apparmor profile missing "link" permission

Bug #1331503 reported by Kees Cook
Affects          Status  Importance  Assigned to  Milestone
bind9 (Ubuntu)   New     Undecided   Unassigned
Trusty           New     Undecided   Unassigned

Bug Description

  type=1400 audit(1403024365.999:20455): apparmor="DENIED" operation="link" profile="/usr/sbin/named" name="/var/lib/bind/db-GFtoRz38" pid=32341 comm="named" requested_mask="l" denied_mask="l" fsuid=105 ouid=105 target="/var/lib/bind/db.MYDOMAIN"

/etc/apparmor.d/usr.sbin.named is missing "l" for /var/lib/bind/**:

It should be:

  /var/lib/bind/** lrw,

Kees Cook (kees)
no longer affects: bind9 (Ubuntu Precise)
Robie Basak (racb) wrote :

Thanks Kees. Presumably this breaks dynamic updates?

Kees Cook (kees) wrote :

Seems to break slaved domain updates. (i.e. my server is secondary for a master server, and when they make changes the AXFR seems to throw this into the kernel logs.)

Since the /var/cache line has "l" already, it seems like just a simple fix; I didn't investigate the true origin.

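As an added illustration (not code from this bug report, bind9 or AppArmor), a small Python checker that parses the audit record quoted in the description, tests whether a profile rule's glob covers the denied path (and, for a link operation, the target too), and proposes the rule with the missing permission letters added. The "rw"-only rule for /var/lib/bind/** is an assumed reconstruction of the shipped profile, and the glob translator handles only the **, * and ? forms.

```python
import re

# Constructed sample input: the denial quoted in the bug description, rejoined onto one line.
DENIAL = (
    'type=1400 audit(1403024365.999:20455): apparmor="DENIED" operation="link" '
    'profile="/usr/sbin/named" name="/var/lib/bind/db-GFtoRz38" pid=32341 comm="named" '
    'requested_mask="l" denied_mask="l" fsuid=105 ouid=105 target="/var/lib/bind/db.MYDOMAIN"'
)

# Assumed shape of the rule in the shipped profile (only "rw", no "l"); not quoted from the page.
CURRENT_RULE = '/var/lib/bind/** rw,'

def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit record as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def glob_to_regex(glob):
    """Translate the AppArmor file-glob subset used here: '**' spans '/', '*' and '?' do not."""
    out, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
        elif glob[i] == '*':
            out, i = out + '[^/]*', i + 1
        elif glob[i] == '?':
            out, i = out + '[^/]', i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile('^' + out + '$')

def missing_perms(rule, denial):
    """Letters of denied_mask the rule does not grant, or None if its glob does not cover the
    denied path (for "link", the target must be covered too; the subset check is not modelled)."""
    glob, perms = rule.rstrip(',').split()
    paths = [denial['name']] + ([denial['target']] if denial.get('operation') == 'link' else [])
    if not all(glob_to_regex(glob).match(p) for p in paths):
        return None
    return ''.join(p for p in denial['denied_mask'] if p not in perms)

def suggested_rule(rule, denial):
    """The rule with the missing letters added (sorted, so "rw" + "l" becomes "lrw"); unchanged
    when it already grants them or does not apply."""
    glob, perms = rule.rstrip(',').split()
    missing = missing_perms(rule, denial)
    if not missing:
        return rule
    return f"{glob} {''.join(sorted(set(perms + missing)))},"

if __name__ == '__main__':
    d = parse_denial(DENIAL)
    print(f"{d['operation']} on {d['name']}: suggest {suggested_rule(CURRENT_RULE, d)}")
```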