[Samba] split horizon and authoritative answers..?
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 30 10:10:24 UTC 2019
Hai,
Hm, well, I can't add that to my packages because we need to report it as a bug for bind9.
Since these settings are done in usr.sbin.named.
But I can tell you, I have this for it (a bit modified from what you showed below).
Add this part in: local/usr.sbin.named
# Samba DLZ
# the DLZ module and the Samba libraries it loads (mapped executable, hence "m")
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
# before Samba 4.9
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/dlz_bind9_*.so rm,
# as of Samba 4.9+
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/dlz_bind9_*.so rm,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
# Kerberos credential cache named creates for signed dynamic updates
owner /var/tmp/krb5_* rwk,
I just must say, I'm (still) not into AppArmor, as in,...
the above works for me: try it, test it, improve it, report it. ;-)
But the above should/could be improved with better settings.
Also, looking at: > [1 - #include <abstractions/lxc/container-base>]
You're using LXC containers, so you might need a few other settings as well, but that I really can't tell.
I don't use containers here, but I know other list members do,
so maybe if we are lucky one replies and gives the rest of the info we need. ;-)
So far,
Greetz,
Louis
> -----Original message-----
> From: Joachim Lindenberg [mailto:samba at lindenberg.one]
> Sent: Tuesday, 30 July 2019 11:31
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] split horizon and authoritative answers..?
>
> >> What I am struggling with though is inappropriate
> >> out-of-the-box apparmor configuration. I resorted to
> >> aa-complain /usr/sbin/named...
>
> >Samba version?
> root at boa:/etc/apparmor.d# samba -V
> Version 4.10.6-Ubuntu
> root at boa:/etc/apparmor.d# named -V
> BIND 9.11.3-1ubuntu1.8-Ubuntu (Extended Support Version) <id:a375815>
>
> >And what did you change exactly.
> Obviously some configuration in /etc/bind.
>
> I added an apparmor configuration I found somewhere:
> root at boa:/etc/apparmor.d# cat local/usr.sbin.named
> # /var/lib/samba/private/named.conf
> # Samba4 DLZ and Active Directory Zones (default source installation)
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/bind-dns/named.conf r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
>
> (I added the bind-dns line).
> But that is obviously incomplete.
>
> root at boa:/etc/apparmor.d# aa-logprof
> Reading log entries from /var/log/syslog.
> Updating AppArmor profiles in /etc/apparmor.d.
> Complain-mode changes:
>
> Profile: /usr/sbin/named
> Path: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so
> Old Mode: r
> New Mode: mr
> Severity: unknown
>
> [1 - #include <abstractions/lxc/container-base>]
> 2 - #include <abstractions/lxc/start-container>
> 3 - #include <abstractions/ubuntu-browsers.d/plugins-common>
> 4 - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_*.so mr,
> 5 - /{usr/,}lib{,32,64}/** mr,
> 6 - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so mr,
>
>
> >> any chance that this is going to be improved?
> >If i know what,i then i can tell.
> I like your attitude!
>
> Thanks, Joachim
>
>
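The thread uses aa-logprof interactively to turn the complain-mode denials into rules. The following is an added example, not code from this thread, from Samba or from BIND: a small POSIX shell helper that does the same thing non-interactively, reading AppArmor "DENIED" audit lines for one profile (e.g. /usr/sbin/named) and printing candidate rules for local/usr.sbin.named, merging the masks of several denials on the same path. The log lines in SAMPLE_LOG are constructed to look like the kernel audit lines Ubuntu writes to syslog; the paths are the ones discussed above, and the function name denials_to_rules is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or BIND): turn AppArmor "DENIED"
# audit lines for one profile into candidate rules for local/usr.sbin.named.
# SAMPLE_LOG is constructed test data in the shape of Ubuntu's kernel audit
# lines; the named/DLZ paths are the ones from the thread.

SAMPLE_LOG='Jul 30 11:20:01 boa kernel: audit: type=1400 audit(1564485601.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns.keytab" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 30 11:20:01 boa kernel: audit: type=1400 audit(1564485601.124:46): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" pid=1234 comm="named" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Jul 30 11:20:02 boa kernel: audit: type=1400 audit(1564485602.001:47): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/dns.keytab" pid=1234 comm="named" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 30 11:20:02 boa kernel: audit: type=1400 audit(1564485602.002:48): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 30 11:20:03 boa kernel: audit: type=1400 audit(1564485603.000:49): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/var/lib/samba/private/secrets.tdb" pid=2345 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denials_to_rules PROFILE   (reads audit/syslog lines on stdin)
# Prints one "path mask," rule per path, merging the masks of all denials
# seen for that path, so "r" then "k" on dns.keytab becomes "rk" like the
# fragment in the thread. ALLOWED (complain-mode) lines and lines for other
# profiles are skipped.
denials_to_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    awk '
        {
            # create (c) and delete (d) denials need "w" in a profile rule
            gsub(/[cd]/, "w", $2)
            masks[$1] = masks[$1] $2
        }
        END {
            # emit the merged mask letters in a fixed, deduplicated order
            n = split("r w a m k l x", order, " ")
            for (p in masks) {
                out = ""
                for (i = 1; i <= n; i++)
                    if (index(masks[p], order[i]) > 0) out = out order[i]
                printf "%s %s,\n", p, out
            }
        }' |
    sort
}

# Stand-alone run on the constructed sample. On a real box feed it the log
# aa-logprof reads, e.g.:  journalctl -k | denials_to_rules /usr/sbin/named
printf '%s\n' "$SAMPLE_LOG" | denials_to_rules /usr/sbin/named
```

Treat the output as a starting point, not as the profile: review each path before adding it, and prefer the /{usr/,}lib/@{multiarch}/samba/bind9/*.so style glob from the fragment above over the literal x86_64-linux-gnu path the log shows, so the rule survives an architecture or package change. After editing local/usr.sbin.named, reload with apparmor_parser -r /etc/apparmor.d/usr.sbin.named and run the script again against fresh logs until it prints nothing for named.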