apparmor errors with bind9

Asked by ChM on 2011-04-24

I did an upgrade from 8.04 LTS server to 10.04 LTS server and had quite a few tricky problems. I was lucky I could recover control of the server. Note that the 8.04 LTS server was already an upgrade from a previous Ubuntu server version.

One of the problems left is errors with bind9 reported by apparmor. This may be due to the fact that I upgraded and file/directory permissions and ownerships were not up to date.

One problem is with /var/log/bind/named.log. I have plenty of the following errors.

Apr 24 11:14:56 cerber kernel: [ 9109.985377] type=1502 audit(1303636496.033:1615): operation="file_perm" pid=2819 parent=1 profile="/usr/sbin/named" requested_mask="w::" denied_mask="w::" fsuid=105 ouid=105 name="/var/log/bind/named.log"

What is causing this error?

I also had an error with /var/run/bind. I don't remember precisely which error. I then created the directory with group ownership given to bind and user ownership left to root. There is a named directory with the same permissions and ownership. In fact I copied it from it. But then I get the following apparmor error message.

Apr 24 11:14:57 cerber kernel: [ 9111.281831] type=1502 audit(1303636497.329:1617): operation="mkdir" pid=2956 parent=2954 profile="/usr/sbin/named" requested_mask="c::" denied_mask="c::" fsuid=105 ouid=105 name="/var/run/bind/run/"

What is the c standing for and why is this mkdir called? The file named.pid is created in this directory, but I get an audit report.

So something is wrong in my configuration and I was wondering what. I'm not supposed to create this /var/run/bind directory and change apparmor.

Question information

Language: English
Status: Solved
For: Ubuntu bind9
Assignee: No assignee
Solved by: ChM
Solved: 2011-05-09
Last query: 2011-05-09
Last reply:
ChM (christophe-meessen) said: #1

The problem was that the log directory name containing bind logs is bind (/var/log/bind) instead of named (/var/log/named) as expected in the apparmor configuration for bind. I probably did the directory name change some years ago.
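To see at a glance what a `type=1502` denial like the ones quoted above is complaining about, the following added example (not part of the original question or answer) parses AppArmor denial lines from a kernel log, decodes the single-letter permission flags (so `c` reads as "create" and `w` as "write"), and builds the file rule that would permit each access for review. The sample log is constructed from the two lines in the question plus one unrelated kernel line; the flag meanings follow AppArmor's documented mask letters.

```python
import re

# Meaning of the single-letter permission flags in requested_mask/denied_mask.
MASK_MEANING = {"r": "read", "w": "write", "a": "append", "x": "execute",
                "l": "link", "k": "lock", "m": "mmap", "c": "create", "d": "delete"}
# In a file rule, create/delete/append are expressed as write permission on the
# path (for mkdir, on the new directory path itself).
RULE_PERM = {"c": "w", "d": "w", "a": "w"}

# Constructed sample log: the two denials quoted in the question plus an
# unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
Apr 24 11:14:56 cerber kernel: [ 9109.985377] type=1502 audit(1303636496.033:1615): operation="file_perm" pid=2819 parent=1 profile="/usr/sbin/named" requested_mask="w::" denied_mask="w::" fsuid=105 ouid=105 name="/var/log/bind/named.log"
Apr 24 11:14:57 cerber kernel: [ 9111.281831] type=1502 audit(1303636497.329:1617): operation="mkdir" pid=2956 parent=2954 profile="/usr/sbin/named" requested_mask="c::" denied_mask="c::" fsuid=105 ouid=105 name="/var/run/bind/run/"
Apr 24 11:15:02 cerber kernel: [ 9116.000000] eth0: link up (constructed noise line)
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(log_text):
    """Return one dict per AppArmor denial (audit type 1502) found in log_text."""
    denials = []
    for line in log_text.splitlines():
        if "type=1502" not in line or "denied_mask=" not in line:
            continue
        fields = dict(KV_RE.findall(line))
        # Old-style masks carry two extra colon-separated fields ("w::");
        # only the first holds the file permission flags.
        flags = fields["denied_mask"].split(":")[0]
        denials.append({
            "operation": fields.get("operation", "?"),
            "profile": fields.get("profile", "?"),
            "path": fields.get("name", "?"),
            "flags": flags,
            "denied": [MASK_MEANING.get(f, f) for f in flags],
        })
    return denials

def suggest_rule(denial):
    """Build the file rule that would allow the denied access; meant to be
    reviewed before it goes into a local profile override."""
    perms = "".join(sorted({RULE_PERM.get(f, f) for f in denial["flags"]}))
    return f'{denial["path"]} {perms},'

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f'{d["profile"]} denied {"+".join(d["denied"])} on {d["path"]}')
        print("  candidate rule:", suggest_rule(d))
```

Run against the quoted lines it reports a denied write on /var/log/bind/named.log and a denied create of /var/run/bind/run/, which points straight at the path mismatch the answer describes: either rename the directory back to what the profile expects or add the reviewed rule to a local override.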