[Samba] Debian Buster, bind_dlz, and apparmor
Dale Schroeder
dale at BriannasSaladDressing.com
Mon Nov 27 20:53:32 UTC 2017
Last week, Debian testing (Buster) added apparmor to the list of
dependencies for its latest kernel release, apparently because systemd
needs it. Recently, I noticed my first casualty - bind9 - due to
apparmor failures with bind_dlz.
Here are the initial journalctl results:
Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian
<id:9d1ea0b> -f -u bind
Nov 23 10:12:12 debpdc named[16080]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--with-python=python3' '--localstatedir=/' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-gost=no' '--with-openssl=/usr'
'--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2'
Nov 23 10:12:12 debpdc named[16080]: loading configuration from
'/etc/bind/named.conf'
Nov 23 10:12:12 debpdc named[16080]: reading built-in trusted keys from
file '/etc/bind/bind.keys'
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED"
operation="file_mmap" profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc named[16080]: dlz_dlopen failed to open library
'/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' -
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map
segment from shared object
Nov 23 10:12:12 debpdc kernel: audit: type=1400
audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap"
profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Main process exited,
code=exited, status=1/FAILURE
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Failed with result
'exit-code'.
After reading the Samba Wiki and adding the entries to apparmor's bind
file (converting to Debian's paths), the errors have changed to:
Nov 23 11:40:36 debpdc named[20235]: starting BIND 9.10.6-Debian
<id:9d1ea0b> -f -u bind
Nov 23 11:40:36 debpdc named[20235]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--with-python=python3' '--localstatedir=/' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-gost=no' '--with-openssl=/usr'
'--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2'
Nov 23 11:40:36 debpdc named[20235]: loading configuration from
'/etc/bind/named.conf'
Nov 23 11:40:36 debpdc named[20235]: reading built-in trusted keys from
file '/etc/bind/bind.keys'
Nov 23 11:40:36 debpdc audit[20235]: AVC apparmor="DENIED"
operation="file_mmap" profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc named[20235]: dlz_dlopen failed to open library
'/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' -
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map
segment from shared object
Nov 23 11:40:36 debpdc kernel: audit: type=1400
audit(1511458836.920:67): apparmor="DENIED" operation="file_mmap"
profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Main process exited,
code=exited, status=1/FAILURE
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Failed with result
'exit-code'.
The one entry whose path I wasn't totally sure I converted correctly is
this one:
/usr/local/samba/lib/** rm,
I used /var/lib/samba/** as the path.
Knowing next to nothing about apparmor, what is needed to fix this, and
what further info do you need from me?
Thanks,
Dale
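The denials above name a path under /usr/lib/x86_64-linux-gnu/samba/bind9/, not under /var/lib/samba/, so a defender triaging this wants two things: the exact path and permission mask each AVC line asks for, and whether any rule already in the profile's file section would grant it. The following Python is an added example, not code from the post or from Samba/Debian, and it is written from scratch. It parses the AVC lines from the post (copied into a constructed sample, plus one extra constructed line for a path the example rule does cover), implements AppArmor's path globbing ('*' stops at '/', '**' crosses it), and reports which denials need a new rule and which are already granted by the on-disk profile. The rule list `SAMPLE_RULES` is a hypothetical excerpt of /etc/apparmor.d/usr.sbin.named, not the real file.

```python
"""Triage AppArmor AVC denials against the file rules of an existing profile.

Added example: the log lines are constructed from the post's journalctl output,
and SAMPLE_RULES is a hypothetical excerpt of a named profile.
"""
import re

# Constructed sample log: the AVC and kernel audit lines from the post,
# a non-AVC line, and one constructed denial for a path under /var/lib/samba.
SAMPLE_LOG = """\
Nov 23 11:40:36 debpdc audit[20235]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc named[20235]: loading configuration from '/etc/bind/named.conf'
Nov 23 11:40:36 debpdc kernel: audit: type=1400 audit(1511458836.920:67): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:37 debpdc audit[20235]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=20235 comm="named" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
"""

# Hypothetical excerpt of the profile's file rules (assumed, not the real file).
SAMPLE_RULES = [
    "/etc/bind/** r,",
    "/var/lib/samba/** rm,",   # the converted entry the post describes
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
RULE_RE = re.compile(r'^\s*(\S+)\s+([a-zA-Z]+)\s*,\s*$')


def parse_avc(line):
    """Return the key fields of an AppArmor DENIED line, or None for any other line."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return {
        "profile": fields.get("profile", ""),
        "operation": fields.get("operation", ""),
        "name": fields["name"],
        "denied": fields.get("denied_mask", ""),
    }


def glob_to_regex(glob):
    """AppArmor path globbing: '*' matches within one path component,
    '**' crosses '/', '?' is a single non-'/' character.
    Brace alternation ({a,b}) is not handled by this example."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "*" and i + 1 < len(glob) and glob[i + 1] == "*":
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(rules):
    """Turn 'path perms,' lines into (glob, compiled regex, permission set)."""
    parsed = []
    for r in rules:
        m = RULE_RE.match(r)
        if m:
            parsed.append((m.group(1), glob_to_regex(m.group(1)), set(m.group(2))))
    return parsed


def granting_rule(parsed_rules, path, denied):
    """Return the glob of a rule that matches the path and grants every denied bit."""
    for glob, rx, perms in parsed_rules:
        if rx.match(path) and set(denied) <= perms:
            return glob
    return None


def triage(log_text, rules):
    """Split denials into rules still missing from the profile and denials the
    on-disk profile already grants (which points at a profile not yet reloaded)."""
    parsed = parse_rules(rules)
    missing, granted = [], []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        glob = granting_rule(parsed, avc["name"], avc["denied"])
        if glob is None:
            rule = f'{avc["name"]} {avc["denied"]},'
            if rule not in missing:          # the AVC and kernel lines repeat one event
                missing.append(rule)
        else:
            granted.append((avc["name"], glob))
    return {"missing": missing, "already_granted": granted}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_RULES)
    for rule in result["missing"]:
        print("rule to add:     ", rule)
    for path, glob in result["already_granted"]:
        print("already granted: ", path, "by", glob)
```

Running it on the sample prints one rule to add (`/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so m,`) and one path already granted by `/var/lib/samba/**`. A denial that lands in the second bucket means the profile on disk and the profile loaded in the kernel differ, so the edit has to be reloaded with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` before retesting; the `m` in the first bucket is the mmap permission the dlz_dlopen error corresponds to, and the same suggestion is what `aa-logprof` would derive from the journal.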