Navigation

Spezi2u · #11 5th May 2008, 13:36

if you happen to put your local zones in a subdirectory of i.e. /etc/bind don't forget to add all dirs into the apparmor file.

Code:

[...]

/etc/bind/zones/*  rw,
/etc/bind/zones/external/* rw,
/etc/bind/zones/internal/* rw,

[...]

...have fun.
Michael

Spezi2u · #12 5th May 2008, 13:42

... I think I am still on WE. The last post should be reading:

Code:

[...]

/var/lib/named/etc/bind/zones/* rw,
/var/lib/named/etc/bind/zones/external/* rw,
/var/lib/named/etc/bind/zones/internal/* rw,

[...]

ahsamuel · #13 13th May 2008, 10:16

for some reason, it doesn't work here..

i even copied the whole sample into my file.

only when i stop apparmor it works again.

any ideas?

ubuntu 8.04 perfect server + ispconfig etc.

thank you

falko · #14 14th May 2008, 16:22

It's strongly recommended to disable AppArmor. See chapter 10 on http://www.howtoforge.com/perfect-se...ntu8.04-lts-p3

ahsamuel · #15 14th May 2008, 18:00

thank you, i must have overread this line...

Djamu · #16 24th May 2008, 16:07

Quote:

Originally Posted by falko

It's strongly recommended to disable AppArmor. See chapter 10 on http://www.howtoforge.com/perfect-se...ntu8.04-lts-p3

Do you mind to tell why that is ( aside from the troubles with installing ISPconfig ) ?

Shouldn't that line then read as > It's strongly recommended to disable AppArmor when installing ISPconfig....

Currently I have no troubles whatsoever keeping it installed...

I do have some thoughts on the combination chroot / apparmor as it might well be that instead of adding security, security might get actually weaker. A simple " it's recommended " definitely won't do for an answer....

brokenshadows · #17 25th June 2008, 16:15

I still can't get bind9 to start...I've tried the suggestions in this post as well as several others I've found and I'm still getting a permission denied error...

the biggest problem is that I've been using linux for about a week now, so I still know enough to barely fill a thimble-full

the other thing I noticed is that even though I followed falko's instructions on disabling apparmor, it restarts every time I reboot the machine...but I don't think the bind9 error has anything to do with apparmor considering the error is the same whether apparmor is running or not

I know...I probably sound like an idiot...but I'm a confused idiot and would love a little help here :P

Djamu · #18 25th June 2008, 17:13

Quote:

Originally Posted by brokenshadows

...
the other thing I noticed is that even though I followed falko's instructions on disabling apparmor, it restarts every time I reboot the machine...but I don't think the bind9 error has anything to do with apparmor considering the error is the same whether apparmor is running or not
...

k.
well I suggest continuing learning linux coz it's a wonderful thing...
...
now, your problem at hand...
the chances of getting proper help on the forums grows as you provide good info..
so before anything else > what Linux flavour are you using ( they all differ a little > places of configs / commands etc... )
are you familiar with file permissions ( does 777 / 644 ring a bell ? )
owner permissions ? ( not all users can run all services )...
I've got to go for a couple of hours, but will be back in 2-3 from now on

docfx · #19 21st December 2008, 21:54

Installed Hardy updated to 8.04.1LTS w/LVM

All was well,

Code:

Dec 20 16:21:14 wonder named[31642]: starting BIND 9.4.2-P2 -u bind
Dec 20 16:21:14 wonder named[31642]: found 1 CPU, using 1 worker thread
Dec 20 16:21:14 wonder named[31642]: loading configuration from '/etc/bind/named.conf'
Dec 20 16:21:14 wonder named[31642]: listening on IPv6 interfaces, port 53

then I started going thru the Howtoforge "perfect server" tutorial. Got to the part where bind gets chrooted and...

Bind 9 fails - acc'd to /var/log/syslog:

Code:

Dec 21 14:00:54 wonder named[6828]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 21 14:00:54 wonder named[6828]: found 1 CPU, using 1 worker thread
Dec 21 14:00:54 wonder named[6828]: loading configuration from '/etc/bind/named.conf'
Dec 21 14:00:54 wonder named[6828]: none:0: open: /etc/bind/named.conf: permission denied
Dec 21 14:00:54 wonder named[6828]: loading configuration: permission denied
Dec 21 14:00:54 wonder named[6828]: exiting (due to fatal error)

Have tried it, per the tutorial ( w/ AppArmor disabled/purged ) as well as per Ubuntu Forum ( ubuntuforums.org/showthread.php?t=735188&highlight=bind9+fail ).

AppArmor is currently running and my usr.sbin.named is:

Code:

# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # /etc/bind/** r,

  # Dynamic updates needs zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,

  # if local zones are in a subdirectory
  /var/lib/named/etc/bind/zones/* rw,
  /var/lib/named/etc/bind/zones/external/* rw,
  /var/lib/named/etc/bind/zones/internal/* rw,

  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,

  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/lib/named/var/run/bind/run/named.pid w,
  #/var/run/bind/run/named.pid w,
  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  #/var/run/bind/named.options r,

# add also following lines thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,

}

Contents of /etc/bind/ aka /var/lib/named/etc/bind/ are:

Code:

-rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.0
-rw-r--r-- 1 bind bind  271 2008-04-09 15:44 db.127
-rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.255
-rw-r--r-- 1 bind bind  353 2008-04-09 15:44 db.empty
-rw-r--r-- 1 bind bind  270 2008-04-09 15:44 db.local
-rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
-rw-r--r-- 1 bind bind  907 2008-04-09 15:44 named.conf
-rw-r--r-- 1 bind bind  165 2008-04-09 15:44 named.conf.local
-rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
-rw------- 1 root root  695 2008-12-21 13:51 named.conf.options~
-rw-r----- 1 bind bind   77 2008-05-26 17:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918

and still bind9 refuses to start from CLI or during reboot... It doesn't see to make any difference if I use OPTIONS="-u bind -t /var/lib/named" or OPTIONS="-u bind".

Any suggestions would greatly appreciated.

falko · #20 22nd December 2008, 11:41

What's the output of

Code:

ls -la /var/lib/named/etc/bind

, and what's in named.conf?

Navigation

Facebook

News

Recent comments

Newsletter