Package: unbound
Version: 1.17.1-2
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

     With our unbound configuration file unbound couldn't start.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

     Placed the unbound apparmor profile into complain mode rather than
     enforcing.

   * What was the outcome of this action?

     Managed to launch both unbound and bgpd.

   * What outcome did you expect instead?

     I would have expected unbound to be allowed to bind to a port out of
     the box.

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser                      3.132
ii  init-system-helpers          1.65.2
ii  libc6                        2.36-9
ii  libevent-2.1-7               2.1.12-stable-8
ii  libnghttp2-14                1.52.0-1
ii  libprotobuf-c1               1.4.1-1+b1
ii  libpython3.11                3.11.2-6
ii  libssl3                      3.0.8-1
ii  libsystemd0                  252.6-1
ii  sysvinit-utils [lsb-base]    3.06-4

Versions of packages unbound recommends:
ii  dns-root-data  2023010101

Versions of packages unbound suggests:
ii  apparmor  3.0.8-3
ii  openssl   3.0.8-1

-- Configuration Files:
/etc/apparmor.d/usr.sbin.unbound changed:

profile unbound /usr/sbin/unbound flags=(attach_disconnected, complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  # chown (chgrp) the Unix control socket
  capability chown,
  # chmod the Unix control socket
  capability fowner,
  capability fsetid,

  # added to abstractions/nameservices in Apparmor 2.12
  /var/lib/sss/mc/initgroups r,

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # root hints from dns-data-root
  /usr/share/dns/root.* r,

  # non-chrooted paths
  /etc/unbound/** r,
  owner /etc/unbound/*.key* rw,
  # explicitly deny (and audit) attempts to write to the key files
  # this should be unnecessary after switch to /run/unbound.ctl control socket
  # (here and below)
  audit deny /etc/unbound/unbound_control.{key,pem} rw,
  audit deny /etc/unbound/unbound_server.key w,

  # chrooted paths
  # unbound can be chrooted into /etc/unbound (upstream default) with
  # /var/lib/unbound/ bind-mounted to /etc/unbound/var/lib/unbound/,
  # or it can be chrooted into /var/lib/unbound/ with /etc/unbound/ copied
  # into there (previous debian package default).
  /{,etc/unbound/}var/lib/unbound/** r,
  owner /{,etc/unbound/}var/lib/unbound/** rw,
  audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_control.{key,pem} rw,
  audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_server.key w,

  /usr/sbin/unbound mr,

  /run/systemd/notify w,
  /run/unbound.pid rw,

  # Unix control socket
  /run/unbound.ctl rw,

  #include <local/usr.sbin.unbound>
}

/etc/unbound/unbound.conf [Errno 13] Permission denied: '/etc/unbound/unbound.conf'
/etc/unbound/unbound.conf.d/remote-control.conf [Errno 13] Permission denied: '/etc/unbound/unbound.conf.d/remote-control.conf'
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf [Errno 13] Permission denied: '/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf'

-- no debconf information