BIND9 DLZ AppArmor and SELinux Integration: Difference between revisions
m (/* minor update) |
Rayk sland (talk | contribs) (The file wasn't enough service 'apparmor' had to be restarted.) |
||
(One intermediate revision by one other user not shown) | |||
Line 46: | Line 46: | ||
AppArmor Configuration : |
AppArmor Configuration : |
||
Add the following to the end of /etc/apparmor.d/local/usr.sbin.named (create it if it doesn't already exist). |
Add the following to the end of /etc/apparmor.d/local/usr.sbin.named (create it if it doesn't already exist). Restart the apparmor service. |
||
# Samba DLZ and Active Directory Zones (default source installation) |
# Samba DLZ and Active Directory Zones (default source installation) |
||
/usr/local/samba/lib/** rm, |
/usr/local/samba/lib/** rm, |
||
/usr/local/samba/private/dns.keytab |
/usr/local/samba/private/dns.keytab rk, |
||
/usr/local/samba/private/named.conf r, |
/usr/local/samba/private/named.conf r, |
||
/usr/local/samba/private/dns/** rwk, |
/usr/local/samba/private/dns/** rwk, |
||
/usr/local/samba/etc/smb.conf r, |
/usr/local/samba/etc/smb.conf r, |
||
{{Imbox |
|||
| type = note |
|||
| text = From Samba 4.8.0 <code>/usr/local/samba/private</code> is replaced by <code>/usr/local/samba/bind-dns</code> |
|||
}} |
|||
Additionally, it was found that on some distributions, additional paths may be required; consult your AppArmor logs for more information. |
Additionally, it was found that on some distributions, additional paths may be required; consult your AppArmor logs for more information. |
Latest revision as of 18:54, 2 November 2023
Interaction with AppArmor or SELinux
If you are getting an error from samba_dnsupdate and nsupdate return dns_tkey_negotiategss: TKEY is unacceptable try the following:
If you are using AppArmor or SELinux, you have to ensure that the BIND process has read access to the following files:
- /usr/local/samba/private/dns.keytab
- /usr/local/samba/private/named.conf
as well read-write access to the
- /usr/local/samba/private/dns/
directory and it's own zone file(s).
The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your AppArmor or SELinux configuration if you are running either of those. If you are using AppArmor, then the 'aa-logprof' command may help you add any missing permissions you need to add after you start Samba and BIND for the first time after configuring them.
Permissions, SELinux Labeling and Policy
These instructions are intended for RHEL6, but may serve as a guide for other distributions/versions.
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux.
For all the commands below, make sure you have set the following environment variable:
MYREALM="samdom.example.com"
Set Permissions (SELinux):
chown named:named /usr/local/samba/private/dns chgrp named /usr/local/samba/private/dns.keytab chmod g+r /usr/local/samba/private/dns.keytab chmod 775 /usr/local/samba/private/dns
Label files (SELinux):
chcon -t named_conf_t /usr/local/samba/private/dns.keytab chcon -t named_conf_t /usr/local/samba/private/named.conf.update chcon -t named_var_run_t /usr/local/samba/private/dns chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
Set Label Persistence (SELinux):
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
AppArmor Configuration :
Add the following to the end of /etc/apparmor.d/local/usr.sbin.named (create it if it doesn't already exist). Restart the apparmor service.
# Samba DLZ and Active Directory Zones (default source installation) /usr/local/samba/lib/** rm, /usr/local/samba/private/dns.keytab rk, /usr/local/samba/private/named.conf r, /usr/local/samba/private/dns/** rwk, /usr/local/samba/etc/smb.conf r,
From Samba 4.8.0 /usr/local/samba/private is replaced by /usr/local/samba/bind-dns |
Additionally, it was found that on some distributions, additional paths may be required; consult your AppArmor logs for more information.
Examples:
It was found that on Ubuntu 14.04.1 LTS, BIND was trying to create files such as /var/tmp/DNS_110, and so a further entry was required:
/var/tmp/** rwmk,
It was found that on Ubuntu 16.04 LTS, /dev/urandom is used, so a further entry was required:
/dev/urandom rw,