aa-genprof fails on scanning (bind9 named)

Bug #1883371 reported by Felix Stupp on 2020-06-13

Bug Description

While bind9 (named) was running with its profile enforced, it still failed to write its key file. To understand which rule is required to allow bind9 to write this file, I launched `aa-genprof /usr/sbin/named`, restarted bind9, waited until bind9 complained again about the failure and pressed `s` to initiate `aa-genprof`'s scan. `aa-genprof` fails and recommends opening a bug; the bug report generated by `aa-genprof` is attached.

Short introduction to my (bind9) setup, this might be helpful:
The system is running Debian Stable. It's a VM server, but several other processes are protected by AppArmor without any problems occurring. The system uses bind 9.16.3, a stable release downloaded from the official source, not Debian's repository (I require new features not given by Debian's version).
bind9 is configured to auto generate its KSK & ZSK keys for DNSSEC (see "dnssec-policy" in https://downloads.isc.org/isc/bind9/cur/9.16/doc/arm/Bv9ARM.pdf). I enabled the "inline-signing" option and use dynamic updates. I structured its directories as the following:
- /etc/bind: main configuration directory
- /etc/bind/zones: directory for all zones
- /etc/bind/zones/*: specific zone directory (e.g.: /etc/bind/zones/example.tld)
- /etc/bind/zones/*/keys: Directory containing keys
The default AppArmor profile for bind9 shipped by Debian allows bind9 to read the /etc/bind directory. I added the following rules to allow bind9 to create files and write into the specific zone and keys directories; bind9 must not be allowed to write into the all-zones directory:
  /etc/bind/zones/* rwk,
  /etc/bind/zones/*/** rwk,
But bind9 still seems not to be allowed to write e.g. `/etc/bind/zones/example.tld/keys/Kexample.tld+0000+458.private`. I would be glad to know why bind9 still fails to write the key file; however, this bug is about why `aa-genprof` fails to scan the logs.
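To pin down which rule is missing when a tool like aa-genprof cannot scan the log, here is an added example that is not part of the bug report and not AppArmor's own tooling: a small POSIX shell script that turns AppArmor DENIED audit lines into candidate profile rules, plus a simplified emulation of AppArmor's `*` / `**` path globbing so a denied path can be checked against the two rules quoted above. The log lines are constructed to follow the AppArmor audit format (the paths, PIDs and uids are illustrative), the glob matcher only handles `*` and `**`, and the `DOUBLESTAR` placeholder is an implementation assumption.

```shell
#!/bin/sh
# Added example (not from the bug report or the AppArmor project).
# Two helpers: extract candidate rules from AppArmor DENIED audit lines,
# and check whether a denied path is covered by a rule glob the way
# AppArmor interprets '*' (one component) and '**' (across '/').

# Constructed sample lines in the AppArmor audit format. Paths, PIDs and
# uids are illustrative, not taken from the reporter's system.
SAMPLE_LOG='audit: type=1400 audit(1592000000.000:100): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/zones/example.tld/keys/Kexample.tld+0000+458.private" pid=1234 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
audit: type=1400 audit(1592000000.001:101): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/example.tld/keys/Kexample.tld+0000+458.key" pid=1234 comm="isc-worker0000" requested_mask="wc" denied_mask="wc" fsuid=110 ouid=110
audit: type=1400 audit(1592000000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=110 ouid=110'

# deny_rules: read audit lines on stdin and print one candidate profile
# rule ("<path> <mask>,") per DENIED file access. The audit mask letter
# 'c' (create) is granted by 'w' in profile syntax, so it is folded into 'w'.
deny_rules() {
  grep 'apparmor="DENIED"' | while IFS= read -r line; do
    path=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.* denied_mask="\([^"]*\)".*/\1/p')
    [ -n "$path" ] && [ -n "$mask" ] || continue
    mask=$(printf '%s' "$mask" | sed 's/c/w/g' | fold -w1 | sort -u | tr -d '\n')
    printf '%s %s,\n' "$path" "$mask"
  done
}

# aa_glob_match GLOB PATH: emulate AppArmor path globbing for the two
# wildcards used in the rules above: '*' matches within one path
# component, '**' also matches across '/'. Returns 0 on match, 1 otherwise.
# Simplification (assumption): '{a,b}', '[..]' and '?' are not handled,
# and the literal placeholder DOUBLESTAR must not occur in GLOB.
aa_glob_match() {
  glob=$1
  path=$2
  re=$(printf '%s' "$glob" | sed -e 's/[.+]/\\&/g' \
                                 -e 's#\*\*#DOUBLESTAR#g' \
                                 -e 's#\*#[^/]*#g' \
                                 -e 's#DOUBLESTAR#.*#g')
  printf '%s\n' "$path" | grep -Eq "^${re}\$"
}

# Stand-alone demo: derive rules from the sample log, then show which of
# the two rules from the description covers the denied key file.
printf '%s\n' "$SAMPLE_LOG" | deny_rules
for rule in '/etc/bind/zones/*' '/etc/bind/zones/*/**'; do
  if aa_glob_match "$rule" '/etc/bind/zones/example.tld/keys/Kexample.tld+0000+458.private'; then
    echo "covered by: $rule"
  else
    echo "not covered by: $rule"
  fi
done
```

On a live system the same function can be fed from `journalctl -k` or `/var/log/audit/audit.log`. Because `*` never crosses a `/`, a rule such as `/etc/bind/zones/* rwk,` only covers the zone directory entries themselves; a file inside `keys/` is reached only by the `/etc/bind/zones/*/**` rule, so that is the rule whose presence in the profile actually loaded in the kernel is worth verifying.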

Simon Déziel (sdeziel) wrote :

@Felix, the AppArmor profile lets named write anywhere under /var/lib/bind, which is probably a better location than under /etc/bind. Here, I have been using 'key-directory "/var/lib/bind/keys";' for a long time and IIRC it worked well with inline-signing. I've since moved to dnssec-policy, which also obeys the key-directory directive.

Simon Déziel (sdeziel) wrote :

Of course my comment isn't directly related to the bug at hand but is more a general recommendation for your bind9 setup.

Seth Arnold (seth-arnold) wrote :

Hello Felix, did you already have a bind profile on your system?

aa-genprof is for creating a profile from scratch.
aa-logprof is for updating an existing profile.

I suggest using aa-status to see the AppArmor profiles that are currently loaded into the kernel to see if there may in fact be multiple profiles for bind loaded already.

