AppArmor profile for named prevents reading of samba4 zone and keytab

Bug #930280 reported by Brendan Powers
This bug affects 2 people
Affects: bind9 (Ubuntu) | Status: Triaged | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

Release Description: Ubuntu precise (development branch)
Release: 12.04
Package: bind9
Version: 1:9.8.1.dfsg.P1-2

The AppArmor profile for named prevents bind9 from reading zone and keytab files generated by samba4. When samba4 is provisioned, it generates several template files. These files include configuration and zone information. Keytab files for DNS update signing are also generated. Generally, a user will configure bind9 to include these files from within their existing bind configuration in /etc/bind/. However, the AppArmor profile for named prevents this. Adding the lines below to /etc/apparmor.d/usr.sbin.named should resolve this problem.

  /var/lib/samba/private/dns/* rw,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/named.conf.update r,
  /var/lib/samba/private/dns.keytab rk,
  /var/tmp/* rw,

The first line allows bind9 to read the zone files generated by samba4. The write flag is specified because bind9 may need to update the zone upon a client DNS update request. The second and third lines allow bind9 to read the configuration and update information for domains generated by samba4. The fourth line allows bind9 to read and lock the samba4 DNS keytab file. This file allows bind9 to authenticate against the samba4 domain for signed DNS update requests. The last line allows bind9 to write some temporary files needed to track DNS updates.

Changed in bind9 (Ubuntu):
importance: Undecided → Medium
James Page (james-page)
Changed in bind9 (Ubuntu):
importance: Medium → Wishlist
status: New → Triaged
LaMont Jones (lamont) wrote :

> /var/tmp/* rw,

I would much rather have named using some more protected directory, like maybe /var/cache/bind or some such. Otherwise I don't have any issue with this.
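A defender-side helper, added here as an example and not part of the bug report or the bind9 package: it reads AppArmor DENIED lines for the named profile and emits one exact-path rule per denied file, which gives a narrower fix than a wildcard line such as "/var/tmp/* rw,". The log lines, pid and zone file name below are constructed.

```shell
#!/bin/sh
# Constructed sample AppArmor denials in the kern.log/audit.log field format.
# The first four are what named would hit on the samba4 files (one repeated);
# the last comes from a different profile and must be ignored.
SAMPLE_DENIALS='apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2101 comm="named" requested_mask="rk" denied_mask="rk" fsuid=107 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=2101 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/EXAMPLE.COM.zone" pid=2101 comm="named" requested_mask="rw" denied_mask="rw" fsuid=107 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2101 comm="named" requested_mask="rk" denied_mask="rk" fsuid=107 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/shadow" pid=3300 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Turn DENIED lines for one profile into exact-path AppArmor file rules.
# $1 = profile name as logged, stdin = log lines. denied_mask (not
# requested_mask) is used because it is the access still missing from the
# profile. Output is de-duplicated so a file denied twice yields one rule.
denials_to_rules() {
  awk -v want="$1" '
    /apparmor="DENIED"/ {
      prof = ""; name = ""; mask = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "profile")     prof = kv[2]
        if (kv[1] == "name")        name = kv[2]
        if (kv[1] == "denied_mask") mask = kv[2]
      }
      gsub(/"/, "", prof); gsub(/"/, "", name); gsub(/"/, "", mask)
      if (prof == want && name != "" && mask != "")
        print "  " name " " mask ","
    }' | LC_ALL=C sort -u
}

# Return 0 when no rule on stdin uses a wildcard path, 1 otherwise.
# A rule like "  /var/tmp/* rw," lets named write every file any local user
# creates there, which is the breadth the reviewer comment objects to.
no_wildcard_paths() {
  ! grep -q '\*'
}

# Stand-alone run: show the rules the constructed denials call for.
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules /usr/sbin/named
```

Feed the generated rules into /etc/apparmor.d/local/usr.sbin.named (or the main profile) and reload with apparmor_parser -r; the `k` mask in the keytab rule matches the lock access the description calls for.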
