Univention Bugzilla – Bug 51786
bind9 with samba4 and cups do not start due to missing files in apparmor profile
Last modified: 2021-05-25 15:58:36 CEST
bind9 does not start with samba4 backend due to missing files in apparmor profile.
Debian Buster activates apparmor by default. The supplied profile for the named daemon is missing some files for the samba4 backend.
Question: Do we want to fix this or deactivate the profile completely?
r19123: Bug #51786: fix apparmor profile for named
There seem to be still some rules missing:
    apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/tmp/krb5cc_0"
    apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-3fMzuWmKOS" pid=889 comm="isc-worker0002" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
See /var/log/kern.log
cups has similar problems:
    audit: type=1400 audit(1602664425.791:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/etc/printcap.cups" pid=15823 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    audit: type=1400 audit(1602664473.703:15): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/libnss-ldap.conf" pid=15823 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=104
    audit: type=1400 audit(1602664473.703:16): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/dev/urandom" pid=15823 comm="cupsd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
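Added example, not part of the bug report or of Univention's code: a way to turn the DENIED records quoted above into a per-profile list of candidate file rules for review before editing a profile. The function names are hypothetical, and the mask mapping assumes that create (c) and delete (d) in the log are covered by w in a profile rule.

```python
import re
from collections import defaultdict

# Log mask letter -> profile file permission; create (c) and delete (d) fall under w.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Denial records quoted in this report (the first one is incomplete on the page).
SAMPLE = [
    'apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/tmp/krb5cc_0"',
    'apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-3fMzuWmKOS" '
    'pid=889 comm="isc-worker0002" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'audit: type=1400 audit(1602664425.791:14): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/cupsd" name="/etc/printcap.cups" pid=15823 comm="cupsd" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'audit: type=1400 audit(1602664473.703:15): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/libnss-ldap.conf" pid=15823 comm="cupsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=104',
    'audit: type=1400 audit(1602664473.703:16): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/dev/urandom" pid=15823 comm="cupsd" '
    'requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
]

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Group denied permissions as profile -> path -> set of profile permissions."""
    needed, skipped = defaultdict(lambda: defaultdict(set)), []
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        mask = rec.get("denied_mask", "")
        if not (mask and "profile" in rec and "name" in rec) or set(mask) - set(MASK_TO_PERM):
            skipped.append(line)  # incomplete record or exec/unknown mask: review by hand
            continue
        needed[rec["profile"]][rec["name"]].update(MASK_TO_PERM[c] for c in mask)
    return needed, skipped

def candidate_rules(needed):
    """Render each path as a candidate rule line; w already covers append."""
    rules = {}
    for profile, paths in needed.items():
        rules[profile] = []
        for path in sorted(paths):
            perms = paths[path] - ({"a"} if "w" in paths[path] else set())
            rules[profile].append(path + " " + "".join(p for p in "rwaklm" if p in perms) + ",")
    return rules
```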
I disabled apparmor for now:
    [5.0-0 26f63ea3a7] Bug #51786: Disable apparmor
    [5.0-0 73e27860d5] Bug #51786: Disable apparmor (changelog)
TBD: Do we want to let it stay disabled? Do we want a ucr option to re-enable it?
As discussed, we leave apparmor deactivated for now.
ec6326187c | UCS-5 Changelog entry
UCS 5.0 has been released:
    https://docs.software-univention.de/release-notes-5.0-0-en.html
    https://docs.software-univention.de/release-notes-5.0-0-de.html
If this error occurs again, please use "Clone This Bug".