Displaying 20 results from an estimated 10000 matches similar to: "Debian Buster, bind_dlz, and apparmor"
2017 Nov 28
2
Debian Buster, bind_dlz, and apparmor
On 11/28/2017 11:11 AM, Robert Wooden wrote:
> Dale,
>
> Been using Ubuntu server for years in my AD. Discovered a long time
> ago that apparmor is not needed for a server. (Someone is probably
> going to argue the other that it should be but . . .)
>
> Do not quote me but, I have read that AppArmor is intended more for a
> desktop environment. I have always disabled and
2017 Nov 28
2
Debian Buster, bind_dlz, and apparmor
On 11/28/2017 9:02 AM, Rowland Penny wrote:
> On Tue, 28 Nov 2017 08:37:22 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>>> On Mon, 27 Nov 2017 14:53:32 -0600
>>> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>>
>>>> Last week,
2017 Nov 28
2
Debian Buster, bind_dlz, and apparmor
On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> On Mon, 27 Nov 2017 14:53:32 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>> Last week, Debian testing (Buster) added apparmor to the list of
>> dependencies for its latest kernel release, apparently because
>> systemd needs it. Recently, I noticed my first casualty - bind9 -
>>
2017 Nov 28
0
Debian Buster, bind_dlz, and apparmor
On Tue, 28 Nov 2017 11:24:58 -0600
Dale Schroeder <dale at BriannasSaladDressing.com> wrote:
> On 11/28/2017 11:11 AM, Robert Wooden wrote:
> > Dale,
> >
> > Been using Ubuntu server for years in my AD. Discovered a long time
> > ago that apparmor is not needed for a server. (Someone is probably
> > going to argue the other that it should be but . . .)
2017 Nov 28
0
Debian Buster, bind_dlz, and apparmor
Dale,
Been using Ubuntu server for years in my AD. Discovered a long time ago
that apparmor is not needed for a server. (Someone is probably going to
argue the other that it should be but . . .)
Do not quote me but, I have read that AppArmor is intended more for a
desktop environment. I have always disabled and then removed AppArmor and
have never had any issues. Of course I am behind a hardware
2017 Nov 28
0
Debian Buster, bind_dlz, and apparmor
On Tue, 28 Nov 2017 08:37:22 -0600
Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>
> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> > On Mon, 27 Nov 2017 14:53:32 -0600
> > Dale Schroeder via samba <samba at lists.samba.org> wrote:
> >
> >> Last week, Debian testing (Buster) added apparmor to the list of
> >>
2017 Nov 27
2
Debian Buster, bind_dlz, and apparmor
Last week, Debian testing (Buster) added apparmor to the list of
dependencies for its latest kernel release, apparently because systemd
needs it. Recently, I noticed my first casualty - bind9 - due to
apparmor failures with bind_dlz.
Here are the initial journalctl results:
Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian <id:9d1ea0b> -f -u bind
Nov 23 10:12:12 debpdc
2012 Mar 29
1
Samba4, bind9 and apparmor on Ubuntu
Samba4 latest git, Ubuntu 11.10, bind9.9.0
Hi
I have dynamic updates working but I've had to tweak apparmor:
sudo aa-complain /etc/apparmor.d/usr.sbin.named
This floods the logs with allow messages. I can remove this by:
/etc/init.d/apparmor teardown
Not ideal.
Can I have bind9, s4 and apparmor at the same time?
Thanks,
Steve
2008 Feb 06
1
[PATCH 1/4] btrfs: Add workaround for AppArmor changing remove_suid() prototype
In openSUSE 10.3, AppArmor modifies remove_suid to take a struct path
rather than just a dentry. This patch tests that the kernel is openSUSE
10.3 or newer and adjusts the call accordingly.
Debian/Ubuntu with AppArmor applied will also need a similar patch.
Maintainers of btrfs under those distributions should build on this
patch or,
2013 Aug 26
2
How to deal with LXC cgroup access control with apparmor ?
I am playing with libvirt 1.1.1 (lxc)
When I was starting an LXC container, the process location of cgroup is pretty, just the root directory
from the process. But I could tune the cgroup in a container as a user that logged. This is not accepted...
I wonder how to restrict it with apparmor, so one cannot modify files in the cgroup fs, e.g. the cpus or mem,
if I restrict it with "deny
2015 Sep 03
3
BIND 9.9 apparmor rules with Samba
Hi
Current wiki suggestion
(https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD#Interaction_with_AppArmor_or_SELinux)
is to add the following to /etc/apparmor.d/local/usr.sbin.named
# Samba4 DLZ and Active Directory Zones (default source installation)
/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab r,
/usr/local/samba/private/named.conf r,
2018 Mar 16
1
Dovecot on Debian Stretch with AppArmor
Hello all,
I am using dovecot on Debian stretch, with AppArmor, and I have this
audit log:
Mar 16 11:25:10 mail kernel: audit: type=1400 audit(1521199510.705:580):
apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/lib/dovecot/auth"
name="var/cache/nscd/hosts" pid=26797
2008 Jun 25
0
[Fwd: AOL Mail]
FYI
-------- Original Message --------
Subject: RE: AOL Mail
Date: Wed, 25 Jun 2008 13:47:06 -0500
From: Dustin Davis <dustin@txls.com>
To: "'Dale Schroeder'" <dale@BriannasSaladDressing.com>
References:
<419cf800ca3991a24f4b9829f3806aba@briannassaladdressing.com>
<145401c8d604$ccfb1780$66f14680$@com>
2019 Oct 23
1
dns_tkey_negotiategss: TKEY is unacceptable
I found another reason for this error: dns_tkey_negotiategss: TKEY is unacceptable
After much head scratching it was due to the AppArmor configuration recommended in the wiki at:
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
The section for AppArmor which recommends adding lines to /etc/apparmor.d/local/usr.sbin.named, I had to change the line:
from:
2019 May 15
2
Workstations cannot update DNS
> From: Rowland penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 05/14/2019 02:50 PM
> Subject: Re: [Samba] Workstations cannot update DNS
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On 14/05/2019 21:36, Durwin via samba wrote:
> > I am trying to get DDNS working, so workstations can update their ip.
2019 May 14
2
Workstations cannot update DNS
I am trying to get DDNS working, so workstations can update their ip.
The domain is msi.mycompany.com
The DC server works, as well as group policies.
I set rights to these files
> chgrp bind /var/lib/samba/private/
> chmod 750 /var/lib/samba/private/
> chgrp bind /var/lib/samba/private/dns.keytab
> chmod 640 /var/lib/samba/private/dns.keytab
journalctl shows this.
May 14 14:22:32
2014 Nov 21
0
How to enable apparmor security driver for libvirt
Hi guys,
I want to enable the apparmor security driver for my libvirt env with Ubuntu OS.
What I do is as follows:
First, I got the source code and compiled it.
ubuntu@ubuntu:~/github$git clone git://libvirt.org/libvirt.git
ubuntu@ubuntu:~/github/libvirt$ dpkg -l|grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5 amd64 User-space parser utility for
AppArmor
ii libapparmor-dev:amd64
2015 Sep 03
0
AppArmor Rules for Samba AD DC on Ubuntu 14.04 LTS (was: Re: BIND 9.9 apparmor rules with Samba)
Hi All,
Through interpreting what the current Wiki article says, plus some
trial and error: The following AppArmor rules *appear* to work for a
Samba AD DC using the stuff from the distro for Ubuntu 14.04 LTS:
$ cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
/dev/urandom w,
2017 May 24
0
How to fit with Apparmor when upgrade to new libvirt version?
Hi everyone, this is my first post at this mailing list.
I have a question about upgrading libvirt, but also can fit to AppArmor.
For example, I already installed KVM + libvirt from apt-get on Ubuntu 14.04.
But the libvirt version is 1.2.9, so I want to upgrade to 1.3.4 manually.
Searching the Internet, only a few posts show how to edit so that one can launch a VM
with AppArmor enabled.
Most of the posts say
2019 May 05
1
Issues with bind9 dlz
Hi Rowland,
The samba-tool dns zonelist 127.0.0.1 -U Administrator%xxxxxxxxxx | grep
'pszZoneName', gives
Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255
netmask=255.255.255.0
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255
netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface