I am trying to run bind9, on an Ubuntu box, in a chroot jail, as discussed in "Linux System Administration" (Adelstein & Lubanovic). The command "sudo /etc/init.d/bind9 start" is generating errors in syslog:

Jun 27 13:39:48 doli named[12418]: starting BIND 9.5.1-P2 -u bind -t /var/lib/named
. . . 
Jun 27 13:39:48 doli named[12418]: loading configuration from '/etc/bind/named.conf'
Jun 27 13:39:48 doli named[12418]: none:0: open: /etc/bind/named.conf: permission denied
Jun 27 13:39:48 doli named[12418]: loading configuration: permission denied
Jun 27 13:39:48 doli named[12418]: exiting (due to fatal error)
Jun 27 13:39:48 doli kernel: [426157.438173] type=1503 audit(1246124388.753:33): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=105 name="/var/lib/named/etc/bind/named.conf" pid=12419 profile="/usr/sbin/named"

The server is configured as follows:

  • /etc/bind is symlinked to /var/lib/named/etc/bind.
  • Ownerships for /var/.../etc and everything in it are set to bind:bind.
  • /etc/default/bind9 has OPTIONS="-u bind -t /var/lib/named" (but I note that /etc/init.d/bind9 has OPTIONS="" and a notation that seems to say leave that alone and reset the value in /etc/default/bind9).

The syslog suggests the problem is that the process owner for bind9 can't read the configuration file, but it starts as root and resets to bind, either of which I would think should be able to read the configuration.

What am I missing here?

freiheit
chernevik

  • You say that the ownerships are all bind:bind; even within the chroot bind shouldn't be able to overwrite its config files imo, so its conf stuff should be owned by root:bind, permission 640, so the bind group/user only has read access. – theotherreceive Jun 27 '09 at 19:38

1 Answer

EDIT: oops, AppArmor, not SELinux...

Look at /etc/apparmor.d/usr.sbin.named

There's a section that looks like this:

/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** rw,
/var/cache/bind/ rw,

I suggest adding this afterwards (or possibly replacing it with this):

/var/lib/named/etc/bind/** r,
/var/lib/named/var/lib/bind/** rw,
/var/lib/named/var/lib/bind/ rw,
/var/lib/named/var/cache/bind/** rw,
/var/lib/named/var/cache/bind/ rw,

freiheit
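As an added worked example (not code from the answer, the question, or the Ubuntu bind9/AppArmor packages): a small Python script that parses the type=1503 AppArmor denial records out of syslog text like the kernel line in the question, re-roots the stock profile rules under the chroot the way the answer does by hand, and then reports which denials the enlarged rule set would still not permit. The syslog excerpt is constructed for the example; it contains the denial from the question plus a made-up second denial for named writing to /var/lib/named/dev/log. The profile path /usr/sbin/named and the chroot /var/lib/named are taken from the question; the AppArmor glob semantics implemented here (`**` crosses `/`, `*` does not, `w` implies `a`) are the standard file-rule semantics.

```python
import re

# Constructed sample syslog excerpt: the AppArmor denial from the question plus a
# second, made-up denial for named writing to the chrooted syslog socket.
SAMPLE_SYSLOG = """\
Jun 27 13:39:48 doli named[12418]: loading configuration: permission denied
Jun 27 13:39:48 doli kernel: [426157.438173] type=1503 audit(1246124388.753:33): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=105 name="/var/lib/named/etc/bind/named.conf" pid=12419 profile="/usr/sbin/named"
Jun 27 13:39:49 doli kernel: [426158.101010] type=1503 audit(1246124389.100:34): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=105 name="/var/lib/named/dev/log" pid=12419 profile="/usr/sbin/named"
"""

# The stock rules the answer quotes from /etc/apparmor.d/usr.sbin.named.
STOCK_RULES = [
    "/etc/bind/** r,",
    "/var/lib/bind/** rw,",
    "/var/lib/bind/ rw,",
    "/var/cache/bind/** rw,",
    "/var/cache/bind/ rw,",
]

AUDIT_RE = re.compile(r'type=1503 audit\([^)]*\): (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_LETTERS = "rwaklmx"  # AppArmor file permission letters, in display order


def parse_denials(text):
    """Parse old-style (type=1503) AppArmor audit records out of syslog text.

    Returns one dict per record holding its key=value fields plus 'denied', the
    set of permission letters in denied_mask (e.g. "r::" -> {"r"}).
    """
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        rec = {}
        for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
            rec[key] = quoted if quoted else bare
        rec["denied"] = {c for c in rec.get("denied_mask", "") if c in PERM_LETTERS}
        records.append(rec)
    return records


def parse_rule(line):
    """Split a file rule such as '/etc/bind/** r,' into (glob, perms string)."""
    glob, perms = line.strip().rstrip(",").split()
    return glob, perms


def chroot_rules(rules, chroot):
    """Prefix every stock rule with the chroot, which is what the answer adds by hand."""
    prefix = chroot.rstrip("/")
    return [f"{prefix}{glob} {perms}," for glob, perms in map(parse_rule, rules)]


def glob_to_regex(glob):
    """Translate AppArmor path globbing: '**' may cross '/', '*' may not."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def rule_allows(rules, path, denied):
    """True if the union of all rules matching `path` grants every denied letter."""
    granted = set()
    for glob, perms in map(parse_rule, rules):
        if re.match(glob_to_regex(glob), path):
            granted |= set(perms)
    if "w" in granted:
        granted.add("a")  # write permission includes append
    return denied <= granted


def uncovered(records, rules, profile="/usr/sbin/named"):
    """Denials attributed to `profile` that the rule set still would not permit."""
    return [r for r in records
            if r.get("profile") == profile and not rule_allows(rules, r["name"], r["denied"])]


def suggest_rule(record):
    """Minimal exact-path rule for one denial; a human should review it before adding it."""
    letters = "".join(sorted(record["denied"], key=PERM_LETTERS.index))
    return f"{record['name']} {letters},"


if __name__ == "__main__":
    recs = parse_denials(SAMPLE_SYSLOG)
    fixed = STOCK_RULES + chroot_rules(STOCK_RULES, "/var/lib/named")
    print("still denied with stock profile:", [r["name"] for r in uncovered(recs, STOCK_RULES)])
    print("still denied with chroot rules: ", [r["name"] for r in uncovered(recs, fixed)])
    for r in uncovered(recs, fixed):
        print("consider adding:", suggest_rule(r))
```

On a real box the input would be the audit lines from /var/log/syslog (or /var/log/kern.log) rather than the constructed excerpt; the output for the sample shows that re-rooting the stock rules fixes the named.conf denial but leaves /var/lib/named/dev/log uncovered, which is the kind of extra line the comments below end up adding. After editing the profile, reload it with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named` and restart bind9; keep the added rules as narrow as the re-rooted stock ones (read-only for the config tree, write only where named genuinely needs it) so the chroot does not end up with a looser profile than the non-chrooted install.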
  • I don't know. I don't even know what SELinux is, sorry. I'm running Ubuntu 9.04, Server Edition. I get nothing when I run 'sudo find -name "SELinux*". – chernevik Jun 27 '09 at 18:27
  • Yeah, don't know that one either. What am I looking for? I see /etc/apparmor, but neither logprof.conf nor rc.apparmor.functions have a references to named or bind. And all their references to /etc are for subdirectories other than the ones involved with this. – chernevik Jun 27 '09 at 18:49
  • /etc/apparmor.d, not /etc/apparmor – freiheit Jun 27 '09 at 18:52
  • The Ubuntu forum discussion of bind9 points to apparmor as a potential issue, and seems to have solutions. I'll see if I can figure this out from those. Thanks for the lead. – chernevik Jun 27 '09 at 18:56
  • apparmor is definitely the issue here looking at the logs you posted. Changing the profile and restarting apparmor should resolve this. – theotherreceive Jun 27 '09 at 19:34
  • usr.bin.named needed a few more lines to keep bind from bumping into things: /var/lib/named/etc/bind/** r, /var/lib/named/var/lib/bind/** rw, /var/lib/named/var/lib/bind/ rw, /var/lib/named/var/cache/bind/** rw, /var/lib/named/var/cache/bind/ rw, /var/lib/named/dev/log w, /var/lib/named/dev/null rw, /var/lib/named/dev/random r, With these, it started without logging errors; "rndc status" reported no errors. – chernevik Jun 27 '09 at 20:10
  • This is also helpful: http://ubuntuforums.org/showpost.php?p=5828381&postcount=17 – chernevik Jun 27 '09 at 20:11