<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Package: bind9<br>
    Version: 1:9.18.6-2<br>
    Severity: normal<br>
    Tags: patch<br>
    X-Debbugs-Cc: <a class="moz-txt-link-abbreviated" href="mailto:pkg-apparmor-team@lists.alioth.debian.org">pkg-apparmor-team@lists.alioth.debian.org</a><br>
    <br>
    <p>With <span style="font-family:monospace">apparmor</span> enabled
      for named, the <span style="font-family:monospace">/var/log/syslog</span>
      file ends up with a lot of unnecessary DENIED messages,<br>
      as read access to
      <span style="font-family:monospace">/sys/kernel/mm/transparent_hugepage/enabled</span>
      seems to have been accidentally excluded by the hardening.<br>
      Restoring the read access seems to resolve the issue, see attached patch.</p>
    <p><span style="font-family:monospace"><br>
        Examples:<br>
      </span><span style="font-family:monospace">/var/log/syslog:Sep 18
        00:45:12 pippi kernel: [568935.135647] audit: type=1400
        audit(1663454712.445:191): apparmor="DENIED" operation="open"
        profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=234038 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 01:54:18 pippi kernel: [573081.399636]
        audit: type=1400 audit(1663458858.813:192): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=235380 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 03:26:40 pippi kernel: [578622.720520]
        audit: type=1400 audit(1663464400.273:193): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=236920 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 04:42:21 pippi kernel: [583163.451230]
        audit: type=1400 audit(1663468941.119:194): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=237915 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 05:50:00 pippi kernel: [587222.657447]
        audit: type=1400 audit(1663473000.425:195): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=239109 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 07:15:15 pippi kernel: [592337.151577]
        audit: type=1400 audit(1663478115.049:196): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=243061 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 08:42:55 pippi kernel: [597597.185578]
        audit: type=1400 audit(1663483375.213:197): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=247004 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 09:52:30 pippi kernel: [601772.451830]
        audit: type=1400 audit(1663487550.586:198): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=248343 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 11:12:27 pippi kernel: [606569.547243]
        audit: type=1400 audit(1663492347.802:199): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=252396 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 12:25:25 pippi kernel: [610946.891663]
        audit: type=1400 audit(1663496725.256:200): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=254642 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 13:50:03 pippi kernel: [616024.685028]
        audit: type=1400 audit(1663501803.180:201): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=257604 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 15:05:34 pippi kernel: [620555.410211]
        audit: type=1400 audit(1663506334.014:202): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=260179 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 16:37:47 pippi kernel: [626088.694992]
        audit: type=1400 audit(1663511867.436:203): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=262246 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 18:00:21 pippi kernel: [631042.827598]
        audit: type=1400 audit(1663516821.692:204): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=264295 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 19:15:41 pippi kernel: [635562.798692]
        audit: type=1400 audit(1663521341.781:205): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=267350 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 20:43:37 pippi kernel: [640838.555665]
        audit: type=1400 audit(1663526617.670:206): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=268844 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 21:53:28 pippi kernel: [645029.178793]
        audit: type=1400 audit(1663530808.399:207): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=270477 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        <br>
        /var/log/syslog:Sep 18 23:03:19 pippi kernel: [649220.506898]
        audit: type=1400 audit(1663534999.831:208): apparmor="DENIED"
        operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled"
        pid=272038 comm="named"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0<br>
      </span></p>
    <br>
    -- System Information:<br>
    Debian Release: bookworm/sid<br>
    APT prefers testing<br>
    APT policy: (800, 'testing'), (300, 'unstable')<br>
    merged-usr: no<br>
    Architecture: amd64 (x86_64)<br>
    <br>
    Kernel: Linux 5.19.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)<br>
    Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND,
    TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE<br>
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
    LANGUAGE=en_US:en<br>
    Shell: /bin/sh linked to /bin/dash<br>
    Init: systemd (via /run/systemd/system)<br>
    LSM: AppArmor: enabled<br>
    <br>
    Versions of packages bind9 depends on:<br>
    ii adduser 3.128<br>
    ii bind9-libs 1:9.18.6-2<br>
    ii bind9-utils 1:9.18.6-2<br>
    ii cdebconf [debconf-2.0] 0.264<br>
    ii debconf [debconf-2.0] 1.5.79<br>
    ii dns-root-data 2021011101<br>
    ii init-system-helpers 1.64<br>
    ii iproute2 5.19.0-1<br>
    ii libc6 2.34-7<br>
    ii libcap2 1:2.44-1<br>
    ii libfstrm0 0.6.1-1<br>
    ii libjson-c5 0.16-1<br>
    ii liblmdb0 0.9.24-1<br>
    ii libmaxminddb0 1.5.2-1<br>
    ii libnghttp2-14 1.49.0-1<br>
    ii libprotobuf-c1 1.4.1-1<br>
    ii libssl3 3.0.5-2<br>
    ii libuv1 1.44.2-1<br>
    ii libxml2 2.9.14+dfsg-1+b1<br>
    ii lsb-base 11.2<br>
    ii netbase 6.3<br>
    ii zlib1g 1:1.2.11.dfsg-4.1<br>
    <br>
    bind9 recommends no packages.<br>
    <br>
    Versions of packages bind9 suggests:<br>
    pn bind-doc &lt;none&gt;<br>
    ii bind9-dnsutils [dnsutils] 1:9.18.6-2<br>
    ii dnsutils 1:9.18.6-2<br>
    pn resolvconf &lt;none&gt;<br>
    ii ufw 0.36.1-4<br>
    <br>
    -- Configuration Files:<br>
    /etc/apparmor.d/usr.sbin.named changed [not included]<br>
    /etc/bind/named.conf changed [not included]<br>
    /etc/bind/named.conf.local changed [not included]<br>
    /etc/bind/named.conf.options changed [not included]<br>
    <br>
    -- debconf information:<br>
    bind9/run-resolvconf: false<br>
    bind9/different-configuration-file:<br>
    bind9/start-as-user: bind<br>
    <pre class="moz-signature" cols="72">-- 
/Stefan B. (bugreporter)</pre>
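    <p>Added example, not part of the original report or of the bind9 package: a triage script that groups AppArmor DENIED audit records like the ones quoted above by profile, path and denied mask, and derives candidate file rules from those fields for review. The function names and the sample input are assumptions of this example; the attached patch itself is not shown on this page, so the rule text here comes only from the log fields.</p>

```python
import re
from collections import defaultdict

# Sample input: the first two records are from the report (wrapped path
# rejoined); the ALLOWED record and the systemd line are constructed.
SAMPLE_LOG = """\
Sep 18 00:45:12 pippi kernel: [568935.135647] audit: type=1400 audit(1663454712.445:191): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=234038 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 18 01:54:18 pippi kernel: [573081.399636] audit: type=1400 audit(1663458858.813:192): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=235380 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 18 02:00:00 pippi kernel: [573500.000000] audit: type=1400 audit(1663459200.000:900): apparmor="ALLOWED" operation="open" profile="named" name="/etc/bind/named.conf" pid=235380 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 18 02:00:01 pippi systemd[1]: Started a constructed unrelated line.
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
        if key == "name" and not raw.startswith('"'):
            # The audit layer hex-encodes names that contain unsafe characters.
            try:
                fields[key] = bytes.fromhex(raw).decode()
            except ValueError:
                pass  # not hex: keep the raw token
    return fields

def summarize(log_text):
    """Group DENIED records by (profile, path, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED":
            key = (rec.get("profile"), rec.get("name"), rec.get("denied_mask"))
            groups[key]["count"] += 1
            groups[key]["pids"].add(rec.get("pid"))
    return dict(groups)

def candidate_rules(groups):
    """Map each profile to file rules matching the denials; review before use."""
    rules = defaultdict(set)
    for profile, name, mask in groups:
        if name and name.startswith("/"):
            rules[profile].add(f"{name} {mask},")
    return {profile: sorted(lines) for profile, lines in rules.items()}

if __name__ == "__main__":
    print(candidate_rules(summarize(SAMPLE_LOG)))
```

    <p>Each candidate rule should be checked against what the confined program legitimately needs before it goes into the profile.</p>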
  </body>
</html>