BIND (named) denied hourly by apparmor querying IPv6 interfaces
I'm running 8.10 server and every hour I am getting the following logged to kern.log:
Jun 20 15:21:03 roobarb kernel: [3301249.704162] type=1503 audit(124550766
Bind (named) is running as process 5509. Clearly something else tries to access it each hour. The PID of the process causing the log entry changes each hour. I can never catch the process running to find out what it is.
Here is /etc/apparmor.
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/
/var/cache/bind/ rw,
# dnscvsutil package
/var/
/proc/
/usr/sbin/named mr,
/var/
# support for resolvconf
/var/
}
Can I increase apparmor's logging somehow to tell me the command line of the process that is running? Is there another way to track process activation on Linux? I've checked obvious things like the crontab but cannot work out what is causing the issue.
Thanks in advance,
Ian.
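One way to get at the command line behind a denial record, as an added example that is not part of this question or of the answers on this page: a Python 3 script that parses the key=value fields out of type=1503 kern.log lines and, when run against the live log, reads /proc/<pid>/cmdline for the pid the record names while that process still exists. The pid in an AppArmor denial record is the confined task that triggered the denial, so a lookup only works while it is alive, which is why the script tails the log rather than reading it afterwards. The sample log lines below are constructed (made-up timestamps, pids and serial numbers) in the layout of the message quoted above; the path to kern.log and the poll interval are assumptions.

```python
import os
import re
import time

# Constructed sample kern.log lines in the layout of the type=1503 message quoted
# in the question. Field values (timestamps, pids, serials) are made up.
SAMPLE_LOG = """\
Jun 20 15:21:03 roobarb kernel: [3301249.704162] type=1503 audit(1245507663.704:1234): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=104 name="/proc/net/if_inet6" pid=5509 profile="/usr/sbin/named"
Jun 20 16:21:03 roobarb kernel: [3304849.812300] type=1503 audit(1245511263.812:1301): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=104 name="/proc/net/if_inet6" pid=5602 profile="/usr/sbin/named"
Jun 20 16:21:04 roobarb kernel: [3304850.000000] eth0: link up
"""

# Matches the audit header; everything after "): " is a run of key=value fields.
AUDIT_RE = re.compile(
    r'type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
# key=value where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the fields of a type=1503 denial as a dict, or None for any other line."""
    m = AUDIT_RE.search(line)
    if not m or m.group('type') != '1503':
        return None
    rec = {
        'type': int(m.group('type')),
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
    }
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    return rec


def denials(log_text):
    """All type=1503 records found in a block of log text, in file order."""
    return [r for r in (parse_apparmor_line(l) for l in log_text.splitlines()) if r]


def resolve_cmdline(pid):
    """Command line of a still-running process from /proc, or None if it is gone."""
    try:
        with open('/proc/%d/cmdline' % pid, 'rb') as f:
            return f.read().replace(b'\0', b' ').decode(errors='replace').strip() or None
    except OSError:
        return None


def summarise(rec):
    """Reduce a parsed record to the fields an admin needs to act on a denial."""
    pid = int(rec.get('pid', 0))
    return {
        'pid': pid,
        'profile': rec.get('profile'),
        'operation': rec.get('operation'),
        'name': rec.get('name'),
        'denied_mask': rec.get('denied_mask'),
        'cmdline': resolve_cmdline(pid),  # None once the process has exited
    }


def follow(path='/var/log/kern.log', poll=1.0):
    """Tail the log and report each new denial while its process is still alive.

    The path and poll interval are assumptions; adjust for the system in hand.
    """
    with open(path) as f:
        f.seek(0, os.SEEK_END)
        while True:
            line = f.readline()
            if not line:
                time.sleep(poll)
                continue
            rec = parse_apparmor_line(line)
            if rec:
                print(summarise(rec))


if __name__ == '__main__':
    # Offline demonstration on the constructed sample; use follow() on a live host.
    for rec in denials(SAMPLE_LOG):
        print(summarise(rec))
```

Because the denials here come from the process confined by /usr/sbin/named's own profile, the resolved command line tells you which named child (or re-exec) touched the file named in the record; correlating the record's timestamp with the hourly cadence is then a matter of checking what the resolved process was doing at that moment.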
Question information
- Language: English
- Status: Solved
- For: Ubuntu apparmor
- Assignee: No assignee
- Solved by: Steven Danna