

Apr 23 09:50:46 dc2 kernel: [ 7.380094] audit: type=1400 audit(1556038246.972:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb" pid=399 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:50:46 dc2 kernel: [ 7.380275] audit: type=1400 audit(1556038246.972:11): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb" pid=399 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.405179] audit: type=1400 audit(1556038247.000:12): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.405183] audit: type=1400 audit(1556038247.000:13): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.502001] audit: type=1400 audit(1556038247.096:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/CN=CONFIGURATION,DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.502272] audit: type=1400 audit(1556038247.096:15): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/CN=CONFIGURATION,DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.560520] audit: type=1400 audit(1556038247.152:16): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.561039] audit: type=1400 audit(1556038247.156:17): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.571584] audit: type=1400 audit(1556038247.164:18): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.571822] audit: type=1400 audit(1556038247.164:19): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0

>From the above logs, it appears to me that the 'usr.sbin.named' apparmor
>profile in bind9 version 1:9.11.5.P4+dfsg-3 is still missing some rule(s) to
>cover the use-case of Samba BIND9_DLZ for buster. Perhaps a rule like this
>would suffice to silence the logs I showed above:

/var/lib/samba/bind-dns/dns/** rwk,

Finally, I don't see anything in the apparmor profile to deal with the following three logs, which I reported previously:

Apr 23 00:49:42 dc1 kernel: [1525968.058180] audit: type=1400 audit(1556005782.883:36): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/krb5_RCD4Hak1" pid=426 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
Apr 23 00:49:42 dc1 kernel: [1525968.058465] audit: type=1400 audit(1556005782.883:37): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/tmp/krb5_RCD4Hak1" pid=426 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=108
Apr 23 00:49:43 dc1 kernel: [1525968.189027] audit: type=1400 audit(1556005783.019:38): apparmor="ALLOWED" operation="rename_src" profile="/usr/sbin/named" name="/var/tmp/krb5_RCD4Hak1" pid=426 comm="isc-worker0000" requested_mask="wrd" denied_mask="wrd" fsuid=108 ouid=108

Perhaps a rule like this would suffice to cover these logs:

/var/tmp/krb5_* rwk,

I have added the two rules I suggested to '/etc/apparmor.d/local/usr.sbin.named' on both of my test servers. My testing continues with the 'usr.sbin.named' profile in 'complain' mode. I will continue to report back here with my findings.

-S.M.
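As an added example (not part of Steven's message, nor code from the bind9 or Samba packages), the script below parses AppArmor audit lines of the kind shown above and checks which of the logged events a candidate profile rule would actually cover. This is the check one would want before leaving complain mode: it shows, for instance, why `/var/lib/samba/bind-dns/dns/** rwk,` is needed rather than a single-`*` rule (the sam.ldb.d/ files sit one directory deeper, and `*` never matches a slash) and why `rw` without `k` would still leave the file_lock events uncovered. The log excerpt is copied from the lines above; the glob handling covers only `*`, `**` and `?` (brace alternation and character classes are not implemented), and the mapping of denied_mask letters to rule permissions follows AppArmor's file rules, where create (`c`) and delete/rename (`d`) requests are satisfied by `w`.

```python
import re

# Audit lines copied from the report above (dc1 and dc2, profile in complain mode).
SAMPLE_LOG = """\
Apr 23 09:45:07 dc1 kernel: [ 9.051546] audit: type=1400 audit(1556037907.520:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb" pid=419 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 09:45:07 dc1 kernel: [ 9.051717] audit: type=1400 audit(1556037907.520:11): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb" pid=419 comm="isc-worker0000" requested_mask="wk" denied_mask="wk" fsuid=108 ouid=0
Apr 23 09:50:47 dc2 kernel: [ 7.560520] audit: type=1400 audit(1556038247.152:16): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns/sam.ldb.d/DC=TEST,DC=AD,DC=SD57,DC=BC,DC=CA.ldb" pid=399 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=0
Apr 23 00:49:42 dc1 kernel: [1525968.058180] audit: type=1400 audit(1556005782.883:36): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/krb5_RCD4Hak1" pid=426 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
Apr 23 00:49:43 dc1 kernel: [1525968.189027] audit: type=1400 audit(1556005783.019:38): apparmor="ALLOWED" operation="rename_src" profile="/usr/sbin/named" name="/var/tmp/krb5_RCD4Hak1" pid=426 comm="isc-worker0000" requested_mask="wrd" denied_mask="wrd" fsuid=108 ouid=108
"""

# The two rules proposed in the report, as they would appear in
# /etc/apparmor.d/local/usr.sbin.named.
PROPOSED_RULES = [
    "/var/lib/samba/bind-dns/dns/** rwk,",
    "/var/tmp/krb5_* rwk,",
]

# denied_mask letter -> permission letter a file rule must grant.
# Create (c) and delete/rename (d) are covered by 'w'; exec (x) is left out
# because it needs an exec mode (ix/px/...) rather than a plain letter.
MASK_TO_RULE_PERM = {"r": "r", "w": "w", "c": "w", "d": "w",
                     "k": "k", "a": "a", "l": "l", "m": "m"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the quoted key="value" fields of one AppArmor audit line, or None."""
    fields = dict(KV_RE.findall(line))
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None  # not an AppArmor event (or not a file event we care about)
    return fields


def collect_events(log_text):
    """Extract (name, operation, denied_mask) for every AppArmor file event."""
    events = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f and "name" in f and "denied_mask" in f:
            events.append((f["name"], f["operation"], f["denied_mask"]))
    return events


def needed_perms(mask):
    """Translate a denied_mask such as 'wrc' into the rule letters it requires."""
    return {MASK_TO_RULE_PERM[c] for c in mask if c in MASK_TO_RULE_PERM}


def apparmor_glob_to_regex(pattern):
    """'**' matches across '/', '*' and '?' stop at '/'; braces/classes unsupported."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(rule):
    """Split '/path/glob perms,' into (glob, set_of_perm_letters)."""
    path, perms = rule.strip().rstrip(",").split()
    return path, set(perms)


def rule_covers(rule, name, mask):
    """True if the rule's glob matches `name` and its permissions satisfy `mask`."""
    path, granted = parse_rule(rule)
    if not apparmor_glob_to_regex(path).match(name):
        return False
    if "w" in granted:
        granted.add("a")  # write implies append
    return needed_perms(mask) <= granted


def uncovered(events, rules):
    """Events that none of the candidate rules would allow in enforce mode."""
    return [ev for ev in events
            if not any(rule_covers(r, ev[0], ev[2]) for r in rules)]


if __name__ == "__main__":
    events = collect_events(SAMPLE_LOG)
    for rules in (["/var/lib/samba/bind-dns/dns/* rwk,"],
                  ["/var/lib/samba/bind-dns/dns/** rw,"],
                  PROPOSED_RULES):
        left = uncovered(events, rules)
        print(f"{rules}: {len(left)} event(s) still uncovered")
        for name, op, mask in left:
            print(f"  {op:<12} {mask:<4} {name}")
```

Run against a real journal, the same functions work on the output of `journalctl -k` or `/var/log/kern.log`; the interesting output is the list printed for each candidate rule set, which should be empty before the profile is switched back to enforce mode.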