apparmor errors when starting unbound

Asked by Scott Hollenbeck on 2018-09-11

I recently upgraded a server that was running Ubuntu 16.04.5 LTS and unbound 1.5.8 to Ubuntu 18.04.1 LTS and unbound 1.6.7. After the upgrade I noticed that unbound was no longer logging query data to the locally-configured log file I had specified in /etc/unbound/unbound.conf.d/local.conf. Logging to syslog is the default; here are my config entries:

log-queries: yes
logfile: /var/log/unbound.log

Here is what the log file looks like:

-rw-r----- 1 unbound unbound 1633855 Aug 26 07:59 unbound.log

I found this error in /var/log/syslog:

Sep 10 13:00:08 myserver kernel: [104375.096935] audit: type=1400 audit(1536598808.954:14): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound.log" pid=24689 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=122 ouid=122

So I added an entry to /etc/apparmor.d/local/usr.sbin.unbound:

/var/log/unbound.log rw,

and the error above was resolved when I tried to restart unbound. However, two other apparmor errors appeared:

Sep 10 13:55:31 myserver kernel: [107697.184878] audit: type=1400 audit(15366002131.215:84): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=10644 comm="unbound" capability=2 capname="dac_read_search"

Sep 10 13:55:31 myserver kernel: [107697.185359] audit: type=1400 audit(15366002131.215:85): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=10645 comm="unbound" capability=1 capname="dac_override"

These were resolved by adding entries to /etc/apparmor.d/local/usr.sbin.unbound:

capability dac_read_search,
capability dac_override,

With these profile entries in place I could start unbound with no apparmor errors.

Are these bugs or an issue with my installation? Should these capabilities need to be added to the default profile found at /etc/apparmor.d/usr.sbin.unbound? Is it normal for use of a non-syslog log file to require adding permissions to the apparmor profile?
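As an added example (not code from the question, from Ubuntu or from the unbound project), the script below turns the three DENIED audit lines quoted above into candidate profile rules so they can be reviewed before anything is appended to /etc/apparmor.d/local/usr.sbin.unbound. The sample log is the page's own lines reassembled; the mask-to-permission mapping (create needs `w`, `w` subsumes `a`, execute masks are left for a hand-written rule) is an assumption, and it yields the narrower `w` rather than the `rw` used in the question because the denied mask was only append+create.

```python
import re

# Constructed sample: the three denials from the question, each on one line.
SAMPLE_LOG = """\
Sep 10 13:00:08 myserver kernel: [104375.096935] audit: type=1400 audit(1536598808.954:14): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound.log" pid=24689 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=122 ouid=122
Sep 10 13:55:31 myserver kernel: [107697.184878] audit: type=1400 audit(15366002131.215:84): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=10644 comm="unbound" capability=2 capname="dac_read_search"
Sep 10 13:55:31 myserver kernel: [107697.185359] audit: type=1400 audit(15366002131.215:85): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=10645 comm="unbound" capability=1 capname="dac_override"
"""

# key=value pairs; quoted values may contain spaces or slashes.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the fields of an AppArmor DENIED audit line as a dict, or None otherwise."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def file_rule_perms(mask):
    """Map a denied_mask string to profile permission letters (assumed mapping).
    'c' (create) and 'd' (delete) need 'w'; 'w' already covers 'a' (append).
    Execute bits need an ix/px/ux qualifier, so they are dropped here for manual review."""
    perms = set()
    for ch in mask:
        perms.add("w" if ch in "cd" else ch)
    if "w" in perms:
        perms.discard("a")
    return "".join(p for p in "rwalkm" if p in perms)


def suggest_rules(log_text):
    """Return {profile: set(of candidate rules)} for every DENIED line in log_text."""
    rules = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        prof = rules.setdefault(ev["profile"], set())
        if ev.get("operation") == "capable" and "capname" in ev:
            prof.add(f'capability {ev["capname"]},')
        elif "name" in ev and "denied_mask" in ev:
            prof.add(f'{ev["name"]} {file_rule_perms(ev["denied_mask"])},')
    return rules


if __name__ == "__main__":
    for profile, rule_set in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for {profile}")
        print("\n".join(sorted(rule_set)))
```

Each capability rule widens what the confined daemon may do regardless of file path, so treat those lines as a prompt to ask why the binary needs them rather than as something to paste in unchanged.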

Launchpad Janitor (janitor) said: #1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.