Just upgraded Debian and named is not starting now. I have 2 log channels configured:
channel "named_log" {
    file "/var/log/bind/named.log" versions 10 size 2m;
    severity dynamic;
    print-category yes;
    print-severity yes;
    print-time yes;
};
channel "query_log" {
    file "/var/log/bind/query.log" versions 2 size 100k;
    severity dynamic;
    print-severity yes;
    print-time yes;
};
Everything was working till upgrade. Here's the directory:
root@dom:/var/log/bind# ls -la /var/log/bind
total 156
drwxrwsr-x 2 bind bind 4096 Oct 30 17:14 .
drwxr-xr-x 36 root root 4096 Oct 30 15:41 ..
-rw-r----- 1 bind bind 149847 Oct 30 17:45 bind9.log
root@dom:/var/log/bind# id bind
uid=110(bind) gid=118(bind) groups=118(bind)
root@dom:/var/log/bind# ls -lna /var/log/bind
total 156
drwxrwsr-x 2 110 118 4096 Oct 30 17:14 .
drwxr-xr-x 36 0 0 4096 Oct 30 15:41 ..
-rw-r----- 1 110 118 149847 Oct 30 17:45 bind9.log
root@dom:/var/log/bind# named -v
BIND 9.11.5-P4-5.1-Debian (Extended Support Version) <id:998753c>
root@dom:~# ps -eo pid,gid,euid,comm|grep named
6677 118 110 named
But I have this:
Oct 30 17:04:35 dom named[4997]: configuring command channel from '/etc/bind/rndc.key'
Oct 30 17:04:35 dom named[4997]: command channel listening on 127.0.0.1#953
Oct 30 17:04:35 dom named[4997]: isc_stdio_open '/var/log/bind/named.log' failed: permission denied
Oct 30 17:04:35 dom named[4997]: configuring logging: permission denied
Oct 30 17:04:35 dom named[4997]: loading configuration: permission denied
Oct 30 17:04:35 dom named[4997]: exiting (due to fatal error)
I temporarily enabled login for user bind and can confirm that this user can create and modify files in /var/log/bind/.
Please help.
Update: did chmod 777 /var/log/bind – the same error.
Best Answer
It sounds as though bind9 may not be allowed to write to the folder for other reasons. Check to see if AppArmor is running via aa-status. AppArmor is another mandatory access control mechanism for Linux, comparable to SELinux. In reality, you want it there because it keeps applications from being used maliciously if exploited.
If it is, temporarily disable it to test:
If that resolves the issue, then you will need to update the bind9 profile in AppArmor to allow it access to the log folder. For reference, AppArmor profiles are stored in /etc/apparmor.d/
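As an added example, not part of the original answer or of the bind9/AppArmor projects: a small POSIX shell helper that takes the AppArmor denial the kernel logs for exactly this failure (named's DAC permissions are fine, the MAC layer refuses the open) and derives the file rule to put in the local profile override. The audit lines inside it are constructed for the example; on the affected host they come from `dmesg` or `journalctl -k`. The profile name `/usr/sbin/named`, the packaged profile `/etc/apparmor.d/usr.sbin.named` and the override `/etc/apparmor.d/local/usr.sbin.named` are assumed Debian bind9 packaging conventions, so confirm them in /etc/apparmor.d/ before applying anything.

```shell
#!/bin/sh
# Added example, not from the original post or the bind9/AppArmor projects.
# Reads AppArmor "DENIED" audit lines (as printed by `dmesg` / `journalctl -k`),
# keeps the ones raised against the named profile and derives the file rule
# to add to the local profile override.

# CONSTRUCTED sample lines for the demo; the field layout follows the kernel's
# audit format. Only the first is a denial against named.
SAMPLE_DENIAL='audit: type=1400 audit(1572454275.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/named.log" pid=4997 comm="named" requested_mask="wc" denied_mask="wc" fsuid=110 ouid=110'
SAMPLE_OTHER='audit: type=1400 audit(1572454276.001:46): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=812 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# aa_field KEY LINE: print the value of KEY="value" from one audit line.
# The leading whitespace anchor keeps denied_mask from matching requested_mask.
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# aa_denials_for PROFILE: filter stdin down to AppArmor denials for PROFILE
# (profile names are the binary path, e.g. /usr/sbin/named; assumed here).
aa_denials_for() {
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$1\""
}

# aa_suggest_rule LINE: print an AppArmor file rule covering the denied
# path's directory with the permissions the kernel refused. Mask letters:
# r read, w write, a append, c create, k lock; 'w' subsumes 'a' and 'c'.
# Returns 1 for a line that is not a denial.
aa_suggest_rule() {
    line=$1
    [ "$(aa_field apparmor "$line")" = "DENIED" ] || return 1
    path=$(aa_field name "$line")
    mask=$(aa_field denied_mask "$line")
    perms=""
    case "$mask" in *r*) perms="${perms}r" ;; esac
    case "$mask" in *w*|*a*|*c*) perms="${perms}w" ;; esac
    case "$mask" in *k*) perms="${perms}k" ;; esac
    printf '%s/** %s,\n' "$(dirname "$path")" "$perms"
}

# aa_apply_local_rule RULE: append RULE once to the Debian local override for
# the named profile (assumed path) and reload the packaged profile. Needs root
# on the host; the demo below does not call it.
aa_apply_local_rule() {
    override=/etc/apparmor.d/local/usr.sbin.named
    grep -qxF "$1" "$override" 2>/dev/null || printf '%s\n' "$1" >> "$override"
    apparmor_parser -r /etc/apparmor.d/usr.sbin.named
}

# Demo: on a live host replace the printf with `dmesg` (or `journalctl -k`).
printf '%s\n' "$SAMPLE_DENIAL" "$SAMPLE_OTHER" \
    | aa_denials_for /usr/sbin/named \
    | while IFS= read -r line; do aa_suggest_rule "$line"; done
```

On the live host, `aa-status` shows whether the named profile is in enforce mode, and the last pipeline is fed by `dmesg` instead of the constructed lines. The rule derived from the mask is only the minimum the kernel refused; for a log directory where named also rotates files (`versions 10`) the usual rule is `/var/log/bind/** rw,`, added to the local override rather than the packaged profile so a package upgrade does not overwrite it, then reloaded with `apparmor_parser -r`.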