[pkg-apparmor] Bug#920530: apparmor: Apparmour breaks bind/named DLZ with samba

Sat Jan 26 16:57:38 GMT 2019

Package: apparmor
Version: 2.11.0-3+deb9u2
Severity: normal

Dear Maintainer,

A piece of replacement kit went in requiring a newer kernel from backports, 
which brought in apparmour as a recommend. However in its currently shipping 
form this broke the bind DLZ that's used with samba (to host DNS for active 
directory). For those unfamiliar, DLZ = Dynamically Loadable Zone and the way it 
works is samba populates a zone file which bind is then pointed at to load.

Once this was spotted we didn't have a great deal of time to fix it and I 
eventually just placed apparmour in complain mode for named to bypass the issue;
     aa-complain /usr/sbin/named

I did try modifying some of the config in order to get bind/samba to work, but 
it was my first time trying to futz apparmour and I ultimately didn't get it 
working. I've since discovered samba have official info on apparmour here 
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration - 
following on from that and what I've seen in kern.log I believe the debian 
configuration in /etc/apparmor.d/usr.sbin.named should contain something like:

     /usr/lib/x86_64-linux-gnu/samba/** rm,
     /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
     /var/lib/samba/private/dns.keytab r,
     /var/lib/samba/private/named.conf r,
     /var/lib/samba/private/dns/** rwk,
     /etc/smb.conf r,

...but obviously I'd like someone who knows what they're doing to have a look 
first as it's possible those permissions are too loose (like I say, I'm still 
a-learnin'). If and when I get an opportunity to test this I'll report back as 
to whether it works.

-- System Information:
Debian Release: 9.7
   APT prefers stable
   APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libapparmor-perl       2.11.0-3+deb9u2
ii  libc6                  2.24-11+deb9u3
ii  lsb-base               9.20161125
ii  python3                3.5.3-1

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles        <none>
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           2.11.0-3+deb9u2

-- debconf information:
   apparmor/homedirs: