[Samba] apparmor profile for samba4+bind9.9: writes to /var/tmp?
Brian Candler
b.candler at pobox.com
Tue Jun 17 08:16:38 MDT 2014
From Ubuntu 14.04, I have installed Samba 4.1.6 and bind 9.9.5 and have
them working together as per
https://wiki.samba.org/index.php/DNS_Backend_BIND
To make it work I had to add the following overrides to
/etc/apparmor.d/local/usr.sbin.named:
# Samba4 DLZ and Active Directory Zones
/usr/lib/x86_64-linux-gnu/samba/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
However, dynamic DNS updates from samba_dnsupdate are still causing
apparmor to trip up because bind is trying to create a file in /var/tmp:
Jun 17 14:59:06 trusty kernel: [ 9163.550869] type=1400
audit(1403013546.668:222): apparmor="DENIED" operation="mknod"
profile="/usr/sbin/named" name="/var/tmp/DNS_107" pid=9281 comm="named"
requested_mask="c" denied_mask="c" fsuid=107 ouid=107
I can fix this with:
/var/tmp/DNS_* rw,
but this just seems wrong to me; it would be better to tell bind to use
a proper directory like /var/cache/bind.
Anyone have any idea why bind is writing to /var/tmp? I can see nothing
in my configuration which points to this directory. Could it be the
dlz_bind9_9.so module which is doing this, or something else?
The file /var/tmp/DNS_107 is left around afterwards, and appears to have
the contents of the DNS update in it.
# hexdump -C /var/tmp/DNS_107
00000000  05 01 2c 01 00 00 01 00  00 00 00 78 00 00 00 48  |..,........x...H|
00000010  41 53 48 3a 43 34 45 34  44 46 33 34 45 30 31 35  |ASH:C4E4DF34E015|
00000020  33 33 33 45 35 39 32 31  45 38 42 44 44 31 37 45  |333E5921E8BDD17E|
00000030  41 43 35 37 20 32 36 3a  54 52 55 53 54 59 24 40  |AC57 26:TRUSTY$@|
00000040  52 45 41 4c 4d 58 2e 57  53 2e 4e 53 52 43 2e 4f  |REALMX.WS.NSRC.O|
00000050  52 47 20 34 38 3a 44 4e  53 2f 74 72 75 73 74 79  |RG 48:DNS/trusty|
00000060  2e 72 65 61 6c 6d 78 2e  77 73 2e 6e 73 72 63 2e  |.realmx.ws.nsrc.|
00000070  6f 72 67 40 52 45 41 4c  4d 58 2e 57 53 2e 4e 53  |org@REALMX.WS.NS|
00000080  52 43 2e 4f 52 47 00 ed  74 0e 00 e4 4b a0 53 1b  |RC.ORG..t...K.S.|
... etc
Thanks,
Brian.
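The denial above is the kind of line an administrator has to triage repeatedly while confining named: read the `type=1400` audit record, work out which profile and path it concerns, and decide whether a rule (and how broad a rule) is justified. The following is an added example, not code from the post or from Samba or BIND, that parses AppArmor denial lines into their fields, maps the kernel's `denied_mask` letters onto profile permission letters (the kernel reports create as `c`, which a profile grants with `w`), and proposes the narrowest matching rule per profile. The first sample line is the post's own denial re-joined onto one line; the second is a constructed denial for the keytab, there only to show grouping. The trailing-digit generalization (`DNS_107` to `DNS_*`) is an assumption made for the example, mirroring the rule the post itself tried.

```python
import re

# Sample input. The first line is the denial quoted in the post, re-joined
# onto one line; the second is constructed for this example and is not
# taken from any real log.
SAMPLE_LINES = [
    'Jun 17 14:59:06 trusty kernel: [ 9163.550869] type=1400 '
    'audit(1403013546.668:222): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/named" name="/var/tmp/DNS_107" pid=9281 comm="named" '
    'requested_mask="c" denied_mask="c" fsuid=107 ouid=107',
    # constructed line (not from the post)
    'Jun 17 14:59:07 trusty kernel: [ 9164.000000] type=1400 '
    'audit(1403013547.000:223): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" '
    'pid=9281 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0',
]

# key=value pairs; the value is either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Kernel mask letters -> profile permission letters. create (c) and delete (d)
# are granted by 'w' in a profile rule. Exec ('x') needs a qualifier such as
# ix/px/Px and is deliberately not auto-mapped.
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                'l': 'l', 'k': 'k', 'm': 'm'}
PERM_ORDER = 'rwalkm'


def parse_apparmor_line(line):
    """Return a dict of the key=value fields of an AppArmor audit line,
    or None if the line is not an AppArmor record."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted = m.group(1), m.group(3)
        fields[key] = quoted if quoted is not None else m.group(2)
    return fields


def mask_to_perms(mask):
    """Translate a denied_mask such as 'c' or 'rw' into profile letters,
    emitted in a stable order. Returns '' if nothing is mappable."""
    perms = {MASK_TO_PERM[ch] for ch in mask if ch in MASK_TO_PERM}
    return ''.join(p for p in PERM_ORDER if p in perms)


def suggest_rule(fields, generalize=True):
    """Build the narrowest profile rule that would satisfy one denial.
    With generalize=True a trailing run of digits in the path becomes '*'
    (an assumption of this example, matching the post's DNS_* rule)."""
    path = fields['name']
    if generalize:
        path = re.sub(r'\d+$', '*', path)
    perms = mask_to_perms(fields['denied_mask'])
    if not perms:
        raise ValueError(f'cannot map denied_mask {fields["denied_mask"]!r}')
    return f'{path} {perms},'


def rules_by_profile(lines, generalize=True):
    """Group proposed rules by profile, deduplicated and sorted, so an
    administrator can review them before touching /etc/apparmor.d/local/."""
    out = {}
    for line in lines:
        f = parse_apparmor_line(line)
        if not f or f.get('apparmor') != 'DENIED' or 'name' not in f:
            continue
        out.setdefault(f['profile'], set()).add(suggest_rule(f, generalize))
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == '__main__':
    for profile, rules in rules_by_profile(SAMPLE_LINES).items():
        print(f'# proposed additions for {profile}')
        for rule in rules:
            print(f'  {rule}')
```

The output is a proposal, not an answer: for the post's line it yields `/var/tmp/DNS_* w,`, which is exactly the widening the author is reluctant to apply, and the script cannot tell you why named wants that path. Its value is in keeping the rule as narrow as the denial (only `w`, not `rw`, and only the digit suffix generalized) while the real question of which component opens the file is still being answered.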