Re: [Samba] Debian Buster, bind_dlz, and apparmor






On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> On Mon, 27 Nov 2017 14:53:32 -0600
> Dale Schroeder via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Last week, Debian testing (Buster) added apparmor to the list of
>> dependencies for its latest kernel release, apparently because
>> systemd needs it.  Recently, I noticed my first casualty - bind9 -
>> due to apparmor failures with bind_dlz.
>>
>> Knowing next to nothing about apparmor, what is needed to fix this,
>> and what further info do you need from me?
>>
>> Thanks,
>> Dale
>
> I cannot seem to find a debian kernel that has a dependency on
> apparmor, can you provide a link?
>
> Even if debian is making the kernel depend on apparmor (by the way,
> does Linus know about this?), this isn't a Samba problem, it is an
> apparmor one.
>
> Rowland

Rowland,

Thanks for responding.

From
http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog

[ Ben Hutchings ]
  * linux-image: Recommend apparmor, as systemd units with an AppArmor
    profile will fail without it (Closes: #880441)

So, although the word "recommend" implies that one has a choice, in reality, the kernel upgrade would not proceed without installing apparmor.

I suppose it would be possible to disable, but assuming the systemd warning is a harbinger of things to come, it seemed best to me to figure it out now.  I know systemd is not your thing, and I am inclined to agree; however, Debian sees it otherwise, leaving me to deal with it.

I asked here because there is a wiki section devoted to the topic - https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

Thus far, SELinux has not been forced by Debian.  Regardless, since the apparmor install, I have not been able to get Bind9 to start if bind_dlz is enabled.

Thanks again,
Dale

