Hi,

I ran into some trouble last night when setting up samba (4.1.5) with bind 9.9 as the backend. I followed the instructions on the wiki but found that the apparmor settings that are suggested don't actually work (at least for me running Ubuntu 13.10). Just putting it here for others that may experience the same issue and to check that I haven't done something silly. If what I've done is correct then it might be worthwhile updating the wiki (or I will if it's publicly updatable).

Current wiki suggestion is to add the following to /etc/apparmor.d/local/usr.sbin.named

  /usr/local/samba/lib/** rm,
  /usr/local/samba/private/dns.keytab r,
  /usr/local/samba/private/named.conf r,
  /usr/local/samba/private/dns/** rwk,

I found I needed to add the following

  /usr/local/samba/lib/** rm,
  /usr/local/samba/private/dns.keytab rk,
  /usr/local/samba/private/named.conf r,
  /usr/local/samba/private/dns/** rwk,
  /usr/local/samba/etc/smb.conf r,
  /var/tmp/** rw,
  /var/tmp/ rw,

FYI /var/tmp is where the .jnl is being written, presumably it's bind that's deciding to put it here and not samba.

I've also seen another apparmor related error message pop up today when adding a machine to the domain.

  Mar 10 14:03:44 server kernel: [ 6809.180969] type=1400 audit(1394420624.565:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/dev/urandom" pid=1491 comm="named" requested_mask="wc" denied_mask="wc" fsuid=107 ouid=0

The PC was actually added to DNS so I'm not sure what the ramifications of this error would be.

Cheers,
Justin.
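The audit line quoted in the message above is the raw material for deciding which rule is missing from the local profile. As an added example (not code from either poster or from the Samba wiki), the POSIX shell functions below parse such kernel audit lines, pull out the confined profile, the denied path and the denied access mask, and print a candidate rule line in the syntax used in /etc/apparmor.d/local/usr.sbin.named. The sample line is the one from the thread, embedded here as a constant; the function names and the `profile|rule` output format are this example's own choices.

```shell
#!/bin/sh
# Constructed sample input: the kernel audit line quoted in the thread above.
SAMPLE_LINE='Mar 10 14:03:44 server kernel: [ 6809.180969] type=1400 audit(1394420624.565:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/dev/urandom" pid=1491 comm="named" requested_mask="wc" denied_mask="wc" fsuid=107 ouid=0'

# aa_field LINE KEY: print the value of KEY="value" from an audit line.
# The key must be preceded by whitespace so that e.g. "name" does not
# match inside another key.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_suggest_rule LINE: turn one apparmor="DENIED" audit line into a
# candidate rule for the profile's local include.
# Output: "<profile>|<path> <denied_mask>,"  e.g. "/usr/sbin/named|/dev/urandom wc,"
# Returns 1 for lines that are not AppArmor denials or lack a field.
aa_suggest_rule() {
    line="$1"
    case "$line" in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    profile=$(aa_field "$line" profile)
    name=$(aa_field "$line" name)
    mask=$(aa_field "$line" denied_mask)
    [ -n "$profile" ] && [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s|%s %s,\n' "$profile" "$name" "$mask"
}

# aa_suggest_from_log: read audit lines on stdin (e.g. from /var/log/kern.log)
# and print each distinct candidate rule once, so repeated denials collapse.
aa_suggest_from_log() {
    while IFS= read -r l; do
        aa_suggest_rule "$l" || :
    done | sort -u
}

# Stand-alone usage: feed the sample line through the log reader.
printf '%s\n' "$SAMPLE_LINE" | aa_suggest_from_log
```

Running the block prints `/usr/sbin/named|/dev/urandom wc,`: the part after the `|` is the line to review and, if appropriate, append to the local profile before reloading it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`. Piping a whole kernel log through `aa_suggest_from_log` is a quick way to see every distinct path a confined service was denied, which is how the /var/tmp journal writes mentioned above would also show up.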
Hello,

On 10.03.2014 11:17, Justin Clacherty wrote:
> Current wiki suggestion is to add the following to /etc/apparmor.d/local/usr.sbin.named
>
>   /usr/local/samba/lib/** rm,
>   /usr/local/samba/private/dns.keytab r,
>   /usr/local/samba/private/named.conf r,
>   /usr/local/samba/private/dns/** rwk,
>
> I found I needed to add the following
>
>   /usr/local/samba/lib/** rm,
>   /usr/local/samba/private/dns.keytab rk,
>   /usr/local/samba/private/named.conf r,
>   /usr/local/samba/private/dns/** rwk,
>   /usr/local/samba/etc/smb.conf r,
>   /var/tmp/** rw,
>   /var/tmp/ rw,

If someone with Apparmor and knowledge about it can validate this please, I'll update the Wiki shortly. I never used it, so I kept this part when I revised this HowTo last year. :-)

Regards,
Marc