Package: bind9
Version: 1:9.11.5.P4+dfsg-4
Severity: normal
Dear Maintainer,
I have been testing samba4 and bind9 as an active directory (AD)
controller, specifically using the "BIND9_DLZ" DNS backend.
I am currently running apparmor (as is the default for buster), and I have
placed the 'usr.sbin.named' profile into "complain" mode. The following
three apparmor "complaint" logs have appeared in my AD controller's syslog:
May 1 13:32:56 dc1 kernel: [17727.789937] audit: type=1400 audit(1556742776.381:10): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/krb5_RCvYddKZ" pid=2310 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
May 1 13:32:56 dc1 kernel: [17727.790103] audit: type=1400 audit(1556742776.381:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/tmp/krb5_RCvYddKZ" pid=2310 comm="isc-worker0000" requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=108
May 1 13:32:56 dc1 kernel: [17727.978730] audit: type=1400 audit(1556742776.569:12): apparmor="ALLOWED" operation="rename_src" profile="/usr/sbin/named" name="/var/tmp/krb5_RCvYddKZ" pid=2310 comm="isc-worker0000" requested_mask="wrd" denied_mask="wrd" fsuid=108 ouid=108
I am not 100% certain, but I believe the logs were generated during the
process of promoting another AD controller to the domain. If the apparmor
profile was running in "enforce" mode, it is quite likely that the
bind9/named daemon would have crashed. This would not be acceptable in a
production environment.
Looking at the logs, it appears to me that the 'usr.sbin.named' apparmor
profile is incomplete, at least with regards to the use-case of providing
the BIND9_DLZ DNS backend for Samba.
The following patch (untested) to /etc/apparmor.d/usr.sbin.named
may suffice to cover the logs quoted above:
=== BEGIN PATCH ===
--- a/usr.sbin.named 2019-04-26 01:33:13.000000000 -0700
+++ b/usr.sbin.named 2019-05-02 09:14:42.199214079 -0700
@@ -87,6 +87,7 @@
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
+ /var/tmp/krb5_* rwk,
# Site-specific additions and overrides. See local/README for
details.
#include <local/usr.sbin.named>
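Review bot: the rename_src event carries denied_mask="wrd" but no rename_dest event is in the quoted log, so the rename target is not shown and `/var/tmp/krb5_* rwk,` may still leave the destination uncovered; since the patch is marked untested, keep the profile in complain mode after applying it and confirm no further /var/tmp entries appear before switching to enforce. Two smaller points on the added line: all three events have fsuid=108 ouid=108, so an `owner` prefix (`owner /var/tmp/krb5_* rw,`) stops named from touching other users' files in the world-writable /var/tmp, and none of the logged masks contain k, so `rw` is all the log supports. The rule also belongs next to the existing `/var/tmp/DNS_* rw,` line under "# dynamic updates" rather than after `/dev/urandom` in the Samba DLZ block.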
=== END PATCH ===
Thanks,
-S.M.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (300, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bind9 depends on:
ii adduser 3.118
ii bind9utils 1:9.11.5.P4+dfsg-4
ii debconf [debconf-2.0] 1.5.71
ii dns-root-data 2019031302
ii libbind9-161 1:9.11.5.P4+dfsg-4
ii libc6 2.28-8
ii libcap2 1:2.25-2
ii libcom-err2 1.44.5-1
ii libdns1104 1:9.11.5.P4+dfsg-4
ii libfstrm0 0.4.0-1
ii libgeoip1 1.6.12-1
ii libgssapi-krb5-2 1.17-2
ii libisc1100 1:9.11.5.P4+dfsg-4
ii libisccc161 1:9.11.5.P4+dfsg-4
ii libisccfg163 1:9.11.5.P4+dfsg-4
ii libjson-c3 0.12.1+ds-2
ii libk5crypto3 1.17-2
ii libkrb5-3 1.17-2
ii liblmdb0 0.9.22-1
ii liblwres161 1:9.11.5.P4+dfsg-4
ii libprotobuf-c1 1.3.1-1+b1
ii libssl1.1 1.1.1b-2
ii libxml2 2.9.4+dfsg1-7+b3
ii lsb-base 10.2019031300
ii net-tools 1.60+git20180626.aebd88e-1
ii netbase 5.6
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.11.5.P4+dfsg-4
pn resolvconf <none>
pn ufw <none>
-- Configuration Files:
/etc/apparmor.d/usr.sbin.named changed:
/usr/sbin/named flags=(attach_disconnected, complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# Database file used by allow-new-zones
/var/cache/bind/_default.nzd-lock rwk,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/openssl.cnf r,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/mc/initgroups r,
/etc/gss/mech.d/ r,
# ldap
/etc/ldap/ldap.conf r,
/{,var/}run/slapd-*.socket rw,
# dynamic updates
/var/tmp/DNS_* rw,
# dyndb backends
/usr/lib/bind/*.so rm,
# Samba DLZ
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}
/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
/etc/bind/named.conf.options changed:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
10.1.30.22; 10.1.30.26;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
allow-transfer { "none"; };
};
-- debconf information:
bind9/different-configuration-file:
bind9/start-as-user: bind
bind9/run-resolvconf: false
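The following is an added example and is not part of this report, the bind9 package or aa-logprof. It re-does by hand what aa-logprof does for the three audit lines quoted above: parses the type=1400 lines, folds the audit-mask letters (create, delete) into policy permissions, checks the path against the rules already in the profile using AppArmor glob semantics (* stops at /, ** does not), and prints the rule that is still missing. The three log lines are re-joined copies of the ones in the report; the EXISTING_RULES list is a constructed subset of the shipped profile; generalize_tmpname assumes the last six characters of the file name are a mkstemp-style random suffix, which is a heuristic, not something the log states. AppArmor variables such as @{multiarch} are not expanded.

```python
"""Derive the AppArmor file rule an audit log says is missing.

Added example, not code from the bug report or the bind9 package.
"""
import os
import re

# The three audit lines from the report, each re-joined onto one line
# (constructed sample input, identical in content to the report).
SAMPLE_AUDIT_LINES = [
    'May 1 13:32:56 dc1 kernel: [17727.789937] audit: type=1400 audit(1556742776.381:10): '
    'apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/named" '
    'name="/var/tmp/krb5_RCvYddKZ" pid=2310 comm="isc-worker0000" '
    'requested_mask="c" denied_mask="c" fsuid=108 ouid=108',
    'May 1 13:32:56 dc1 kernel: [17727.790103] audit: type=1400 audit(1556742776.381:11): '
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" '
    'name="/var/tmp/krb5_RCvYddKZ" pid=2310 comm="isc-worker0000" '
    'requested_mask="wrc" denied_mask="wrc" fsuid=108 ouid=108',
    'May 1 13:32:56 dc1 kernel: [17727.978730] audit: type=1400 audit(1556742776.569:12): '
    'apparmor="ALLOWED" operation="rename_src" profile="/usr/sbin/named" '
    'name="/var/tmp/krb5_RCvYddKZ" pid=2310 comm="isc-worker0000" '
    'requested_mask="wrd" denied_mask="wrd" fsuid=108 ouid=108',
]

# Constructed subset of the rules in the shipped usr.sbin.named profile.
EXISTING_RULES = [
    "/var/tmp/DNS_* rw,",
    "/dev/urandom rwmk,",
    "/var/lib/samba/private/dns/** rwk,",
]

AUDIT_RE = re.compile(
    r'apparmor="(?P<status>[A-Z]+)"\s+operation="(?P<op>[^"]+)"\s+'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)".*?'
    r'denied_mask="(?P<mask>[^"]+)"\s+fsuid=(?P<fsuid>\d+)\s+ouid=(?P<ouid>\d+)'
)
RULE_RE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+),\s*$")

# Audit masks report create (c) and delete (d) separately; policy grants
# both through w, so they are folded into w here.
FOLD = {"c": "w", "d": "w"}
ORDER = "rwalkmx"  # conventional ordering of permission letters in a rule


def parse_audit(line):
    """Return the fields of one type=1400 line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["fsuid"], ev["ouid"] = int(ev["fsuid"]), int(ev["ouid"])
    return ev


def policy_perms(mask):
    """Map an audit mask such as 'wrd' to policy letters such as 'rw'."""
    letters = {FOLD.get(c, c) for c in mask}
    return "".join(c for c in ORDER if c in letters)


def glob_to_regex(pattern):
    """AppArmor file glob to regex: * stops at '/', ** does not, {a,b} alternates."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_covers(rule, path, perms, is_owner=True):
    """True if an existing rule already grants `perms` on `path`."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a file rule: %r" % rule)
    if m.group("owner") and not is_owner:
        return False
    granted = set(m.group("perms"))
    if "w" in granted:
        granted.add("a")  # write implies append
    return glob_to_regex(m.group("path")).match(path) is not None and set(perms) <= granted


def generalize_tmpname(path):
    """Heuristic: replace a trailing six-character mkstemp-style suffix with '*'."""
    d, base = os.path.split(path)
    m = re.match(r"^(.+)[A-Za-z0-9]{6}$", base)
    return os.path.join(d, m.group(1) + "*") if m else path


def suggest_rules(audit_lines, existing_rules):
    """Rules needed for every path the log shows as ALLOWED (complain) or DENIED (enforce)."""
    needed = {}
    for line in audit_lines:
        ev = parse_audit(line)
        if ev is None or ev["status"] not in ("ALLOWED", "DENIED"):
            continue
        key = (ev["name"], ev["fsuid"] == ev["ouid"])
        needed.setdefault(key, set()).update(policy_perms(ev["mask"]))
    rules = []
    for (path, is_owner), letters in sorted(needed.items()):
        perms = "".join(c for c in ORDER if c in letters)
        if any(rule_covers(r, path, perms, is_owner) for r in existing_rules):
            continue
        rules.append("%s%s %s," % ("owner " if is_owner else "", generalize_tmpname(path), perms))
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AUDIT_LINES, EXISTING_RULES):
        print(rule)
```

For the quoted log this yields `owner /var/tmp/krb5_RC* rw,`: the fsuid/ouid match justifies the owner prefix, the masks never include k, and the heuristic keeps the glob tighter than `krb5_*`. Paste the full kernel log from a complain-mode run into SAMPLE_AUDIT_LINES and the profile's rules into EXISTING_RULES to see every gap at once, including any rename_dest target.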