Author: 'smee
Date:
To: devuan mail list
Subject: [DNG] Beowulf, and Apparmor's effect on bind9
Hello list,

This issue has a workaround that works fine but I want to throw this
info out there in case it's useful to anyone else or to the devs.


I've got a couple of DNS servers that I installed initially with ascii.
After upgrading to Beowulf, bind9 wouldn't start any more. Turned out
to be a permissions issue that is actually an AppArmor issue, which is
outlined in this Debian bug report.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922065

AppArmor denies permissions to necessary bind9 files. In my case it's
/var/log/misc.log that is the problem file consistently. The bug report
says the next version of bind9 should contain the fix. I don't know if
they mean next major release or what. The bug at Debian was reported
for bind9 version 1:9.11.5.P1+dfsg-2 and I'm on 1:9.11.5.P4+dfsg-5.1,
which is the latest in the default Beowulf repos.

AppArmor was installed during the upgrade to Beowulf; it wasn't present
in my ascii install.

The specific error I had in syslog was:

May 23 10:30:00 155 named[2523]: starting BIND 9.11.5-P4-5.1+deb10u1-Debian (Extended Support Version) <id:998753
/permission denied
...skipping
May 23 10:30:00 155 named[2523]: isc_stdio_open '/var/log/misc.log' failed: permission denied
May 23 10:30:00 155 named[2523]: configuring logging: permission denied
May 23 10:30:00 155 kernel: [35015.975714] audit: type=1400 audit(1590251400.612:13): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/misc.log" pid=2523 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=107 ouid=107
May 23 10:30:00 155 named[2523]: loading configuration: permission denied
May 23 10:30:00 155 named[2523]: exiting (due to fatal error)


The workaround mentioned in the bug report is to add explicit
permissions in /etc/apparmor.d/local/usr.sbin.named by adding a line to
that file with the path to the problem file and the permissions. In
this case rwk for read/write/lock. In my case I added this line:

/var/log/misc.log rwk

Anyway, hope this info's helpful. Let me know if I can be of further help.
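As an added example (not part of the post above), a small shell helper that pulls apparmor="DENIED" audit records like the one quoted out of syslog and prints the matching line for /etc/apparmor.d/local/usr.sbin.named; the sample log is constructed from the post's output, and the rwk default follows the post's workaround.

```shell
#!/bin/sh
# Constructed sample log: the DENIED record from the post, plus an unrelated
# non-denial record to show it is ignored. Timestamps and pids are made up.
SAMPLE_LOG='May 23 10:30:00 155 named[2523]: isc_stdio_open '"'"'/var/log/misc.log'"'"' failed: permission denied
May 23 10:30:00 155 kernel: [35015.975714] audit: type=1400 audit(1590251400.612:13): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/misc.log" pid=2523 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=107 ouid=107
May 23 10:30:01 155 kernel: [35016.000000] audit: type=1400 audit(1590251401.000:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=2523 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=107'

# Read syslog lines on stdin; print one "profile<TAB>path<TAB>denied_mask"
# line per apparmor="DENIED" record. Assumes key="value" tokens without
# embedded spaces (paths with spaces would need a real audit parser).
apparmor_denials() {
  awk '/apparmor="DENIED"/ {
    p = ""; n = ""; m = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "profile") p = kv[2]
      else if (kv[1] == "name") n = kv[2]
      else if (kv[1] == "denied_mask") m = kv[2]
    }
    gsub(/"/, "", p); gsub(/"/, "", n); gsub(/"/, "", m)
    print p "\t" n "\t" m
  }'
}

# Emit the override line for /etc/apparmor.d/local/usr.sbin.named.
# $1 = path, $2 = permissions (default rwk, as in the post). AppArmor file
# rules end with a comma, so it is added here.
suggest_local_rule() {
  printf '%s %s,\n' "$1" "${2:-rwk}"
}

# For every denial on stdin, print a comment naming the profile and mask,
# then the suggested rule. Permissions come from $1 (optional).
suggest_from_log() {
  apparmor_denials | while IFS="$(printf '\t')" read -r profile path mask; do
    printf '# %s denied %s on %s\n' "$profile" "$mask" "$path"
    suggest_local_rule "$path" "$1"
  done
}

# Demo run on the constructed sample. After appending the output to the
# local file, reload the profile with:
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named
printf '%s\n' "$SAMPLE_LOG" | suggest_from_log
```

Review the printed rule before applying it: an "rw" grant on a path outside the profile's normal log directory should be questioned rather than copied blindly.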