Last week, Debian testing (Buster) added apparmor to the list of dependencies for its latest kernel release, apparently because systemd needs it. Recently, I noticed my first casualty - bind9 - due to apparmor failures with bind_dlz. Here are the initial journalctl results:

Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian <id:9d1ea0b> -f -u bind
Nov 23 10:12:12 debpdc named[16080]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Nov 23 10:12:12 debpdc named[16080]: loading configuration from '/etc/bind/named.conf'
Nov 23 10:12:12 debpdc named[16080]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc named[16080]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map segment from shared object
Nov 23 10:12:12 debpdc kernel: audit: type=1400 audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Failed with result 'exit-code'.

After reading the Samba Wiki and adding the entries to apparmor's bind file (converting to Debian's paths), the errors have changed to:

Nov 23 11:40:36 debpdc named[20235]: starting BIND 9.10.6-Debian <id:9d1ea0b> -f -u bind
Nov 23 11:40:36 debpdc named[20235]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Nov 23 11:40:36 debpdc named[20235]: loading configuration from '/etc/bind/named.conf'
Nov 23 11:40:36 debpdc named[20235]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 23 11:40:36 debpdc audit[20235]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc named[20235]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map segment from shared object
Nov 23 11:40:36 debpdc kernel: audit: type=1400 audit(1511458836.920:67): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Failed with result 'exit-code'.

The one entry whose path I wasn't totally sure I converted correctly is this one:

/usr/local/samba/lib/** rm,

I used /var/lib/samba/** as the path.

Knowing next to nothing about apparmor, what is needed to fix this, and what further info do you need from me?

Thanks,
Dale
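To see why a converted entry such as /var/lib/samba/** rm, does not clear the denial above, here is an added Python check (not from the thread, the Samba wiki or the AppArmor project) that parses the AVC line from the log, tests which profile rules cover the denied path and permission mask, and prints the narrowest rule that would. The AppArmor glob subset it implements (`*` not crossing `/`, `**` crossing `/`, `?`; no `{a,b}` alternation) and the `rules` list are assumptions for the example.

```python
import re

# Constructed sample: the audit line from the question, as one string.
AVC_LINE = ('audit[16080]: AVC apparmor="DENIED" operation="file_mmap" '
            'profile="/usr/sbin/named" '
            'name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" '
            'pid=16080 comm="named" requested_mask="m" denied_mask="m" '
            'fsuid=109 ouid=0')


def parse_avc(line):
    """Return the key=value fields of an AppArmor AVC audit line as a dict."""
    return dict(re.findall(r'(\w+)="?([^"\s]*)"?', line))


def glob_to_regex(pattern):
    """Translate the AppArmor glob subset assumed here into an anchored regex."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):   # ** crosses directory boundaries
            out, i = out + '.*', i + 2
        elif pattern[i] == '*':           # * stays within one path component
            out, i = out + '[^/]*', i + 1
        elif pattern[i] == '?':
            out, i = out + '[^/]', i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')


def parse_rule(rule):
    """Split a file rule like '/var/lib/samba/** rm,' into (regex, perms)."""
    path, perms = rule.rstrip(',').split()
    return glob_to_regex(path), set(perms)


def covering_rules(rules, avc):
    """Rules whose path glob matches the denied file and whose perms include the denied mask."""
    needed = set(avc['denied_mask'])
    found = []
    for rule in rules:
        regex, perms = parse_rule(rule)
        if regex.match(avc['name']) and needed <= perms:
            found.append(rule)
    return found


def suggest_rule(avc):
    """Narrowest allow rule for this denial: exact path plus only the denied mask."""
    return f'{avc["name"]} {avc["denied_mask"]},'


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    rules = ['/var/lib/samba/** rm,']   # assumed: the entry added in the question
    print('covered by:', covering_rules(rules, avc) or 'nothing')
    print('would need:', suggest_rule(avc))
```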
On Mon, 27 Nov 2017 14:53:32 -0600
Dale Schroeder via samba <samba at lists.samba.org> wrote:

> Last week, Debian testing (Buster) added apparmor to the list of
> dependencies for its latest kernel release, apparently because
> systemd needs it. Recently, I noticed my first casualty - bind9 -
> due to apparmor failures with bind_dlz.
>
> Knowing next to nothing about apparmor, what is needed to fix this,
> and what further info do you need from me?
>
> Thanks,
> Dale

I cannot seem to find a Debian kernel that has a dependency on apparmor, can you provide a link?

Even if Debian is making the kernel depend on apparmor (by the way, does Linus know about this?), this isn't a Samba problem, it is an apparmor one.

Rowland
On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:

> On Mon, 27 Nov 2017 14:53:32 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>> Last week, Debian testing (Buster) added apparmor to the list of
>> dependencies for its latest kernel release, apparently because
>> systemd needs it. Recently, I noticed my first casualty - bind9 -
>> due to apparmor failures with bind_dlz.
>>
>> Knowing next to nothing about apparmor, what is needed to fix this,
>> and what further info do you need from me?
>>
>> Thanks,
>> Dale
>
> I cannot seem to find a debian kernel that has a dependency on
> apparmor, can you provide a link ?
>
> Even if debian is making the kernel depend on apparmor (by the way,
> does Linus know about this ?), this isn't a Samba problem, it is an
> apparmor one.
>
> Rowland

Rowland,

Thanks for responding.

From http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog

  [ Ben Hutchings ]
  * linux-image: Recommend apparmor, as systemd units with an AppArmor profile will fail without it (Closes: #880441)

So, although the word "recommend" implies that one has a choice, in reality, the kernel upgrade would not proceed without installing apparmor. I suppose it would be possible to disable, but assuming the systemd warning is a harbinger of things to come, it seemed best to me to figure it out now.

I know systemd is not your thing, and I am inclined to agree; however, Debian sees it otherwise, leaving me to deal with it.

I asked here because there is a wiki section devoted to the topic - https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

Thus far, SELinux has not been forced by Debian. Regardless, since the apparmor install, I have not been able to get Bind9 to start if bind_dlz is enabled.

Thanks again,
Dale