10.04 odd apparmor behavior with chrooted bind
Aaron Bennett
abennett at clarku.edu
Thu Oct 21 18:00:01 UTC 2010
Hi,
I'm trying to get a chrooted bind working with apparmor.
My problem is bind9 fails to start with "named: chroot(): Permission denied" -- which tells me that I've got a problem with my apparmor profile. However, if I do this:
complain /usr/sbin/named
service bind9 start
it works. And then I do service bind9 stop; then:
enforce /usr/sbin/named
service bind9 start
and it works. But if I let it start on boot, or if I do service apparmor restart, then it doesn't. It only works if I first do "complain" and then "enforce".
check it out:
root at newnyx:~# service bind9 start
* Starting domain name service... bind9 named: chroot(): Permission denied
[fail]
root at newnyx:~# complain /usr/sbin/named
Setting /usr/sbin/named to complain mode.
root at newnyx:~# enforce /usr/sbin/named
Setting /usr/sbin/named to enforce mode.
root at newnyx:~# service bind9 start
* Starting domain name service... bind9 [ OK ]
root at newnyx:~#
In case it helps, here's my apparmor profile for /usr/sbin/named:
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /var/bind/chroot/dev/** r,
  /var/bind/chroot/etc/bind/** r,
  /var/bind/chroot/var/lib/bind/** rw,
  /var/bind/chroot/var/lib/bind/ rw,
  /var/bind/chroot/var/cache/bind/** rw,
  /var/bind/chroot/var/cache/bind/ rw,
  /var/bind/chroot/var/bind/data/** rw,
  /var/bind/chroot/var/bind/data/ rw,
  /var/bind/chroot/var/bind/slaves/** rw,
  /var/bind/chroot/var/bind/slaves/ rw,
  /var/bind/chroot/var/bind/** rw,
  /var/bind/chroot/var/run/named/ rw,
  /var/bind/chroot/var/run/named/** rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/bind/chroot/var/run/named/named.pid w,
  # path spelled "choot" in the posted profile; corrected to "chroot" so it
  # matches the rest of the chroot rules
  /var/bind/chroot/var/run/named/session.key w,

  # support for resolvconf
  /var/bind/chroot/var/run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  capability dac_read_search,
}
Anyone? What am I missing here?
Thanks,
Aaron Bennett
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
More information about the ubuntu-server mailing list