[Samba] Debian Buster, bind_dlz, and apparmor
Dale Schroeder
dale at BriannasSaladDressing.com
Tue Nov 28 14:37:22 UTC 2017
On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> On Mon, 27 Nov 2017 14:53:32 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>> Last week, Debian testing (Buster) added apparmor to the list of
>> dependencies for its latest kernel release, apparently because
>> systemd needs it. Recently, I noticed my first casualty - bind9 -
>> due to apparmor failures with bind_dlz.
>>
>> Knowing next to nothing about apparmor, what is needed to fix this,
>> and what further info do you need from me?
>>
>> Thanks,
>> Dale
> I cannot seem to find a debian kernel that has a dependency on
> apparmor, can you provide a link ?
>
> Even if debian is making the kernel depend on apparmor (by the way,
> does Linus know about this ?), this isn't a Samba problem, it is an
> apparmor one.
>
> Rowland
Rowland,
Thanks for responding.
From
http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
[ Ben Hutchings ]
* linux-image: Recommend apparmor, as systemd units with an AppArmor
profile will fail without it (Closes: #880441)
So, although the word "recommend" implies that one has a choice, in
reality, the kernel upgrade would not proceed without installing apparmor.
I suppose it would be possible to disable, but assuming the systemd
warning is a harbinger of things to come, it seemed best to me to figure
it out now. I know systemd is not your thing, and I am inclined to
agree; however, Debian sees it otherwise, leaving me to deal with it.
I asked here because there is a wiki section devoted to the topic -
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
Thus far, SELinux has not been forced by Debian. Regardless, since the
apparmor install, I have not been able to get Bind9 to start if bind_dlz
is enabled.
Thanks again,
Dale
More information about the samba
mailing list