
[Samba] Debian Buster, bind_dlz, and apparmor




Last week, Debian testing (Buster) added apparmor to the list of dependencies for its latest kernel release, apparently because systemd needs it.  Recently, I noticed my first casualty - bind9 - due to apparmor failures with bind_dlz.

Here are the initial journalctl results:

Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian <id:9d1ea0b> -f -u bind
Nov 23 10:12:12 debpdc named[16080]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Nov 23 10:12:12 debpdc named[16080]: loading configuration from '/etc/bind/named.conf'
Nov 23 10:12:12 debpdc named[16080]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc named[16080]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map segment from shared object
Nov 23 10:12:12 debpdc kernel: audit: type=1400 audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Failed with result 'exit-code'.


After reading the Samba Wiki and adding the entries to apparmor's bind file (converting to Debian's paths), the errors have changed to:

Nov 23 11:40:36 debpdc named[20235]: starting BIND 9.10.6-Debian <id:9d1ea0b> -f -u bind
Nov 23 11:40:36 debpdc named[20235]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Nov 23 11:40:36 debpdc named[20235]: loading configuration from '/etc/bind/named.conf'
Nov 23 11:40:36 debpdc named[20235]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 23 11:40:36 debpdc audit[20235]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc named[20235]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map segment from shared object
Nov 23 11:40:36 debpdc kernel: audit: type=1400 audit(1511458836.920:67): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Failed with result 'exit-code'.

The one entry whose path I wasn't totally sure I converted correctly is this one:

/usr/local/samba/lib/** rm,

I used /var/lib/samba/** as the path.

Knowing next to nothing about apparmor, what is needed to fix this, and what further info do you need from me?

Thanks,
Dale
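As an added example (not from this message or from the Samba or Debian projects), here is a small Python script that parses the AVC "DENIED" lines from the journal output above, checks the denied path against the file globs already in the named profile using AppArmor's globbing rules ("**" crosses "/", "*" does not), and prints the rule that is still missing. The function names and the glob-to-regex helper are my own; the sample log is copied from the journal lines above, and the /var/lib/samba/** rule is the converted entry from the message.

```python
import re

# Constructed sample: the two DENIED lines from the journal output above, with
# one non-AVC line in between so the parser has to skip it.
SAMPLE_LOG = """\
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc named[16080]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so'
Nov 23 10:12:12 debpdc kernel: audit: type=1400 audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
"""

# AppArmor audit records are key="value" pairs; unquoted ones (pid=, fsuid=) are not needed here.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(log_text):
    """Return one dict of the quoted fields for every line with apparmor="DENIED"."""
    denials = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def glob_matches(rule_path, path):
    """AppArmor file-rule globbing: '**' matches across '/', a single '*' does not."""
    pattern = re.escape(rule_path).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(pattern, path) is not None


def suggest_rules(denials, existing_rules):
    """existing_rules: list of (glob, perms) already in the profile.

    A denial is covered when some glob matches the denied path and that rule's
    permission letters include every letter of denied_mask (here 'm' for mmap).
    Returns the profile lines that are still missing, deduplicated in order.
    """
    suggestions = []
    for d in denials:
        if "name" not in d or "denied_mask" not in d:
            continue  # not a file-access denial
        covered = any(glob_matches(g, d["name"]) and set(d["denied_mask"]) <= set(p)
                      for g, p in existing_rules)
        rule = f'{d["name"]} {d["denied_mask"]},'
        if not covered and rule not in suggestions:
            suggestions.append(rule)
    return suggestions


if __name__ == "__main__":
    for rule in suggest_rules(parse_denials(SAMPLE_LOG), [("/var/lib/samba/**", "rm")]):
        print(rule)
```

Run against the message's converted rule it reports the dlz_bind9_10.so path with "m," because that file sits under /usr/lib/x86_64-linux-gnu/samba/, which /var/lib/samba/** does not match; a glob covering that directory makes the suggestion list empty.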



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba