Monday, June 25, 2012

BIND9, Ubuntu and Apparmor

While configuring a slave DNS server with bind9 on Ubuntu, I had a few issues. Looking in the log, I spotted:

Jun 25 15:25:19 nyhdns01 kernel: [ 1249.991165] type=1400 audit(1340652319.705:7): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/etc/bind/zones/tmp-aSrmPQ6y4K" pid=1776 comm="named" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

The AppArmor profile for bind prevents writing under /etc/bind, however, my standard is to store all the zones under /etc/bind/zones. Editing  /etc/apparmor.d/usr.sbin.named to add

/etc/bind/zones/**,

solved the issue.