here's the fix; don't know if it makes much sense to chroot and use AppArmor at the same time... guess there's no harm either...
follow the procedure described above and end with
Code:
vim /etc/apparmor.d/usr.sbin.named
and change marked lines
Code:
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # Dynamic updates need zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest -> moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  # /var/run/bind/run/named.pid w,

  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  # /var/run/bind/named.options r,

  # add also the following lines, thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}
don't forget to (re)start the services
Code:
/etc/init.d/sysklogd restart
/etc/init.d/apparmor start
/etc/init.d/bind9 start
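The mistake the post fixes for the pid file and named.options (a profile rule that still names the host path while the daemon now sees it under the chroot) is easy to repeat for other lines. The script below is an added example, not from the post: it walks the file rules of a profile and lists every path that is neither under the chroot nor one of the two things named legitimately touches outside it (its own binary, which is mapped before it chroots, and /proc, which is not in the jail). The chroot location /var/lib/named and that exception list are assumptions; the profile text is a constructed copy of the one above.

```sh
#!/bin/sh
# Added example (not from the original post): list file rules in an AppArmor
# profile for a chrooted named whose path points outside the chroot.
# CHROOT and the exception list in outside_allowed are assumptions.

CHROOT=/var/lib/named

# Constructed copy of the profile from the post (abbreviated, same rules).
PROFILE='# constructed: chrooted named profile
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  capability sys_chroot,
  /var/lib/named/etc/bind/* rw,
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}'

# Paths named may legitimately use outside the jail: its own binary (mapped
# before the chroot happens) and /proc, which is not replicated inside it.
outside_allowed() {
    case "$1" in
        /usr/sbin/named|/proc/*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_outside PROFILE_TEXT: print the path of every file rule that is
# neither under $CHROOT nor accepted by outside_allowed. Blank lines,
# comments, #include lines, capability lines and the braces are skipped.
list_outside() {
    printf '%s\n' "$1" | while read -r line; do
        case "$line" in
            ''|\#*|capability*|*\{|\}) continue ;;
        esac
        path=${line%% *}          # first word of the rule is the path
        case "$path" in
            "$CHROOT"/*) ;;       # inside the jail: fine
            *) outside_allowed "$path" || printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

list_outside "$PROFILE"
```

Run against the profile from the post it reports /var/cache/bind/*: that rule still grants the host path, so if named's working directory inside the jail is /var/cache/bind the rule would need the same /var/lib/named prefix the post already gave the pid file and named.options; if nothing in the jail uses that directory, the line is merely dead and can be dropped.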