Ubuntu

named bind9 apparmor profile error

Reported by Christophe Vandeplas on 2008-10-25
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
bind9 (Ubuntu) | | Undecided | LaMont Jones |
Hardy | | Undecided | Unassigned |
Intrepid | | Undecided | Unassigned |

Bug Description

Binary package hint: bind9

Bind doesn't start when IPv6 is enabled.
/var/log/messages tells me this:
Oct 25 12:42:53 minerva kernel: [ 2229.682759] type=1503 audit(1224931373.808:14): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=103 name="/proc/5722/net/if_inet6" pid=5723 profile="/usr/sbin/named"

This means apparmor is blocking access to the /proc/XXXX/net/if_inet6 file.

Apparmor has the following configuration:
/etc/apparmor.d/usr.sbin.named:27: /proc/net/if_inet6 r,

This line should be changed to: /proc/**/net/if_inet6 r,

Restarting apparmor and bind with the new apparmor configuration confirms it works now.

Ubuntu 8.10 \n \l
Bind
Architecture: i386
Version: 1:9.5.0.dfsg.P2-1ubuntu2

Package: apparmor-profiles
Architecture: i386
Source: apparmor
Version: 2.3+1289-0ubuntu4
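
Added example (not part of the original report or of the bind9 package): a small Python check that parses the denial quoted above and tests candidate profile rules against the denied path. The glob handling is a simplified subset of AppArmor's syntax (only *, ** and ?), and the single-star rule text is an assumption based on the wording of the package changelog further down this page.

```python
import re

# The denial quoted in the bug description above, embedded so the check runs offline.
SAMPLE = ('Oct 25 12:42:53 minerva kernel: [ 2229.682759] type=1503 '
          'audit(1224931373.808:14): operation="inode_permission" '
          'requested_mask="::r" denied_mask="::r" fsuid=103 '
          'name="/proc/5722/net/if_inet6" pid=5723 profile="/usr/sbin/named"')

RULES = [
    "/proc/net/if_inet6 r,",     # line 27 of the shipped profile
    "/proc/**/net/if_inet6 r,",  # reporter's proposed replacement
    "/proc/*/net/if_inet6 r,",   # assumed rule text for the changelog entry
]

def parse_denial(line):
    """Return the key=value fields of a type=1503 record, or None."""
    if "type=1503" not in line:
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def rule_allows(rule, path, want):
    """True if a '<glob> <perms>,' file rule grants every permission in want."""
    glob, perms = rule.strip().rstrip(",").split()
    granted = all(p in perms for p in want)
    return granted and glob_to_regex(glob).fullmatch(path) is not None

def check_rules(line, rules):
    """Map each rule to whether it would have permitted the denied access."""
    denial = parse_denial(line)
    want = denial["denied_mask"].strip(":")  # "::r" -> "r"
    return {rule: rule_allows(rule, denial["name"], want) for rule in rules}

if __name__ == "__main__":
    for rule, ok in check_rules(SAMPLE, RULES).items():
        print(("allows " if ok else "denies ") + rule)
```

The literal /proc/net/if_inet6 rule never matches because the kernel reports the per-PID path, while both wildcard forms do.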

description: updated

I'm not sure it's related to the IPv6 bug #249824

Jamie Strandboge (jdstrand) wrote :

debdiff fixing this bug and bug #277370

Changed in bind9:
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

I also added:
  capability sys_resource,

since this version of bind9 complains without it.

LaMont Jones (lamont) on 2008-11-26
Changed in bind9:
assignee: nobody → lamont
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.5.0.dfsg.P2-5

---------------
bind9 (1:9.5.0.dfsg.P2-5) unstable; urgency=low

  [ISC]

  * 2463: IPv6 Advanced Socket API broken on linux. LP: #249824

  [Jamie Strandboge]

  * apparmor: add capability sys_resource
  * apparmor: add krb keytab access. LP: #277370

  [LaMont Jones]

  * apparmor: allow proc/*/net/if_inet6 read access too. LP: #289060
  * apparmor: add /var/log/named/* entries. LP: #294935

  [Ben Hutchings]

  * meta: Add dependency of bind9 on net-tools (ifconfig used in init script)
  * meta: Fix bind9utils Depends.
  * meta: fix typo in package description

  [localization folks]

  * l10n: add polish debconf translations. Closes: #506856 (L)

 -- Ubuntu Archive Auto-Sync <email address hidden> Wed, 10 Dec 2008 00:40:25 +0000

Changed in bind9:
status: Fix Committed → Fix Released
Martin Maney (maney) wrote :

Is this ever going to be fixed for the stable release? The repetitive error messages about /proc/*/net/if_net6 came to my attention while looking for something else, which led me to this bug. It seems to have been first reported for a version that's still in Ibex, though there's a bumped version 1:9.5.0.dfsg.P2-1ubuntu3 that's since replaced it (and the latter is installed here).

I just installed Jamie's patch above, and it seems to address this issue. Oddly, it was NOT present here even though it appears to have been intended to be in the 1ubuntu3 - just noticed that. Okay, now I'm really confused. bind9 was just installed on this machine on 12/29, so it doesn't seem it could have been that an upgrade somehow missed this file...

Ian McMichael (ian-sigma-uk) wrote :

It appears that the bind 9.4 and 9.5 packages have missed out on this patch. The Jaunty bind 9.6 package has the fix, but for those of us that are still running Intrepid or Hardy LTS, is there any chance of getting it applied to all the supported releases?

Thanks in advance,

Ian.

Changed in bind9 (Ubuntu Hardy):
status: New → Triaged
Changed in bind9 (Ubuntu Intrepid):
status: New → Triaged
Chuck Short (zulcss) wrote :

Closing this SRU request based on the fact that Intrepid has reached EOL.

chuck

Changed in bind9 (Ubuntu Intrepid):
status: Triaged → Won't Fix