
Just upgraded Debian and named is not starting now. I have 2 log channels configured:

    channel "named_log" {
        file "/var/log/bind/named.log" versions 10 size 2m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel "query_log" {
        file "/var/log/bind/query.log" versions 2 size 100k;
        severity dynamic;
        print-severity yes;
        print-time yes;
    };

Everything was working until the upgrade. Here's the directory:

    root@dom:/var/log/bind# ls -la /var/log/bind
    total 156
    drwxrwsr-x  2 bind bind   4096 Oct 30 17:14 .
    drwxr-xr-x 36 root root   4096 Oct 30 15:41 ..
    -rw-r-----  1 bind bind 149847 Oct 30 17:45 bind9.log
    root@dom:/var/log/bind# id bind
    uid=110(bind) gid=118(bind) groups=118(bind)
    root@dom:/var/log/bind# ls -lna /var/log/bind
    total 156
    drwxrwsr-x  2 110 118   4096 Oct 30 17:14 .
    drwxr-xr-x 36   0   0   4096 Oct 30 15:41 ..
    -rw-r-----  1 110 118 149847 Oct 30 17:45 bind9.log
    root@dom:/var/log/bind# named -v
    BIND 9.11.5-P4-5.1-Debian (Extended Support Version) <id:998753c>
    root@dom:~# ps -eo pid,gid,euid,comm|grep named
     6677   118   110 named

But I have this:

    Oct 30 17:04:35 dom named[4997]: configuring command channel from '/etc/bind/rndc.key'
    Oct 30 17:04:35 dom named[4997]: command channel listening on 127.0.0.1#953
    Oct 30 17:04:35 dom named[4997]: isc_stdio_open '/var/log/bind/named.log' failed: permission denied
    Oct 30 17:04:35 dom named[4997]: configuring logging: permission denied
    Oct 30 17:04:35 dom named[4997]: loading configuration: permission denied
    Oct 30 17:04:35 dom named[4997]: exiting (due to fatal error)

I temporarily enabled login for user bind and can confirm that this user can create and modify files in /var/log/bind/.

Please help

Update: did `chmod 777 /var/log/bind`, the same error.

BUKTOP

1 Answer


It sounds as though bind9 may not be allowed to write to the folder for other reasons.

Check to see if AppArmor is running via `aa-status`.

AppArmor is another mandatory access control mechanism for Linux, comparable to SELinux. In reality, you want it there because it keeps applications from being used maliciously if exploited.

If it is, temporarily disable it to test:

    sudo systemctl stop apparmor
    sudo systemctl disable apparmor

If that resolves the issue, then you will need to update the bind9 profile in AppArmor to allow it access to the log folder.

For reference, AppArmor profiles are stored in /etc/apparmor.d/

t3ddftw
  • I have added this a few minutes ago, you probably didn't reload the question, sorry: `root@dom:~# ps -eo pid,gid,euid,comm|grep named` `6677 118 110 named` – BUKTOP Oct 30 '19 at 16:00
  • And I did chmod 777, the same – BUKTOP Oct 30 '19 at 16:01
  • @BbIKTOP - Is AppArmor running? That would be the next thing to check. (`aa-status`) – t3ddftw Oct 30 '19 at 16:03
  • have no idea what it is, how to check? did `root@dom:/etc/firejail# ps -ef|grep -i armor`, got nothing: `root 9017 7022 0 18:03 pts/6 00:00:00 grep -i armor` – BUKTOP Oct 30 '19 at 16:04
  • @BbIKTOP - You probably missed it in my comment -- run: `aa-status` – t3ddftw Oct 30 '19 at 16:05
  • Yes, it's running. Thank you!!! wtf is that and how to remove it? – BUKTOP Oct 30 '19 at 16:07
  • @BbIKTOP - AppArmor is another mandatory access control mechanism for Linux, comparable to SELinux. In reality, you want it there because it keeps applications from being used maliciously if exploited. Check if temporarily disabling AA fixes your issue by running `sudo systemctl stop apparmor && sudo systemctl disable apparmor` – t3ddftw Oct 30 '19 at 16:11
  • thank you so much! Please add this as an answer so I could accept it. Found this *(&^(%^&* and added this dir to its config, everything is working now. linups ok lol )))) – BUKTOP Oct 30 '19 at 16:13
  • @BbIKTOP - Updated -- glad you got it sorted :) – t3ddftw Oct 30 '19 at 16:29
  • thank you, I'd never find it myself, had no idea it even exists! could you please also add that its configuration profiles are stored in /etc/apparmor.d and all necessary access rules shall be added there? I see you already did. Thank you! ;) – BUKTOP Oct 30 '19 at 16:33
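The least-privilege version of the fix the answer and comments arrive at (add the custom log directory to the bind9 profile rather than leaving AppArmor disabled), as an added example that is not code from the question, the answer, or the bind9 package. It assumes the Debian layout in which the profile is `/etc/apparmor.d/usr.sbin.named` and site-local additions go in `/etc/apparmor.d/local/usr.sbin.named`; the function names are mine.

```shell
# confinement_mode: classify the AppArmor label a process reports in
# /proc/<pid>/attr/current, e.g. "/usr/sbin/named (enforce)" or "unconfined".
# Prints one of: enforce | complain | unconfined | unknown
confinement_mode() {
    label="$1"
    case "$label" in
        unconfined*)    echo unconfined ;;
        *"(enforce)"*)  echo enforce ;;
        *"(complain)"*) echo complain ;;
        *)              echo unknown ;;
    esac
}

# named_label: read the live label of the running named (AppArmor kernels only).
# In the question's case this would print "/usr/sbin/named (enforce)", which is
# why chmod 777 on the directory changed nothing: DAC is not what is denying.
named_label() {
    pid=$(pidof named 2>/dev/null | cut -d' ' -f1) || return 1
    [ -n "$pid" ] || return 1
    cat "/proc/$pid/attr/current"
}

# log_dir_rules: build the profile rules for a log directory.  "$dir/" matches
# the directory itself, "$dir/**" every file and subpath below it, which covers
# the numbered files that "versions N" log rotation creates.
log_dir_rules() {
    dir="${1%/}"   # tolerate a trailing slash, as in /var/log/bind/
    printf '%s\n' \
        "# Allow named to create and rotate its own log files (local override)" \
        "$dir/ rw," \
        "$dir/** rw,"
}

# apply_override: append the rules to the local override and reload only the
# bind9 profile, so AppArmor stays enabled for everything else on the host.
apply_override() {
    dir="$1"
    override=/etc/apparmor.d/local/usr.sbin.named        # assumed Debian path
    profile=/etc/apparmor.d/usr.sbin.named               # assumed Debian path
    log_dir_rules "$dir" >> "$override"
    apparmor_parser -r "$profile"
}
```

Run `named_label` first; only if it reports `enforce` (or `complain`) is the profile the thing to fix, and after `apply_override /var/log/bind` the `isc_stdio_open ... permission denied` line should disappear from the next `named` start.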