[Samba] apparmor profile for samba4+bind9.9: writes to /var/tmp?

Brian Candler b.candler at pobox.com
Tue Jun 17 08:16:38 MDT 2014


From Ubuntu 14.04, I have installed Samba 4.1.6 and bind 9.9.5 and have 
them working together as per
https://wiki.samba.org/index.php/DNS_Backend_BIND

To make it work I had to add the following overrides to 
/etc/apparmor.d/local/usr.sbin.named:

# Samba4 DLZ and Active Directory Zones
/usr/lib/x86_64-linux-gnu/samba/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,

However, dynamic DNS updates from samba_dnsupdate are still causing 
apparmor to trip up because bind is trying to create a file in /var/tmp:

Jun 17 14:59:06 trusty kernel: [ 9163.550869] type=1400 
audit(1403013546.668:222): apparmor="DENIED" operation="mknod" 
profile="/usr/sbin/named" name="/var/tmp/DNS_107" pid=9281 comm="named" 
requested_mask="c" denied_mask="c" fsuid=107 ouid=107

I can fix this with:

/var/tmp/DNS_* rw,

but this just seems wrong to me; it would be better to tell bind to use 
a proper directory like /var/cache/bind.

Anyone have any idea why bind is writing to /var/tmp? I can see nothing 
in my configuration which points to this directory. Could it be the 
dlz_bind9_9.so module which is doing this, or something else?

The file /var/tmp/DNS_107 is left around afterwards, and appears to have 
the contents of the DNS update in it.

# hexdump -C /var/tmp/DNS_107
00000000  05 01 2c 01 00 00 01 00  00 00 00 78 00 00 00 48  |..,........x...H|
00000010  41 53 48 3a 43 34 45 34  44 46 33 34 45 30 31 35  |ASH:C4E4DF34E015|
00000020  33 33 33 45 35 39 32 31  45 38 42 44 44 31 37 45  |333E5921E8BDD17E|
00000030  41 43 35 37 20 32 36 3a  54 52 55 53 54 59 24 40  |AC57 26:TRUSTY$@|
00000040  52 45 41 4c 4d 58 2e 57  53 2e 4e 53 52 43 2e 4f  |REALMX.WS.NSRC.O|
00000050  52 47 20 34 38 3a 44 4e  53 2f 74 72 75 73 74 79  |RG 48:DNS/trusty|
00000060  2e 72 65 61 6c 6d 78 2e  77 73 2e 6e 73 72 63 2e  |.realmx.ws.nsrc.|
00000070  6f 72 67 40 52 45 41 4c  4d 58 2e 57 53 2e 4e 53  |org@REALMX.WS.NS|
00000080  52 43 2e 4f 52 47 00 ed  74 0e 00 e4 4b a0 53 1b  |RC.ORG..t...K.S.|
... etc

Thanks,

Brian.
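The question above comes down to reading an AppArmor DENIED line and deciding whether the obvious allow rule is the right fix. The following script is an added example, not part of the original post and not Samba or BIND code. It parses the key=value fields of the kernel audit line quoted above, derives the smallest file rule that would satisfy the denial (a create denial needs only "w", not "rw"), and flags any path under a shared temporary directory such as /var/tmp so the reviewer looks at why the daemon writes there before adding a rule. The second log line and the "eth0" line in the sample are constructed for the example; the profile name /usr/sbin/named and the first denial line are taken from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the denial from the post, a second (made-up) denial
# for the keytab so the filter has something to compare against, and an
# unrelated kernel line that the parser must ignore.
SAMPLE_LOG = [
    'Jun 17 14:59:06 trusty kernel: [ 9163.550869] type=1400 '
    'audit(1403013546.668:222): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/named" name="/var/tmp/DNS_107" pid=9281 comm="named" '
    'requested_mask="c" denied_mask="c" fsuid=107 ouid=107',
    'Jun 17 14:59:07 trusty kernel: [ 9163.551000] type=1400 '
    'audit(1403013547.100:223): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" '
    'pid=9281 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0',
    'Jun 17 14:59:08 trusty kernel: [ 9163.600000] eth0: link up',
]

# key=value pairs as written by the AppArmor audit code: values are either
# double-quoted strings or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Letters in denied_mask map onto the permission letters used in profile rules.
# Create ('c') and delete ('d') are granted by 'w' in a file rule; there is no
# separate 'c' or 'd' rule permission.
_MASK_TO_RULE = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                 'm': 'm', 'k': 'k', 'l': 'l'}
_ORDER = 'rwamkl'

# Directories shared by every user on the box; a confined daemon writing here is
# worth a second look rather than a blanket allow rule.
SHARED_TMP_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def rule_perms(denied_mask: str) -> str:
    """Translate a denied_mask into the minimal rule permission string."""
    perms = set()
    for ch in denied_mask:
        if ch not in _MASK_TO_RULE:
            raise ValueError(f"mask letter {ch!r} needs a hand-written rule")
        perms.add(_MASK_TO_RULE[ch])
    return ''.join(p for p in _ORDER if p in perms)


def propose_rule(fields: Dict[str, str], path_glob: Optional[str] = None) -> str:
    """Build the file rule that would satisfy this denial: the literal path
    unless the reviewer supplies a glob such as /var/tmp/DNS_*."""
    path = path_glob or fields['name']
    return f"{path} {rule_perms(fields['denied_mask'])},"


def in_shared_tmp(path: str) -> bool:
    """True when the denied path lives in a world-shared temporary directory."""
    return any(path.startswith(d) for d in SHARED_TMP_DIRS)


def triage(lines: List[str], profile: str) -> List[Dict[str, object]]:
    """Collect denials for one profile, each with a proposed rule and a flag
    for paths under a shared temporary directory."""
    findings = []
    for line in lines:
        f = parse_denial(line)
        if f is None or f.get('profile') != profile or 'name' not in f:
            continue
        findings.append({
            'operation': f['operation'],
            'path': f['name'],
            'fsuid': f.get('fsuid'),
            'rule': propose_rule(f),
            'shared_tmp': in_shared_tmp(f['name']),
        })
    return findings


if __name__ == '__main__':
    for item in triage(SAMPLE_LOG, '/usr/sbin/named'):
        flag = '  <- shared temp dir, check why before allowing' if item['shared_tmp'] else ''
        print(f"{item['operation']:6} {item['rule']}{flag}")
```

For the denial in the post the script proposes "/var/tmp/DNS_107 w," and flags it, which matches the author's instinct: the permission needed is narrower than "rw", and a confined daemon creating files in /var/tmp is something to explain (or redirect to a directory the profile already owns) rather than simply permit.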
