10.04 odd apparmor behavior with chrooted bind

Aaron Bennett abennett at clarku.edu
Thu Oct 21 18:00:01 UTC 2010


Hi,

I'm trying to get a chrooted bind working with apparmor.  

My problem is bind9 fails to start with "named:  chroot(): Permission denied" -- which tells me that I've got a problem with my apparmor profile.  However, if I do this:

complain /usr/sbin/named
service bind9 start

it works.  And then I do service bind9 stop; then:

enforce /usr/sbin/named
service bind9 start

and it works.  But if I let it start on boot, or if I do service apparmor restart, then it doesn't.  It only works if I first do "complain" and then "enforce".

check it out:

root at newnyx:~# service bind9 start
 * Starting domain name service... bind9                                        named: chroot(): Permission denied
                                                                         [fail]
root at newnyx:~# complain /usr/sbin/named
Setting /usr/sbin/named to complain mode.
root at newnyx:~# enforce /usr/sbin/named
Setting /usr/sbin/named to enforce mode.
root at newnyx:~# service bind9 start
 * Starting domain name service... bind9                                 [ OK ] 
root at newnyx:~#


In case it helps, here's my apparmor profile for /usr/sbin/named...

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /var/bind/chroot/dev/** r,
  /var/bind/chroot/etc/bind/** r,
  /var/bind/chroot/var/lib/bind/** rw,
  /var/bind/chroot/var/lib/bind/ rw,
  /var/bind/chroot/var/cache/bind/** rw,
  /var/bind/chroot/var/cache/bind/ rw,
  /var/bind/chroot/var/bind/data/** rw,
  /var/bind/chroot/var/bind/data/ rw,
  /var/bind/chroot/var/bind/slaves/** rw,
  /var/bind/chroot/var/bind/slaves/ rw,
  /var/bind/chroot/var/bind/** rw, 
  /var/bind/chroot/var/run/named/ rw, 
  /var/bind/chroot/var/run/named/** rw, 

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/bind/chroot/var/run/named/named.pid w,
  /var/bind/chroot/var/run/named/session.key w,
  # support for resolvconf
  /var/bind/chroot/var/run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  capability dac_read_search,
}

Anyone?  What am I missing here?

Thanks,

Aaron Bennett


--- 
Aaron Bennett
Manager of Systems Administration
Clark University ITS
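A small rule-coverage checker, added here as an example and not part of the original message: it parses the file rules of a profile like the one above (a constructed subset is embedded) and reports which globs grant access to a given path, using the glob semantics stated in the comments as an assumption about how the parser expands them. Run against the chroot directory itself it finds no matching rule, which is a useful thing to confirm when chroot() is denied.

```python
import re

# Constructed subset of the file rules quoted in the message above.
PROFILE = """
  /var/bind/chroot/dev/** r,
  /var/bind/chroot/etc/bind/** r,
  /var/bind/chroot/var/lib/bind/** rw,
  /var/bind/chroot/var/lib/bind/ rw,
  /var/bind/chroot/var/run/named/ rw,
  /var/bind/chroot/var/run/named/** rw,
  /usr/sbin/named mr,
  /var/bind/chroot/var/run/named/named.pid w,
  /etc/ssl/openssl.cnf r,
"""

# A file rule: absolute path glob, whitespace, permission letters, comma.
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex.
    Assumed semantics: '**' matches anything including '/', '*' matches
    anything except '/', '?' one non-slash char; a '*' or '**' directly
    after '/' must match at least one character, so '/dir/**' does not
    match '/dir/' itself (which needs its own '/dir/' rule)."""
    out, i = [], 0
    while i < len(glob):
        after_slash = i == 0 or glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]+" if after_slash else "[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def parse_rules(profile_text):
    """Return (glob, perms) pairs for every file rule in the profile text."""
    found = (RULE_RE.match(line) for line in profile_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def matching_rules(profile_text, path):
    """Rules whose glob covers `path`; give directories a trailing '/'."""
    return [(g, p) for g, p in parse_rules(profile_text)
            if glob_to_regex(g).fullmatch(path)]

def has_perm(profile_text, path, perm):
    """True if some matching rule grants the permission letter `perm`."""
    return any(perm in p for _, p in matching_rules(profile_text, path))

if __name__ == "__main__":
    for p in ("/var/bind/chroot/", "/var/bind/chroot/var/lib/bind/db.example"):
        print(p, "->", matching_rules(PROFILE, p) or "NO RULE")
```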