Bug 51786 - bind9 with samba4 and cups do not start due to missing files in apparmor profile
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: DNS
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0
Assigned To: Jürn Brodersen
Arvid Requate
Reported: 2020-08-07 01:24 CEST by Jürn Brodersen
Modified: 2021-05-25 15:58 CEST
What kind of report is it?: Development Internal
Description Jürn Brodersen univentionstaff 2020-08-07 01:24:56 CEST
bind9 does not start with samba4 backend due to missing files in apparmor profile

Debian Buster activates apparmor by default. The supplied profile for the named daemon is missing some files for the samba4 backend.

Question: Do we want to fix this or deactivate the profile completely?
Comment 1 Jürn Brodersen univentionstaff 2020-08-07 09:46:39 CEST
r19123: Bug #51786: fix apparmor profile for named
Comment 2 Jürn Brodersen univentionstaff 2020-08-07 09:52:45 CEST
There still seem to be some rules missing:
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/tmp/krb5cc_0"
apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-3fMzuWmKOS" pid=889 comm="isc-worker0002" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

See /var/log/kern.log
Comment 3 Jürn Brodersen univentionstaff 2020-10-15 10:16:13 CEST
cups has similar problems:


audit: type=1400 audit(1602664425.791:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/etc/printcap.cups" pid=15823 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

audit: type=1400 audit(1602664473.703:15): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/libnss-ldap.conf" pid=15823 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=104

audit: type=1400 audit(1602664473.703:16): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/dev/urandom" pid=15823 comm="cupsd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
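
An added example, not part of the original bug report or of Univention's fix: a small Python parser that turns the denial lines quoted in comments 2 and 3 into candidate file rules per profile, for review before anything goes into a profile. The function names are hypothetical, and the fallback from operation="file_lock" to the k permission for the line that carries no mask is an assumption.

```python
import re
from collections import defaultdict

# Denial lines copied from comments 2 and 3 of this report.
SAMPLE_LOG = '''
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/tmp/krb5cc_0"
apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-3fMzuWmKOS" pid=889 comm="isc-worker0002" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1602664425.791:14): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/etc/printcap.cups" pid=15823 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1602664473.703:15): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/libnss-ldap.conf" pid=15823 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=104
audit: type=1400 audit(1602664473.703:16): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/dev/urandom" pid=15823 comm="cupsd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks use c (create) and d (delete); profile rules grant both via "w".
# Exec denials are skipped: they need a transition mode chosen by a human.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "k": "k", "l": "l", "m": "m"}
# Assumption: a line without denied_mask (the first one above) gets its
# permission inferred from the operation name.
OP_FALLBACK = {"file_lock": "k"}
ORDER = "rwaklm"

def parse_denial(line):
    """Return (profile, path, perms) for a file denial, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    profile, path = fields.get("profile"), fields.get("name")
    if fields.get("apparmor") != "DENIED" or not profile or not path:
        return None
    mask = fields.get("denied_mask") or OP_FALLBACK.get(fields.get("operation"), "")
    perms = {LOG_TO_RULE[c] for c in mask if c in LOG_TO_RULE}
    return (profile, path, perms) if perms else None

def suggest_rules(log_text):
    """Group denials per profile and merge the permissions seen per path."""
    merged = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        hit = parse_denial(line)
        if hit:
            profile, path, perms = hit
            merged[profile][path] |= perms
    return {
        profile: [f"{path} {''.join(p for p in ORDER if p in paths[path])},"
                  for path in sorted(paths)]
        for profile, paths in merged.items()
    }

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

/tmp-3fMzuWmKOS looks like a randomly named temporary file, so a literal rule for it would not match on the next start; that entry needs a reviewed glob rather than the logged path.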
Comment 4 Jürn Brodersen univentionstaff 2020-10-15 10:20:00 CEST
I disabled apparmor for now:
[5.0-0 26f63ea3a7] Bug #51786: Disable apparmor
[5.0-0 73e27860d5] Bug #51786: Disable apparmor (changelog)


TBD:
Do we want to let it stay disabled?
Do we want a UCR option to re-enable it?
Comment 5 Jürn Brodersen univentionstaff 2021-02-19 15:22:45 CET
As discussed, we leave apparmor deactivated for now.
Comment 6 Arvid Requate univentionstaff 2021-03-02 15:24:22 CET
ec6326187c | UCS-5 Changelog entry
Comment 7 Florian Best univentionstaff 2021-05-25 15:58:36 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".