<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 15-Mar-25 18:16, Lee wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAD8GWssbb0_Dp4PajcpdN1guYto1Nif3bhTsQyoyBmh4xi1QVA@mail.gmail.com">
<pre wrap="" class="moz-quote-pre">On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">
Apparmor was also mentioned, I have no experience with that, and have not changed it in any way (to my knowledge)...
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
On my machine,
$ journalctl -l | grep apparmor | grep bind |more
shows many lines like
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED"
operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk"
pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c"
fsuid=116 ouid=116
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED"
operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk"
pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c"
fsuid=116 ouid=116
/etc/apparmor.d/usr.sbin.named on my machine has
# /etc/bind should be read-only for bind
and I'm clearly violating that assumption :(
Rather than fix my bind config I fixed the apparmor config. If you go
that way remember to do
/etc/init.d/apparmor restart
to have the new apparmor rules take effect.
Regards,
Lee
</pre>
</blockquote>
<p>I deal with selinux rather than apparmor, but the principles and
pitfalls are the same.<br>
</p>
<p>In the long run it's likely to be better to find a suitable
named-writable directory for your zone files. Or if your
distribution doesn't provide one, file a bug report.</p>
<p>With local policy patches, sooner or later an
upgrade/update/configuration (or staff) change will cause an
issue. By Murphy's law, at the most inconvenient time.<br>
</p>
<p>Treating zone file directories as read-only on "master"
("primary") servers was reasonable when most zone files were
manually edited. With UPDATE, and now more important, DNSSEC
signing, this isn't (and shouldn't be) nearly as common. The
advice to put these files in /etc is out-of-date.<br>
</p>
<p>Any distribution that doesn't provide a security policy and
directory layout for these configurations is behind the times. So
after checking their documentation, file a bug report with them.</p>
<p>However, I'd be surprised if apparmor doesn't provide a suitable
directory, since slaves' / secondaries' zone files are always
writable...so it may simply be a documentation/default
configuration issue.<br>
</p>
<p>Note that /etc/bind usually also contains the configuration
files (named.conf, named.conf.d, etc.). And those SHOULD be
read-only for named. So making all of /etc/bind read-write
defeats some of the apparmor/selinux protection.</p>
<p>A typical writable location for zone files is /var/named. (Under
selinux, zone files are labeled, and whether they can be written
is a configuration switch. There should be an apparmor
equivalent... )<br>
</p>
<p>ISC gave some webinars on "BIND 9 Security" a couple of years
ago. <a
href="https://www.isc.org/blogs/bind-security-webinar-series-2021/"
class="moz-txt-link-freetext">https://www.isc.org/blogs/bind-security-webinar-series-2021/</a>
. There's a recording of the one on apparmor that may be
helpful. (I haven't watched it, but the ISC webinars are usually
well done.)<br>
</p>
<br>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
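<p>An added example, not from this thread or from ISC, that turns the journalctl grep above into a small triage script: it parses AppArmor AVC records like the ones Lee quoted, groups the DENIED entries for the named profile by target directory, and flags those under /etc/bind, which the reply argues should stay read-only for named. The sample journal lines are constructed from the quoted denials; CONFIG_DIRS and the function names are assumptions.</p>

```python
import re
from collections import defaultdict

# audit key=value fields: values are usually quoted, but pid= and fsuid= are bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directories the distribution profile keeps read-only for named (assumption).
CONFIG_DIRS = ("/etc/bind",)

# Constructed sample records modelled on the denials quoted in the thread;
# real journalctl output keeps each record on a single line.
SAMPLE_LINES = [
    'Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" '
    'profile="named" name="/etc/bind/db.10.10.2.jbk" pid=922 comm="isc-net-0002" '
    'requested_mask="c" denied_mask="c" fsuid=116 ouid=116',
    'Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" '
    'profile="named" name="/etc/bind/db.home.net.jbk" pid=922 comm="isc-net-0003" '
    'requested_mask="c" denied_mask="c" fsuid=116 ouid=116',
    'Dec 14 08:00:13 spot sshd[1000]: Accepted publickey for lee from 10.0.0.5',
]

def parse_avc(line):
    """Return the fields of an AppArmor AVC record as a dict, or None for other lines."""
    _, marker, fields = line.partition(" AVC ")
    if not marker or "apparmor=" not in fields:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(fields)}

def review(lines, profile="named"):
    """Group DENIED records for one profile by target directory and attach advice."""
    by_dir = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        path = rec.get("name", "")
        by_dir[path.rsplit("/", 1)[0] or "/"].append((rec.get("operation"), path))
    findings = []
    for directory, entries in sorted(by_dir.items()):
        # A denied write under a config directory means the data is in the wrong place.
        in_config = any(directory == c or directory.startswith(c + "/") for c in CONFIG_DIRS)
        findings.append({
            "directory": directory,
            "paths": sorted(p for _, p in entries),
            "operations": sorted({op for op, _ in entries}),
            "advice": ("relocate the writable files out of the config directory"
                       if in_config else "check the profile's data-directory rule"),
        })
    return findings
```

Feed it `journalctl -l | grep apparmor` output line by line; a finding under /etc/bind points at moving the zone files to a named-writable directory rather than loosening the profile.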
</body>
</html>