AppArmor, DHCP, Bind9 issue

Olivier oza.4h07 at gmail.com
Tue Sep 22 14:42:52 UTC 2020


Hello,

I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5)
instance installed on a Debian Buster box.
Both come from Debian stable repo.

I would like my DHCP server to update Bind9 database when leases are
allocated to DHCP clients.

I followed instructions from [1].
I then met the following error:
Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied

I edited /etc/apparmor.d/usr.sbin.named and it now includes the following
content:
 ...
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # Next line added to work around apparmor issue
  /etc/bind/*.jnl rw,
  # End of addition
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
...

Now, /var/log/syslog includes:
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' A 192.168.42.104
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' TXT "0097d51fa2194acbea0809316da0885aa0"
Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied

ls -l /etc
drwxr-sr-x 2 root     bind      4096 sept. 21 16:01 bind

ls -l /var/cache
drwxrwxr-x  2 root bind 4096 sept. 22 16:25 bind

ls -l /var/cache/bind
lrwxrwxrwx 1 root root  23 sept. 21 14:29 db.192.168.42 -> /etc/bind/db.192.168.42
lrwxrwxrwx 1 root root  29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com
-rw-r--r-- 1 root root   0 sept. 21 16:36 db.bar.com.jnl
...

How can I solve this?

[1] https://wiki.debian.org/DDNS

Best regards
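Added example, not part of Olivier's message and not code from the Debian or ISC packages: a small model of the two permission layers named has to pass before it can create a zone journal. The point it demonstrates is the difference between the two "permission denied" results in the post. The first one came with an AppArmor audit line (requested_mask="c"); after the profile was widened the audit line disappeared but the EACCES stayed, which is what plain filesystem DAC looks like when a directory such as /etc/bind (drwxr-sr-x root bind) is not writable by the bind group. The profile fragments, directory modes and uid 107 are taken from the post; the AppArmor glob matcher is a simplified reimplementation of the profile semantics ('*' does not cross '/', '**' does), and the numeric gid 113 for the bind group is a constructed assumption.

```python
"""Model the AppArmor (MAC) and POSIX (DAC) checks behind a zone-journal create."""
import re
from dataclasses import dataclass


def apparmor_glob_to_regex(pattern):
    """Translate an AppArmor path glob: '**' may cross '/', '*' may not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile_rules(text):
    """Collect '/path/glob perms,' file rules; comments and blank lines do not match."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^(/\S+)\s+([a-zA-Z]+),$", line.strip())
        if m:
            rules.append((apparmor_glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def apparmor_allows(rules, path, requested):
    """Union the permissions of every matching rule. A 'w' rule also grants
    create ('c') and append ('a'), which is what the audit line asked for."""
    granted = set()
    for rx, perms in rules:
        if rx.match(path):
            granted |= perms
    if "w" in granted:
        granted |= {"c", "a"}
    return set(requested) <= granted


@dataclass
class Dir:
    mode: int  # permission bits as stat reports them, e.g. 0o2755 for drwxr-sr-x
    uid: int
    gid: int


def dac_allows_create(d, uid, gids):
    """POSIX DAC: creating an entry needs write and search (x) on the parent dir."""
    if uid == 0:
        return True
    if uid == d.uid:
        bits = (d.mode >> 6) & 7
    elif d.gid in gids:
        bits = (d.mode >> 3) & 7
    else:
        bits = d.mode & 7
    return bits & 0o3 == 0o3


def diagnose(profile_text, dirs, path, uid, gids):
    """Return the layer that stops creation of `path`: 'apparmor', 'dac' or 'ok'.
    For O_CREAT the kernel runs the LSM path hook (AppArmor, audited) before the
    DAC directory check (silent EACCES), so a widened profile can expose a DAC
    failure that was hidden behind the AppArmor denial."""
    if not apparmor_allows(parse_profile_rules(profile_text), path, "c"):
        return "apparmor"
    parent = path.rsplit("/", 1)[0]
    if not dac_allows_create(dirs[parent], uid, gids):
        return "dac"
    return "ok"


# Profile fragments as quoted in the post, before and after the work-around line.
PROFILE_BEFORE = """
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
"""
PROFILE_AFTER = "  # Next line added to work around apparmor issue\n  /etc/bind/*.jnl rw,\n" + PROFILE_BEFORE

BIND_UID = 107           # fsuid=107 in the audit line
BIND_GID = 113           # constructed: the post never shows the numeric gid of "bind"
BIND_GIDS = {BIND_GID}
DIRS = {                 # ownership and modes from the post's `ls -l` output
    "/etc/bind": Dir(mode=0o2755, uid=0, gid=BIND_GID),       # drwxr-sr-x root bind
    "/var/cache/bind": Dir(mode=0o775, uid=0, gid=BIND_GID),  # drwxrwxr-x root bind
}

if __name__ == "__main__":
    for label, prof, path in [("before", PROFILE_BEFORE, "/etc/bind/db.bar.com.jnl"),
                              ("after", PROFILE_AFTER, "/etc/bind/db.bar.com.jnl"),
                              ("after", PROFILE_AFTER, "/var/cache/bind/db.bar.com.jnl")]:
        print(label, path, "->", diagnose(prof, DIRS, path, BIND_UID, BIND_GIDS))
```

Running it reproduces the sequence in the post: the original profile is denied by AppArmor, the widened profile passes AppArmor but is denied by DAC on /etc/bind, and the same journal under a bind-writable directory that the stock profile already covers with rw passes both layers without any profile change.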