Brian Candler
2014-Jun-17 14:16 UTC
[Samba] apparmor profile for samba4+bind9.9: writes to /var/tmp?
From Ubuntu 14.04, I have installed Samba 4.1.6 and bind 9.9.5 and have them working together as per https://wiki.samba.org/index.php/DNS_Backend_BIND

To make it work I had to add the following overrides to /etc/apparmor.d/local/usr.sbin.named:

  # Samba4 DLZ and Active Directory Zones
  /usr/lib/x86_64-linux-gnu/samba/** rm,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,

However, dynamic DNS updates from samba_dnsupdate are still causing apparmor to trip up because bind is trying to create a file in /var/tmp:

  Jun 17 14:59:06 trusty kernel: [ 9163.550869] type=1400 audit(1403013546.668:222): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/DNS_107" pid=9281 comm="named" requested_mask="c" denied_mask="c" fsuid=107 ouid=107

I can fix this with:

  /var/tmp/DNS_* rw,

but this just seems wrong to me; it would be better to tell bind to use a proper directory like /var/cache/bind.

Anyone have any idea why bind is writing to /var/tmp? I can see nothing in my configuration which points to this directory. Could it be the dlz_bind9_9.so module which is doing this, or something else?

The file /var/tmp/DNS_107 is left around afterwards, and appears to have the contents of the DNS update in it.
  # hexdump -C /var/tmp/DNS_107
  00000000  05 01 2c 01 00 00 01 00  00 00 00 78 00 00 00 48  |..,........x...H|
  00000010  41 53 48 3a 43 34 45 34  44 46 33 34 45 30 31 35  |ASH:C4E4DF34E015|
  00000020  33 33 33 45 35 39 32 31  45 38 42 44 44 31 37 45  |333E5921E8BDD17E|
  00000030  41 43 35 37 20 32 36 3a  54 52 55 53 54 59 24 40  |AC57 26:TRUSTY$@|
  00000040  52 45 41 4c 4d 58 2e 57  53 2e 4e 53 52 43 2e 4f  |REALMX.WS.NSRC.O|
  00000050  52 47 20 34 38 3a 44 4e  53 2f 74 72 75 73 74 79  |RG 48:DNS/trusty|
  00000060  2e 72 65 61 6c 6d 78 2e  77 73 2e 6e 73 72 63 2e  |.realmx.ws.nsrc.|
  00000070  6f 72 67 40 52 45 41 4c  4d 58 2e 57 53 2e 4e 53  |org@REALMX.WS.NS|
  00000080  52 43 2e 4f 52 47 00 ed  74 0e 00 e4 4b a0 53 1b  |RC.ORG..t...K.S.|
  ... etc

Thanks,
Brian.
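An added example, not from Brian's post and not code from the Samba or BIND projects: a small Python triage script that turns AppArmor "DENIED" audit lines like the one quoted above into the file rules a local override would need, and flags any rule that lands under a shared temp directory (/tmp, /var/tmp, /dev/shm) as the kind of override the post calls "wrong", since such a rule lets the confined program write into a world-writable location instead of a directory dedicated to it. The first log line is the one from the post; the other two are constructed for illustration. The mask translation follows AppArmor's rule semantics (a create or delete request in the log is granted by 'w' in a profile rule); the thresholds and messages are my own choices, and the script is deliberately conservative: exec denials are reported for a human decision rather than turned into a rule.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the post;
# lines 2 and 3 are constructed here purely to exercise the parser.
SAMPLE_LOG = """\
Jun 17 14:59:06 trusty kernel: [ 9163.550869] type=1400 audit(1403013546.668:222): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/DNS_107" pid=9281 comm="named" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Jun 17 14:59:07 trusty kernel: [ 9164.000000] type=1400 audit(1403013547.000:223): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=9281 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Jun 17 14:59:08 trusty kernel: [ 9165.000000] type=1400 audit(1403013548.000:224): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=9281 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
"""

# AppArmor audit lines are a flat list of key="value" pairs; unquoted
# fields such as pid=9281 are ignored here because we do not need them.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Log mask letter -> permission letter that grants it in a profile rule.
# 'c' (create) and 'd' (delete) are both covered by 'w'.
MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
            "k": "k", "m": "m", "l": "l"}
PERM_ORDER = "rwalkm"  # canonical ordering for the emitted rule

# World-writable directories shared by every process on the host: a rule
# here is a smell, the program should be pointed at its own directory.
BROAD_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_denials(log_text):
    """Return one dict of fields per apparmor="DENIED" line with a file name."""
    denials = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            denials.append(fields)
    return denials


def rule_for(entry):
    """Translate one denial into a file rule, or None for exec denials."""
    mask = entry.get("denied_mask") or entry.get("requested_mask", "")
    if "x" in mask:
        return None  # ix/px/ux choice must be made by a person
    perms = {MASK_MAP[c] for c in mask if c in MASK_MAP}
    ordered = "".join(sorted(perms, key=PERM_ORDER.index))
    return f"{entry['name']} {ordered},"


def is_broad(path):
    return path.startswith(BROAD_DIRS)


def suggest(log_text):
    """Group suggested rules by profile; return (rules_by_profile, warnings)."""
    rules = defaultdict(list)
    warnings = []
    for e in parse_denials(log_text):
        profile = e.get("profile", "?")
        rule = rule_for(e)
        if rule is None:
            warnings.append(f"{profile}: exec of {e['name']} denied; "
                            "pick ix/px/ux by hand")
            continue
        if rule not in rules[profile]:
            rules[profile].append(rule)
        if is_broad(e["name"]):
            warnings.append(f"{profile}: {e['name']} is under a shared temp "
                            "dir; prefer a directory dedicated to the program")
    return dict(rules), warnings


if __name__ == "__main__":
    by_profile, notes = suggest(SAMPLE_LOG)
    for profile, lines in by_profile.items():
        print(f"# local override candidates for {profile}")
        for r in lines:
            print("  " + r)
    for n in notes:
        print("WARNING: " + n)
```

Feed it `journalctl -k` or `/var/log/kern.log` output and it prints the candidate rules per profile plus the warnings. For the denial in the post it emits `/var/tmp/DNS_107 w,` and warns that the path sits under /var/tmp; the ALLOWED line (complain-mode noise) is skipped entirely.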