[pkg-apparmor] Bug#1020315: bind9: Spams /var/log/syslog with apparmor DENIED /sys/kernel/mm/transparent_hugepage/enabled

Stefan Björnelund (Debian bugreport) stefanb+debianbug1 at bjornelund.se
Mon Sep 19 21:25:23 BST 2022


Package: bind9
Version: 1:9.18.6-2
Severity: normal
Tags: patch
X-Debbugs-Cc: pkg-apparmor-team at lists.alioth.debian.org

With apparmor enabled for named, the /var/log/syslog file ends up with 
a lot of unnecessary DENIED messages, as read access to 
/sys/kernel/mm/transparent_hugepage/enabled seems to have been 
accidentally excluded by the hardening.
Restoring the read access seems to resolve the issue, see attached patch.


Examples:
/var/log/syslog:Sep 18 00:45:12 pippi kernel: [568935.135647] audit: type=1400 audit(1663454712.445:191): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=234038 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 01:54:18 pippi kernel: [573081.399636] audit: type=1400 audit(1663458858.813:192): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=235380 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 03:26:40 pippi kernel: [578622.720520] audit: type=1400 audit(1663464400.273:193): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=236920 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 04:42:21 pippi kernel: [583163.451230] audit: type=1400 audit(1663468941.119:194): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=237915 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 05:50:00 pippi kernel: [587222.657447] audit: type=1400 audit(1663473000.425:195): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=239109 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 07:15:15 pippi kernel: [592337.151577] audit: type=1400 audit(1663478115.049:196): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=243061 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 08:42:55 pippi kernel: [597597.185578] audit: type=1400 audit(1663483375.213:197): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=247004 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 09:52:30 pippi kernel: [601772.451830] audit: type=1400 audit(1663487550.586:198): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=248343 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 11:12:27 pippi kernel: [606569.547243] audit: type=1400 audit(1663492347.802:199): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=252396 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 12:25:25 pippi kernel: [610946.891663] audit: type=1400 audit(1663496725.256:200): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=254642 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 13:50:03 pippi kernel: [616024.685028] audit: type=1400 audit(1663501803.180:201): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=257604 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 15:05:34 pippi kernel: [620555.410211] audit: type=1400 audit(1663506334.014:202): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=260179 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 16:37:47 pippi kernel: [626088.694992] audit: type=1400 audit(1663511867.436:203): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=262246 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 18:00:21 pippi kernel: [631042.827598] audit: type=1400 audit(1663516821.692:204): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=264295 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 19:15:41 pippi kernel: [635562.798692] audit: type=1400 audit(1663521341.781:205): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=267350 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 20:43:37 pippi kernel: [640838.555665] audit: type=1400 audit(1663526617.670:206): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=268844 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 21:53:28 pippi kernel: [645029.178793] audit: type=1400 audit(1663530808.399:207): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=270477 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 23:03:19 pippi kernel: [649220.506898] audit: type=1400 audit(1663534999.831:208): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=272038 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
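A small triage helper for denials of the kind shown above, added here as an example and not part of the bug report or of the bind9 package: it parses AppArmor type=1400 audit lines, counts DENIED events per profile, path and mask, and emits candidate profile rules (such as the read rule the report's patch restores) for a human to review before touching /etc/apparmor.d/usr.sbin.named. The sample log lines are constructed to match the report's format; the ALLOWED line stands for a complain-mode event and is there to show that only denials are counted.

```python
import re
from collections import Counter

# Constructed sample in the format of the syslog lines quoted in the report.
SAMPLE_LOG = """\
Sep 18 00:45:12 pippi kernel: [568935.135647] audit: type=1400 audit(1663454712.445:191): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=234038 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 18 01:54:18 pippi kernel: [573081.399636] audit: type=1400 audit(1663458858.813:192): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=235380 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 18 02:00:00 pippi kernel: [573500.000000] audit: type=1400 audit(1663459200.000:193): apparmor="ALLOWED" operation="open" profile="named" name="/etc/bind/named.conf" pid=235380 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 18 02:00:01 pippi named[235380]: zone localhost/IN: loaded serial 2
"""

# key="quoted value" or key=bare_value; audit values do not contain unescaped quotes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None for anything else."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    if fields.get("type") != "1400" or "apparmor" not in fields:
        return None
    return fields


def summarize_denials(text):
    """Count DENIED events keyed by (profile, path, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            counts[(fields["profile"], fields["name"], fields["denied_mask"])] += 1
    return counts


def suggest_rules(counts):
    """Turn each denied (path, mask) pair into a candidate AppArmor rule for review."""
    return sorted(f"{path} {mask}," for (_profile, path, mask) in counts)


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_LOG)
    for (profile, path, mask), n in denials.items():
        print(f"{n:4d}  profile={profile} path={path} denied_mask={mask}")
    print("candidate rules:", *suggest_rules(denials), sep="\n  ")
```

Run it against a real syslog with `summarize_denials(open("/var/log/syslog").read())`; a rule such as `/sys/kernel/mm/transparent_hugepage/enabled r,` should only be added to the profile once someone has confirmed the access is legitimate for the daemon.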



-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (800, 'testing'), (300, 'unstable')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.128
ii bind9-libs 1:9.18.6-2
ii bind9-utils 1:9.18.6-2
ii cdebconf [debconf-2.0] 0.264
ii debconf [debconf-2.0] 1.5.79
ii dns-root-data 2021011101
ii init-system-helpers 1.64
ii iproute2 5.19.0-1
ii libc6 2.34-7
ii libcap2 1:2.44-1
ii libfstrm0 0.6.1-1
ii libjson-c5 0.16-1
ii liblmdb0 0.9.24-1
ii libmaxminddb0 1.5.2-1
ii libnghttp2-14 1.49.0-1
ii libprotobuf-c1 1.4.1-1
ii libssl3 3.0.5-2
ii libuv1 1.44.2-1
ii libxml2 2.9.14+dfsg-1+b1
ii lsb-base 11.2
ii netbase 6.3
ii zlib1g 1:1.2.11.dfsg-4.1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind-doc <none>
ii bind9-dnsutils [dnsutils] 1:9.18.6-2
ii dnsutils 1:9.18.6-2
pn resolvconf <none>
ii ufw 0.36.1-4

-- Configuration Files:
/etc/apparmor.d/usr.sbin.named changed [not included]
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]

-- debconf information:
bind9/run-resolvconf: false
bind9/different-configuration-file:
bind9/start-as-user: bind

-- 
/Stefan B. (bugreporter)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: etc_apparmor.d_usr.sbin.named.patch
Type: text/x-patch
Size: 410 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20220919/5835a817/attachment.bin>

