AppArmor, DHCP, Bind9 issue [SOLVED]
pemensik at redhat.com
Fri Oct 2 07:53:13 UTC 2020
On 10/1/20 5:27 PM, Olivier wrote:
> Thank you all for replying !
> Thanks to your suggestions, creating an /etc/bind/subdir directory, and
> tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update
> Bind9 entries.
It depends whether zone data are considered data (and belong in
/var/lib/bind instead), or configuration. When it is updated by named, I
think it is data. And you should just make a symlink to /var/lib/bind or
its subdirectory. It is already prepared for that.
Or just use full paths to /var/lib/bind in zone definitions.
> 1. I'm hesitant to file a bug on Debian about this. As this involves both
> Bind9 and AppArmor, would you say it deserves to be implemented and
> documented in the default Bind9 installation, or that it is too specific for
> this?
I doubt it. It is documented in /usr/share/doc/bind9/README.Debian,
where it should belong. It clearly states any zone with dynamic updates
should belong in /var/lib/bind.
Of course you can customize it, but then AppArmor also has to be adjusted.
> 2. If it deserves to be implemented, how would you name this
> /etc/bind/subdir directory?
> I personally used "/etc/bind/ddns-zones", but surely there exist
> alternatives that better describe the purpose of this directory (hosting
> config that bind9 needs to rewrite), such as:
(cd /etc/bind && ln -s ../../var/lib/bind ddns-zones)
should be enough.
> Detailed steps I followed on Debian Buster to work around the issue were:
> mkdir /etc/bind/ddns-zones
> chown root:bind /etc/bind/ddns-zones
> # I don't know if plain 775 fits better. Comments welcome
> chmod 2775 /etc/bind/ddns-zones
> Adding into /etc/apparmor.d/usr.sbin.named a line:
> /etc/bind/ddns-zones/** rw,
> before the line
> /etc/bind/** r,
> Best regards
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
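Added example, not part of the thread or of the bind9 package: a small POSIX shell check that resolves a zone file path through the symlink suggested above (/etc/bind/ddns-zones -> ../../var/lib/bind) and reports whether the file physically lands under /var/lib/bind, the directory Debian's AppArmor profile already lets named write to. The directory layout is constructed in a temporary prefix, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks where a zone file really lives
# after symlinks are resolved, so a zone that named must rewrite (dynamic
# update) ends up under var/lib/bind instead of read-only etc/bind.
# A hypothetical prefix is built with mktemp so nothing under /etc or /var
# is touched.
set -eu

# Resolve "<dir>/<file>" to "<physical dir>/<file>", following symlinked
# directories. The file itself need not exist yet; the directory must.
# POSIX only (cd + pwd -P), so no dependency on readlink -f.
physical_path() {
    _dir=$(dirname "$1")
    _base=$(basename "$1")
    _phys=$(cd "$_dir" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$_phys" "$_base"
}

# Return 0 when the zone file resolves under <prefix>/var/lib/bind (writable
# for named under the Debian AppArmor profile), 1 when it lands elsewhere
# and a dynamic update would be denied unless the profile is changed.
dynamic_zone_ok() {
    _root=$1
    _file=$2
    _real=$(physical_path "$_file") || return 1
    case "$_real" in
        "$_root/var/lib/bind"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed layout mirroring Debian: config in etc/bind, data in
# var/lib/bind, plus the relative symlink suggested in the reply.
setup_demo() {
    _root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$_root/etc/bind" "$_root/var/lib/bind"
    (cd "$_root/etc/bind" && ln -s ../../var/lib/bind ddns-zones)
    printf '%s\n' "$_root"
}

ROOT=$(setup_demo)
dynamic_zone_ok "$ROOT" "$ROOT/etc/bind/ddns-zones/db.example.internal" \
    && echo "symlinked zone: ok, resolves under var/lib/bind"
dynamic_zone_ok "$ROOT" "$ROOT/etc/bind/db.example.internal" \
    || echo "zone directly in etc/bind: move it or adjust AppArmor"
rm -rf "$ROOT"
```

Run it against a real host by replacing the constructed prefix with an empty string and the zone paths with the `file` values from named.conf.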