[Pkg-dns-devel] Bug#883228: bind9: apparmor policy is denying the ability to change worker thread names

Jon nuxi at vault24.org
Fri Dec 1 02:19:43 UTC 2017 

Package: bind9
Version: 1:9.11.2+dfsg-1
Severity: minor
Tags: patch

Dear Maintainer,

The bind apparmor policy is blocking the ability of bind to change its
worker thread names.

type=AVC msg=audit(1512011335.533:12422): apparmor="DENIED"
operation="open" profile="/usr/sbin/named"
name="/proc/31264/task/31268/comm" pid=31264 comm="named"
requested_mask="wr" denied_mask="wr" fsuid=108 ouid=108

Adding this line to the policy allowed bind to change it thread names:

owner @{PROC}/@{pid}/task/@{tid}/comm rw,



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages bind9 depends on:
ii  adduser                3.116
ii  bind9utils             1:9.11.2+dfsg-1
ii  debconf [debconf-2.0]  1.5.65
ii  libbind9-160           1:9.11.2+dfsg-1
ii  libc6                  2.25-2
ii  libcap2                1:2.25-1.2
ii  libcomerr2             1.43.7-1
ii  libdns169              1:9.11.2+dfsg-1
ii  libgeoip1              1.6.11-3
ii  libgssapi-krb5-2       1.15.2-2
ii  libirs160              1:9.11.2+dfsg-1
ii  libisc166              1:9.11.2+dfsg-1
ii  libisccc160            1:9.11.2+dfsg-1
ii  libisccfg160           1:9.11.2+dfsg-1
ii  libjson-c3             0.12.1-1.2
ii  libk5crypto3           1.15.2-2
ii  libkrb5-3              1.15.2-2
ii  liblwres160            1:9.11.2+dfsg-1
ii  libssl1.1              1.1.0g-2
ii  libxml2                2.9.4+dfsg1-5.1
ii  lsb-base               9.20170808
ii  net-tools              1.60+git20161116.90da8a0-1
ii  netbase                5.4

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.11.2+dfsg-1
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]
/etc/bind/zones.rfc1918 changed [not included]

-- debconf information:
* bind9/run-resolvconf: false
* bind9/different-configuration-file:
* bind9/start-as-user: bind

More information about the pkg-dns-devel mailing list