https://bugzilla.novell.com/show_bug.cgi?id=731572 https://bugzilla.novell.com/show_bug.cgi?id=731572#c1 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de AssignedTo|suse-beta@cboltz.de |ug@suse.com --- Comment #1 from Christian Boltz <suse-beta@cboltz.de> 2011-12-06 16:21:22 CET --- This rule will work for sure, but it's very broad and makes your profile insecure IMHO. That said: the named profile is part of the "bind" package, therefore I'll assign this bug to Uwe (the bind maintainer) for now. Some comments on the profile: #include <tunables/global> /usr/sbin/named { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/xad> capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, capability sys_resource, /** r, # leftover from the times when AppArmor paths were relative to the chroot? I doubt it's needed nowadays. /var/lib/named/** should be enough. /dyn/** rwl, # see above - should probably be /var/lib/named/dyn/** /usr/bin/dnskeygen mix, /usr/bin/dnsquery mix, /usr/sbin/named rmix, /usr/sbin/named-xfer mix, /var/lib/named/** rwl, # (or mrwl after this bugreport) - this rule is very broad and makes the profile insecure. Does bind really need write permissions for all those files? /var/named/** rwl, # does this directory exist? (I don't have a nameserver on 12.1, so I can't check it.) /var/run/named.pid wl, /var/run/named/named.pid wl, /var/run/ndc wl, /slave/* rw, # should probably be /var/lib/named/slave/* /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r, /var/tmp/DNS_* rw, # add "owner" keyword? /tmp/DNS_* rw, # add "owner" keyword? } Uwe, if you need help, feel free to ask. If you want, I can try to push the profile upstream (which would also mean to move it to the apparmor-profiles package) - however I'm quite sure the "/var/lib/named/** mrwl" rule will be rejected upstream. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731572 https://bugzilla.novell.com/show_bug.cgi?id=731572#c3 --- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2011-12-06 19:32:36 CET --- (In reply to comment #2)

I just provided the rule I added to make bind work again. (the default was so secure that bind wouldn't start...)  ;-)

IMHO /var/lib/named belongs to named so I don't see a problem with letting named access that directory. I'm not storing anything else there...

Well, bind will "only" be able to overwrite its own data - but even that is not what you want (for example, bind will also able to overwrite library files like /var/lib/named/lib/engines/libgost.so which should really be read-only and later load that "new" libraries - in other words: if an attacker can upload a library, he'll also be to load it). Write permissions should only be be allowed when really needed, for example for zone updates. (I'm not a nameserver expert, therefore I don't know where exactly bind needs write access.)

If there's a better way then I'm all for it. I hope for it to be added in the default profile in a secure way that I, as an end user, don't have to edit just to get bind to start.

Yes, of course - the apparmor profile should be working by default. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731572 https://bugzilla.novell.com/show_bug.cgi?id=731572#c5 --- Comment #5 from Charles Wright <wrighrc@gmail.com> 2011-12-07 22:32:19 UTC --- Greetings Uwe, I just extracted both rpms with rpm2cpio bind-9.8.1-4.2.2.i586.rpm bind-9.8.1P1-4.4.1.i586.rpm <- I'm running this one. Then I did a diff on the profile and it didn't look as if anything changed in the file /etc/apparmor.d/usr.sbin.named I went ahead and tested with the original file anyways. wrights:/etc/apparmor.d # /etc/init.d/named start Starting name server BIND - Warning: /var/lib/named/var/run/named/named.pid exists! failed wrights:/etc/apparmor.d # rm /var/lib/named/var/run/named/named.pid wrights:/etc/apparmor.d # wrights:/etc/apparmor.d # /etc/init.d/named start Starting name server BIND failed I still get: [1360174.303710] type=1400 audit(1323295945.296:63): apparmor="DENIED" operation="file_mmap" parent=29480 profile="/usr/sbin/named" name="/var/lib/named/lib/engines/libgost.so" pid=29481 comm="named" requested_mask="m" denied_mask="m" fsuid=44 ouid=0 So it still looks broken. (no big surprise given the apparmor profile looks the same.) # Restoring my change... wrights:/etc/apparmor.d # cp /root/usr.sbin.named /etc/apparmor.d/ wrights:/etc/apparmor.d # rcapparmor restart Restarting AppArmor done wrights:/etc/apparmor.d # /etc/init.d/named start Starting name server BIND done wrights:/etc/apparmor.d # diff /root/usr.sbin.named /tmp/extract/etc/apparmor.d/usr.sbin.named 34c34 < /var/lib/named/** rwlm, ---

/var/lib/named/** rwl,

(In reply to comment #4)

but I already released a maintenance update for 12.1 that makes access to /var/lib/named/lib/ and /var/lib/named/lib64 possible. So I think that's fixed Or do you see any other issues with apparmor that I overlooked?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731572 https://bugzilla.novell.com/show_bug.cgi?id=731572#c7 --- Comment #7 from Uwe Gansert <ug@suse.com> 2011-12-08 09:16:02 UTC --- hm, you are right. Something went wrong with the release of this update. We look into it here. Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731572 https://bugzilla.novell.com/show_bug.cgi?id=731572#c9 Uwe Gansert <ug@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #9 from Uwe Gansert <ug@suse.com> 2012-01-02 12:53:22 UTC --- update is realeased -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.