[Samba] Debian Buster, bind_dlz, and apparmor

Dale Schroeder dale at BriannasSaladDressing.com
Mon Nov 27 20:53:32 UTC 2017


Last week, Debian testing (Buster) added apparmor to the list of 
dependencies for its latest kernel release, apparently because systemd 
needs it.  Recently, I noticed my first casualty - bind9 - due to 
apparmor failures with bind_dlz.

Here are the initial journalctl results:

Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian 
<id:9d1ea0b> -f -u bind
Nov 23 10:12:12 debpdc named[16080]: built with '--prefix=/usr' 
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' 
'--with-python=python3' '--localstatedir=/' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-gost=no' '--with-openssl=/usr' 
'--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
'--enable-filter-aaaa' '--enable-native-pkcs11' 
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' 
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 
-fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. 
-fstack-protector-strong -Wformat -Werror=format-security 
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE 
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time 
-D_FORTIFY_SOURCE=2'
Nov 23 10:12:12 debpdc named[16080]: loading configuration from 
'/etc/bind/named.conf'
Nov 23 10:12:12 debpdc named[16080]: reading built-in trusted keys from 
file '/etc/bind/bind.keys'
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" 
operation="file_mmap" profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc named[16080]: dlz_dlopen failed to open library 
'/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - 
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map 
segment from shared object
Nov 23 10:12:12 debpdc kernel: audit: type=1400 
audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Main process exited, 
code=exited, status=1/FAILURE
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Failed with result 
'exit-code'.


After reading the Samba Wiki and adding the entries to apparmor's bind 
file (converting to Debian's paths), the errors have changed to:

Nov 23 11:40:36 debpdc named[20235]: starting BIND 9.10.6-Debian 
<id:9d1ea0b> -f -u bind
Nov 23 11:40:36 debpdc named[20235]: built with '--prefix=/usr' 
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' 
'--with-python=python3' '--localstatedir=/' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-gost=no' '--with-openssl=/usr' 
'--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
'--enable-filter-aaaa' '--enable-native-pkcs11' 
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' 
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 
-fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. 
-fstack-protector-strong -Wformat -Werror=format-security 
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE 
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time 
-D_FORTIFY_SOURCE=2'
Nov 23 11:40:36 debpdc named[20235]: loading configuration from 
'/etc/bind/named.conf'
Nov 23 11:40:36 debpdc named[20235]: reading built-in trusted keys from 
file '/etc/bind/bind.keys'
Nov 23 11:40:36 debpdc audit[20235]: AVC apparmor="DENIED" 
operation="file_mmap" profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc named[20235]: dlz_dlopen failed to open library 
'/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - 
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map 
segment from shared object
Nov 23 11:40:36 debpdc kernel: audit: type=1400 
audit(1511458836.920:67): apparmor="DENIED" operation="file_mmap" 
profile="/usr/sbin/named" 
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Main process exited, 
code=exited, status=1/FAILURE
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Failed with result 
'exit-code'.

The one entry whose path I wasn't totally sure I converted correctly is 
this one:

/usr/local/samba/lib/** rm,

I used /var/lib/samba/** as the path.

Knowing next to nothing about apparmor, what is needed to fix this, and 
what further info do you need from me?

Thanks,
Dale
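Editor's added example, not code from the post or from Samba. Both journal excerpts report the same denial: profile /usr/sbin/named, operation file_mmap, denied_mask "m", on /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so. On Debian the DLZ module lives under the multiarch library directory, so a rule for /var/lib/samba/** (the translation of /usr/local/samba/lib/** chosen above) does not match the path the kernel is refusing, and the second excerpt looks identical to the first. The script below parses AVC denial lines from journalctl, translates AppArmor path globs (`*` does not cross `/`, `**` does), checks which candidate rules cover each denial, and prints the rule lines still missing. The sample journal lines are the post's own, joined back onto single lines; the two override fragments (POSTED_OVERRIDE, CORRECTED_OVERRIDE) are hypothetical, and the corrected one only adds the one rule the denial proves is needed. After editing the local override, the profile still has to be reloaded (for example with `apparmor_parser -r` on the named profile) before restarting bind9; check that the shipped /etc/apparmor.d/usr.sbin.named actually includes the local/ override file you edited.

```python
"""Map AppArmor AVC denials from journalctl to the profile rules that would allow them.

Added example for the bind9/dlz_bind9 denial discussed above; not from the post or Samba.
"""
import re

# Matches both the 'audit[pid]: AVC ...' and the 'kernel: audit: type=1400 ...' forms.
AVC_RE = re.compile(
    r'apparmor="DENIED"\s+operation="(?P<op>[^"]+)"\s+profile="(?P<profile>[^"]+)"'
    r'\s+name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
)

# Constructed sample: the post's journal lines, re-joined onto single lines.
SAMPLE_JOURNAL = """\
Nov 23 10:12:12 debpdc named[16080]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc kernel: audit: type=1400 audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
"""

# Hypothetical override as described in the post: /usr/local/samba/lib/** became /var/lib/samba/**.
POSTED_OVERRIDE = """\
  /var/lib/samba/** rm,
"""

# Hypothetical corrected override: keeps the posted rule and adds the directory the
# denial names, i.e. Debian's multiarch library path for the Samba DLZ modules.
CORRECTED_OVERRIDE = """\
  /var/lib/samba/** rm,
  /usr/lib/x86_64-linux-gnu/samba/** rm,
"""


def parse_denials(journal_text):
    """Return distinct (profile, path, denied_mask) triples found in the journal text."""
    seen = []
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            triple = (m.group("profile"), m.group("name"), m.group("mask"))
            if triple not in seen:          # audit and kernel lines report the same event
                seen.append(triple)
    return seen


def glob_to_regex(glob):
    """Translate an AppArmor path glob: '**' may cross '/', '*' and '?' may not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        elif glob[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rules(profile_text):
    """Parse plain file rules of the form '<path-glob> <perms>,' into (glob, perms-set)."""
    rules = []
    for line in profile_text.splitlines():
        m = re.match(r"^(/\S+)\s+([a-z]+),$", line.strip())
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def is_covered(path, mask, rules):
    """True if some rule matches the path and grants every permission in the denied mask."""
    needed = set(mask)
    return any(glob_to_regex(g).match(path) and needed <= perms for g, perms in rules)


def missing_rules(journal_text, profile_text):
    """Rule lines that would satisfy every denial the candidate profile does not cover."""
    rules = parse_rules(profile_text)
    out = []
    for _profile, path, mask in parse_denials(journal_text):
        if not is_covered(path, mask, rules):
            perms = "rm" if "m" in mask else mask   # a mapped shared object is also read
            out.append(f"{path} {perms},")
    return out


if __name__ == "__main__":
    for label, override in (("posted", POSTED_OVERRIDE), ("corrected", CORRECTED_OVERRIDE)):
        print(f"{label} override, missing rules: {missing_rules(SAMPLE_JOURNAL, override)}")
```

Feed it `journalctl -u bind9` output and the contents of the local override to see which denials the override still leaves uncovered; a rule for the exact .so path is the tightest fix, while the directory glob also covers the other dlz_bind9_* modules in that directory.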
