Bernhard Schmidt <be...@debian.org> writes:
>Any more warnings you experienced?

I'm glad you asked. Since my last message, I have been getting the following 
three logs every two or three days:

Apr 11 00:49:41 dc1 kernel: [489173.713080] audit: type=1400 audit(1554968981.353:17): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/krb5_RCjltFy7" pid=426 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
Apr 11 00:49:41 dc1 kernel: [489173.713685] audit: type=1400 audit(1554968981.357:18): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/tmp/krb5_RCjltFy7" pid=426 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=108
Apr 11 00:49:41 dc1 kernel: [489173.835799] audit: type=1400 audit(1554968981.477:19): apparmor="ALLOWED" operation="rename_src" profile="/usr/sbin/named" name="/var/tmp/krb5_RCjltFy7" pid=426 comm="isc-worker0000" requested_mask="wrd" denied_mask="wrd" fsuid=108 ouid=108

Always between 12:00am and 01:00am, and always those same three operations 
(mknod, open, and rename_src) on a randomly-named (with 'krb5' prefix) 
tempfile. I'm not sure what it represents, but it could be some kind of 
periodic house-keeping by the daemon. I'm not 100% certain that these logs 
are connected with the Samba BIND9_DLZ, but it seems likely, since the 
'krb5' prefix hints at a Kerberos connection.

>> I am unsure how to provide appropriate access to
>> '/dev/urandom', as I don't understand what the denied_mask="wc" means.
>> Maybe simple "read" (r) access would cover it, like this (?):
>> 
>> /dev/urandom r,
>
>I'm unsure about that either. Ccing the Apparmor maintainer, I'm not
>sure whether anything additional is needed for access to /dev/urandom.
>
I think something will need to be added to the 'usr.sbin.named' profile, 
because I added '/dev/urandom r' to my '/etc/apparmor.d/local/usr.sbin.named', 
but I still occasionally get entries in my log that look like this:

Apr  5 09:49:40 dc1 kernel: [ 3176.419143] audit: type=1400 audit(1554482980.697:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=426 comm="isc-worker0000" requested_mask="wc" denied_mask="wc" fsuid=108 ouid=0

-S.M.
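
Added example (not part of the original message, and not code from the bind9 or AppArmor packages): a small Python parser that reads the audit records quoted above, rejoined onto single lines, and reduces each path's denied_mask letters to profile permission letters. It assumes that the audit-log letters c (create) and d (delete) have no rule letter of their own and fall under w in a profile; the function names are illustrative.

```python
import re
from collections import defaultdict

# Audit records copied from the message above, rejoined onto single lines.
SAMPLE = """\
Apr 11 00:49:41 dc1 kernel: [489173.713080] audit: type=1400 audit(1554968981.353:17): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/krb5_RCjltFy7" pid=426 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
Apr 11 00:49:41 dc1 kernel: [489173.713685] audit: type=1400 audit(1554968981.357:18): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/tmp/krb5_RCjltFy7" pid=426 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=108
Apr 11 00:49:41 dc1 kernel: [489173.835799] audit: type=1400 audit(1554968981.477:19): apparmor="ALLOWED" operation="rename_src" profile="/usr/sbin/named" name="/var/tmp/krb5_RCjltFy7" pid=426 comm="isc-worker0000" requested_mask="wrd" denied_mask="wrd" fsuid=108 ouid=108
Apr  5 09:49:40 dc1 kernel: [ 3176.419143] audit: type=1400 audit(1554482980.697:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=426 comm="isc-worker0000" requested_mask="wc" denied_mask="wc" fsuid=108 ouid=0
"""

# Assumption (see lead-in): log letters c (create) and d (delete) are covered
# by the w permission in a profile rule. Letters not listed here are reported
# as "?" so they get looked at by hand instead of being guessed.
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w",
                "a": "a", "k": "k", "l": "l", "m": "m"}
FIELD = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" pairs only
ORDER = "rwaklm?"


def needed_rules(text, profile="/usr/sbin/named"):
    """Map each logged path to the rule letters its denied_mask values imply."""
    perms = defaultdict(set)
    for line in text.splitlines():
        rec = dict(FIELD.findall(line))
        # Skip non-AppArmor lines and records for other profiles.
        if "apparmor" not in rec or rec.get("profile") != profile:
            continue
        if "name" not in rec:
            continue  # e.g. capability or network records carry no path
        for letter in rec.get("denied_mask", ""):
            perms[rec["name"]].add(MASK_TO_RULE.get(letter, "?"))
    return {p: "".join(sorted(s, key=ORDER.index)) for p, s in perms.items()}


def format_rules(rules):
    """Render the result in profile-rule syntax for review, sorted by path."""
    return [f"{path} {letters}," for path, letters in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(format_rules(needed_rules(SAMPLE))))
```

The output lists what the logged accesses asked for; whether named should be granted each of them is still a decision for the profile maintainer.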

