Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1
Severity: normal

Dear Maintainer,
I upgraded one system to Buster and Bind9 refused to start, blocked by AppArmor:

audit: type=1400 audit(1562447210.397:15): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/home/jpprr/DEVSUBV/dns_slave/named.conf" pid=4481 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=120 ouid=120

All files are in a user's directory to be managed through a versioning system.
I will correct the profile to authorize the directory for reading.

Regards
JP P

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9utils             1:9.11.5.P4+dfsg-5.1
ii  debconf [debconf-2.0]  1.5.71
ii  dns-root-data          2019031302
ii  libbind9-161           1:9.11.5.P4+dfsg-5.1
ii  libc6                  2.28-10
ii  libcap2                1:2.25-2
ii  libcom-err2            1.44.5-1
ii  libdns1104             1:9.11.5.P4+dfsg-5.1
ii  libfstrm0              0.4.0-1
ii  libgeoip1              1.6.12-1
ii  libgssapi-krb5-2       1.17-3
ii  libisc1100             1:9.11.5.P4+dfsg-5.1
ii  libisccc161            1:9.11.5.P4+dfsg-5.1
ii  libisccfg163           1:9.11.5.P4+dfsg-5.1
ii  libjson-c3             0.12.1+ds-2
ii  libk5crypto3           1.17-3
ii  libkrb5-3              1.17-3
ii  liblmdb0               0.9.22-1
ii  liblwres161            1:9.11.5.P4+dfsg-5.1
ii  libprotobuf-c1         1.3.1-1+b1
ii  libssl1.1              1.1.1c-1
ii  libxml2                2.9.4+dfsg1-7+b3
ii  lsb-base               10.2019051400
ii  net-tools              1.60+git20180626.aebd88e-1
ii  netbase                5.6

bind9 recommends no packages.
Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.11.5.P4+dfsg-5.1
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/db.127 changed:
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.
localhost       IN      CNAME   k400l.

/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "EHILtJCarFnCtpxuzxnmwQ==";
};
key DHCP_UPDATEB {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "EHILtJCarFnCtpxuzxnmwQ==";
};

include "/etc/bind/named.conf.local";

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

// add entries for other zones below here
zone "jpp.fr" {
    file "/etc/bind/db.jpp.fr";
    include "/etc/bind/named.master";
};
zone "2.168.192.in-addr.arpa" {
    file "/etc/bind/db.192.168.2";
    include "/etc/bind/named.master";
};
zone "jpp1.fr" {
    file "/etc/bind/db.jpp1.fr";
    include "/etc/bind/named.master";
};
zone "1.168.192.in-addr.arpa" {
    file "/etc/bind/db.192.168.1";
    include "/etc/bind/named.master";
};
zone "jpp2.fr" {
    file "/etc/bind/db.jpp2.fr";
    include "/etc/bind/named.master";
};
zone "3.168.192.in-addr.arpa" {
    file "/etc/bind/db.192.168.3";
    include "/etc/bind/named.master";
};
zone "jpp6.fr" {
    file "/etc/bind/db.jpp6.fr";
    include "/etc/bind/named.master";
};
zone "2.0.0.0.0.0.c.f.ip6.arpa" {
    file "/etc/bind/db.jpp6.fr.rev";
    include "/etc/bind/named.master";
};
zone "jppozzi.dyndns.org" {
    file "/etc/bind/db.jppozzi.dyndns.org";
    include "/etc/bind/named.master";
};

/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
key "rndc-key" {
    algorithm hmac-md5;
    secret "x8YPx4fVPlCrY591vRQAL5ebd3cOHNXdoe2FtrlIM/Q0GuwnI1AT9+wp RzAz5NZFNRNqMeT9I2GSaDCobA9/JA==";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.rfc1918.local";

acl "ok_query" { 192.168.0.0/24; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.10.0/24; 127.0.0.1; fc00:2::/64; fc00:3::/64; };
acl "ok_transfert" { 127.0.0.1; 192.168.2.8; 192.168.2.10; 192.168.2.2; 192.168.2.70; fc00:2::8; fc00:2::2/64; };
acl "ok_recursion" { 192.168.1.1/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.2.0/24; 127.0.0.1; ::1; fc00:2::/64; fc00:3::/64; };
acl "jp_master" { 192.168.2.2; fc00:2::2; };

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        192.168.2.2;
    };

    allow-query { "ok_query"; };
    allow-query-cache { "ok_query"; };
    allow-transfer { "ok_transfert"; };
    allow-recursion { "ok_recursion"; };
    max-transfer-time-in 180;
    forward first;
    // check-names slave warn;
    // check-names master warn;
    statistics-file "/var/cache/bind/named.stats";
    zone-statistics full;
};

// reduce log verbosity on issues outside our control
logging {
    category lame-servers { null; };
};
// category cname { null; };

statistics-channels {
    inet * port 8053 allow { ok_query; };
    inet * port 953 allow { ok_query; };
};

server 0.0.0.0/0 {
    edns no;
};

/etc/bind/zones.rfc1918 [Errno 2] No such file or directory: '/etc/bind/zones.rfc1918'

-- debconf information:
  bind9/run-resolvconf: false
  bind9/different-configuration-file:
  bind9/start-as-user: bind