I am trying to run bind9, on an Ubuntu box, in a chroot jail, as discussed in "Linux System Administration" (Adelstein & Lubanovic). The command "sudo /etc/init.d/bind9 start" is generating errors in syslog:
Jun 27 13:39:48 doli named[12418]: starting BIND 9.5.1-P2 -u bind -t /var/lib/named
. . .
Jun 27 13:39:48 doli named[12418]: loading configuration from '/etc/bind/named.conf'
Jun 27 13:39:48 doli named[12418]: none:0: open: /etc/bind/named.conf: permission denied
Jun 27 13:39:48 doli named[12418]: loading configuration: permission denied
Jun 27 13:39:48 doli named[12418]: exiting (due to fatal error)
Jun 27 13:39:48 doli kernel: [426157.438173] type=1503 audit(1246124388.753:33): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=105 name="/var/lib/named/etc/bind/named.conf" pid=12419 profile="/usr/sbin/named"
The server is configured as follows:
- /etc/bind is symlinked to /var/lib/named/etc/bind.
- Ownerships for /var/…/etc and everything in it are set to bind:bind.
- /etc/default/bind9 has OPTIONS="-u bind -t /var/lib/named" (but I note that /etc/init.d/bind9 has OPTIONS="" and a notation that seems to say leave that alone and reset the value in /etc/default/bind9).
The syslog suggests the problem is that the process owner for bind9 can't read the configuration file, but it starts as root and resets to bind, either of which I would think should be able to read the configuration.
What am I missing here?
Best Answer
EDIT: oops, AppArmor, not SELinux...
Look at /etc/apparmor.d/usr.sbin.named
There's a section that looks like this:
I suggest adding this afterwards (or possibly replacing it with this):
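As an added example (not part of the question or the answer above), here is a small Python helper that pulls the profile, denied path and access mode out of the kernel audit line quoted in the question and, assuming the chroot is /var/lib/named, derives a candidate AppArmor file rule for the relocated config directory. The sample log is constructed from the question's lines; the parser also accepts the newer `apparmor="DENIED"` log layout, whose field syntax is the same.

```python
import os
import re

# Sample input constructed for this example: the named error and the kernel
# audit line from the question above (old "type=1503" AppArmor log format).
SAMPLE_LOG = """\
Jun 27 13:39:48 doli named[12418]: loading configuration: permission denied
Jun 27 13:39:48 doli kernel: [426157.438173] type=1503 audit(1246124388.753:33): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=105 name="/var/lib/named/etc/bind/named.conf" pid=12419 profile="/usr/sbin/named"
"""

# key=value pairs, quoted ("...") or bare, as AppArmor writes them to the log
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denials(log_text):
    """Return one dict per AppArmor denial found in log_text.

    Matches the old kernel-audit layout (type=1503 ... denied_mask="r::") and
    the newer one (apparmor="DENIED" ... denied_mask="r"); other lines, such as
    named's own "permission denied" message, are skipped.
    """
    events = []
    for line in log_text.splitlines():
        if "denied_mask=" not in line:
            continue
        fields = {k: q or b for k, q, b in FIELD.findall(line)}
        if fields.get("apparmor", "DENIED") != "DENIED":
            continue  # ALLOWED/AUDIT entries in the new format are not denials
        mask = fields.get("denied_mask", "")
        events.append({
            "profile": fields.get("profile"),
            "path": fields.get("name"),
            "operation": fields.get("operation"),
            # the old format pads the mask with "::"; keep only the mode letters
            "mode": "".join(c for c in mask if c.isalpha()),
            "fsuid": fields.get("fsuid"),
        })
    return events


def suggest_rule(event, chroot):
    """Candidate AppArmor file rule (directory glob) for a denial inside chroot.

    Returns None when the denied path lies outside the chroot, since that is a
    different problem than the relocated config directory.
    """
    path = event["path"]
    if not path or not path.startswith(chroot.rstrip("/") + "/"):
        return None
    return f'{os.path.dirname(path)}/** {event["mode"]},'


if __name__ == "__main__":
    for ev in parse_apparmor_denials(SAMPLE_LOG):
        print(f'{ev["profile"]} denied {ev["mode"]} on {ev["path"]} (fsuid {ev["fsuid"]})')
        print("candidate rule:", suggest_rule(ev, "/var/lib/named"))
```

The printed rule is only a starting point for editing /etc/apparmor.d/usr.sbin.named; after changing the profile it has to be reloaded before restarting bind9.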