Page ''bind:chroot'': created 2007/05/27 12:15 by a (originally titled "Chrooting BIND9 in Sarge"); current revision 2010/01/08 01:43 by 193.164.137.40.
===== Chrooting BIND9 in Debian =====

<code bash>
apt-get install bind9
</code>

We need to modify the startup script ''/etc/init.d/sysklogd'' of sysklogd so that we still get important messages logged to the system logs: a chrooted ''named'' cannot reach the host's ''/dev/log'', so the logger has to open an additional socket inside the chroot. Modify the line ''SYSLOGD=""'' so that it reads ''SYSLOGD="-a /var/lib/named/dev/log"'':
<note tip>**Debian Lenny and later, which use rsyslogd:** \\
Tell rsyslog to listen for log events in the chroot: \\
''# vi /etc/rsyslog.d/bind-chroot.conf'' \\
and add the line: \\
''$AddUnixListenSocket /var/lib/named/dev/log''
</note>

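The two logger variants above (sysklogd's ''-a'' flag and rsyslog's ''$AddUnixListenSocket'') do the same job: they make the host logger create a second socket inside the chroot. The script below is an added example, not code from the wiki page; it applies whichever variant the system uses, idempotently, and then checks that a message written through the chroot socket actually lands in the host log. The chroot at ''/var/lib/named'' follows the page; the function names, the ''main'' wrapper and the ''--apply'' switch are my own, and every path is a parameter so the functions can be exercised on a test copy of the files.

```sh
#!/bin/sh
# Added example (not from the original wiki page): let the host's syslog
# daemon accept messages from a named running inside a chroot, then verify
# that a message sent through the chroot socket reaches the system log.
# Assumed default: the page's chroot at /var/lib/named; all paths below are
# parameters, so they can be pointed at a test copy of the files.

# sysklogd (Debian Sarge/Etch): add "-a <socket>" to the SYSLOGD="..." line of
# the given file (the page edits /etc/init.d/sysklogd). Idempotent: a second
# run leaves the file unchanged; other lines pass through untouched.
add_sysklogd_socket() {
    file="$1"; sock="$2"
    if grep -qF -- "-a $sock" "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v sock="$sock" '
        /^SYSLOGD="/ {
            sub(/"$/, "")            # strip the closing quote
            sub(/^SYSLOGD="/, "")    # strip the assignment, keep existing flags
            $0 = "SYSLOGD=\"" (length($0) ? $0 " " : "") "-a " sock "\""
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# rsyslog (Debian Lenny and later): a drop-in file with one extra listen socket.
write_rsyslog_dropin() {
    dropin="$1"; sock="$2"
    printf '$AddUnixListenSocket %s\n' "$sock" > "$dropin"
}

# After the logger has been restarted: the socket must exist inside the chroot
# (only the logger creates it), and a message written through it must show up
# in the host log. Uses logger(1)'s -u option to write to a specific socket.
verify_chroot_logging() {
    sock="$1"; logfile="${2:-/var/log/syslog}"
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock: the logger is not listening in the chroot" >&2
        return 1
    fi
    tag="chroot-log-test-$$"
    logger -u "$sock" -t "$tag" "message from the named chroot"
    sleep 1
    grep -q "$tag" "$logfile"
}

# Apply the right variant for this host, restart the logger, then verify.
main() {
    chroot_dir="${1:-/var/lib/named}"
    if [ -d /etc/rsyslog.d ]; then
        write_rsyslog_dropin /etc/rsyslog.d/bind-chroot.conf "$chroot_dir/dev/log"
        /etc/init.d/rsyslog restart
    else
        add_sysklogd_socket /etc/init.d/sysklogd "$chroot_dir/dev/log"
        /etc/init.d/sysklogd restart
    fi
    verify_chroot_logging "$chroot_dir/dev/log"
}

# Only --apply touches the live system; otherwise the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

''verify_chroot_logging'' is the check worth keeping around: if ''named'' later stops logging after a package upgrade rewrites the logger configuration, a missing socket in the chroot is the first thing to look for.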
<code bash>
#! /bin/sh

/etc/init.d/bind9 start
</code>

===== Ubuntu troubleshooting =====

You might get errors like these in syslog:

<code - syslog>
1 gauloises kernel: [180942.452046] audit(1217451274.744:5): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14130 profile="/usr/sbin/named" namespace="default"
1 gauloises kernel: [180942.453222] audit(1217451274.748:6): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14130 profile="/usr/sbin/named" namespace="default"
1 gauloises named: none:0: open: /etc/bind/named.conf: permission denied
1 gauloises named: loading configuration: permission denied
1 gauloises kernel: [180942.460655] audit(1217451274.756:7): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
1 gauloises kernel: [180942.460761] audit(1217451274.756:8): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/chroot/named/etc/bind/named.conf" pid=14131 profile="/usr/sbin/named" namespace="default"
1 gauloises kernel: [180942.460812] audit(1217451274.756:9): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
1 gauloises kernel: [180942.461179] audit(1217451274.756:10): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
1 gauloises kernel: [180942.461221] audit(1217451274.756:11): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
</code>

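These ''type=1503'' lines are AppArmor denials: the profile for ''/usr/sbin/named'' still lists only the non-chroot paths, so every read of the copies under ''/var/chroot/named'' is refused. The script below is an added example, not part of the wiki page: it reads such syslog lines and derives the profile rules they imply, merging repeated denials per path, so the profile can be extended with the chroot paths instead of being put into complain mode. The function name is mine and the sample lines are constructed to match the format above.

```sh
#!/bin/sh
# Added example, not part of the original wiki page: derive AppArmor profile
# rules from the "inode_permission" denials that syslog shows for a chrooted
# named, so the profile can be extended with the chroot paths instead of
# being switched off. The function name and the sample lines are mine.

# Reads syslog lines on stdin and prints one "path mode," rule per denied
# path; access letters from repeated denials on the same path are merged
# (a read and a write denial become "rw,"). The old kernel-audit mask format
# ("::r", "r::") is reduced to its letters.
apparmor_denials_to_rules() {
    grep 'operation="inode_permission"' \
    | sed -n 's/.*denied_mask="\([^"]*\)".*name="\([^"]*\)".*/\2 \1/p' \
    | awk '{
        path = $1; mask = $2
        gsub(/:/, "", mask)
        for (i = 1; i <= length(mask); i++) {
            c = substr(mask, i, 1)
            if (index(modes[path], c) == 0) modes[path] = modes[path] c
        }
    }
    END { for (p in modes) print p " " modes[p] "," }' \
    | sort
}

# Constructed sample in the format of the syslog excerpt above: read denials
# on two chroot copies of files, and one write denial on the pid file.
SAMPLE_DENIALS='Jul 31 00:14:34 host kernel: [180942.452046] audit(1217451274.744:5): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14130 profile="/usr/sbin/named" namespace="default"
Jul 31 00:14:34 host named: none:0: open: /etc/bind/named.conf: permission denied
Jul 31 00:14:34 host kernel: [180942.460761] audit(1217451274.756:8): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/chroot/named/etc/bind/named.conf" pid=14131 profile="/usr/sbin/named" namespace="default"
Jul 31 00:14:34 host kernel: [180942.461221] audit(1217451274.756:11): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
Jul 31 00:14:35 host kernel: [180942.470102] audit(1217451274.770:12): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/var/chroot/named/var/run/bind/run/named.pid" pid=14131 profile="/usr/sbin/named" namespace="default"'

# On a live system the input would come from the log instead:
#   grep 'profile="/usr/sbin/named"' /var/log/syslog | apparmor_denials_to_rules
printf '%s\n' "$SAMPLE_DENIALS" | apparmor_denials_to_rules
```

Review each printed path before using it: only files ''named'' legitimately needs under the chroot should become rules. The lines go inside the ''/usr/sbin/named { }'' block of ''/etc/apparmor.d/usr.sbin.named'' next to the existing ''/etc/bind/** r,'' style entries, after which the profiles are reloaded as shown in the work-around below.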
==== Work-around ====

Here's my ''/etc/apparmor.d/usr.sbin.named'' file. I've noted where I think the changes should be made.

<code - /etc/apparmor.d/usr.sbin.named>
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz

  ### Changing these to the chroot location is part of the solution. ###
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/cache/bind/** rw,
  ###

  # added 20080914 --amj to give named access to log file
  /var/log/named.log w,

  ### As are these, but I haven't tinkered with them yet ###
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/run/bind/run/named.pid w,
  # support for resolvconf
  /var/run/bind/named.options r,
  ###
}
</code>

Reload the profiles:

<code>
# /etc/init.d/apparmor restart
Reloading AppArmor profiles : done.
</code>

and then restart BIND.