Package: bind9
Version: 1:9.11.2+dfsg-1
Severity: minor
Tags: patch
Dear Maintainer,
The bind apparmor policy is blocking the ability of bind to change its
worker thread names.
type=AVC msg=audit(1512011335.533:12422): apparmor="DENIED"
operation="open" profile="/usr/sbin/named"
name="/proc/31264/task/31268/comm" pid=31264 comm="named"
requested_mask="wr" denied_mask="wr" fsuid=108 ouid=108
Adding this line to the policy allowed bind to change it thread names:
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages bind9 depends on:
ii adduser 3.116
ii bind9utils 1:9.11.2+dfsg-1
ii debconf [debconf-2.0] 1.5.65
ii libbind9-160 1:9.11.2+dfsg-1
ii libc6 2.25-2
ii libcap2 1:2.25-1.2
ii libcomerr2 1.43.7-1
ii libdns169 1:9.11.2+dfsg-1
ii libgeoip1 1.6.11-3
ii libgssapi-krb5-2 1.15.2-2
ii libirs160 1:9.11.2+dfsg-1
ii libisc166 1:9.11.2+dfsg-1
ii libisccc160 1:9.11.2+dfsg-1
ii libisccfg160 1:9.11.2+dfsg-1
ii libjson-c3 0.12.1-1.2
ii libk5crypto3 1.15.2-2
ii libkrb5-3 1.15.2-2
ii liblwres160 1:9.11.2+dfsg-1
ii libssl1.1 1.1.0g-2
ii libxml2 2.9.4+dfsg1-5.1
ii lsb-base 9.20170808
ii net-tools 1.60+git20161116.90da8a0-1
ii netbase 5.4
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.11.2+dfsg-1
pn resolvconf <none>
pn ufw <none>
-- Configuration Files:
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]
/etc/bind/zones.rfc1918 changed [not included]
-- debconf information:
* bind9/run-resolvconf: false
* bind9/different-configuration-file:
* bind9/start-as-user: bind
