Differences

This shows you the differences between two versions of the page.

--- bind:chroot [2007/05/27 12:15]
a created
+++ bind:chroot [2010/01/08 01:43] (current)
193.164.137.40
@@ Line 1: / Line 1: @@
-===== Chrooting BIND9 in Sarge =====
+===== Chrooting BIND9 in Debian =====
    apt-get install bind9
@@ Line 35: / Line 35: @@
 We need to modify the startup script ''/etc/init.d/sysklogd'' of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: ''SYSLOGD="-a /var/lib/named/dev/log"'':
+<note tip>**Debian Lenny++ users that uses rsyslogd:** \\
+# Tell rsyslog to listen for log events in the chroot: \\
+# vi /etc/rsyslog.d/bind-chroot.conf \\
+and add the line:
+''$AddUnixListenSocket /var/lib/named/dev/log''
+</note>
    #! /bin/sh
@@ Line 145: / Line 154: @@
    /etc/init.d/bind9 start
+===== Ubuntu troubleshooting =====
+you might get this kind of errors in syslog
+<code |f syslog>
+gauloises kernel: [180942.452046] audit(1217451274.744:5): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14130 profile="/usr/sbin/named" namespace="default"
+gauloises kernel: [180942.453222] audit(1217451274.748:6): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14130 profile="/usr/sbin/named" namespace="default"
+gauloises named: none:0: open: /etc/bind/named.conf: permission denied
+gauloises named: loading configuration: permission denied
+gauloises kernel: [180942.460655] audit(1217451274.756:7): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
+gauloises kernel: [180942.460761] audit(1217451274.756:8): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/chroot/named/etc/bind/named.conf" pid=14131 profile="/usr/sbin/named" namespace="default"
+gauloises kernel: [180942.460812] audit(1217451274.756:9): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
+gauloises kernel: [180942.461179] audit(1217451274.756:10): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
+gauloises kernel: [180942.461221] audit(1217451274.756:11): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/chroot/named/etc/localtime" pid=14131 profile="/usr/sbin/named" namespace="default"
+</code>
+==== Work-around ====
+Here's my ''/etc/apparmor.d/usr.sbin.named'' file. I've noted where I think the changes should be made.
+<code |f /etc/apparmor.d/usr.sbin.named>
+#include <tunables/global>
+/usr/sbin/named {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  # /etc/bind should be read-only for bind
+  # /var/lib/bind is for dynamically updated zone (and journal) files.
+  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
+  # See /usr/share/doc/bind9/README.Debian.gz
+### Changing these to the chroot location is part of the solution. ###
+  /etc/bind/** r,
+  /var/lib/bind/** rw,
+  /var/cache/bind/** rw,
+###
+# added 20080914 --amj to give named access to log file
+  /var/log/named.log w,
+### As are these, but I haven't tinkered with them yet ###
+  /proc/net/if_inet6 r,
+  /usr/sbin/named mr,
+  /var/run/bind/run/named.pid w,
+  # support for resolvconf
+  /var/run/bind/named.options r,
+###
+}
+</code>
+   # /etc/init.d/apparmor restart
+       Reloading AppArmor profiles : done.
+and then restart BIND