3coma3
2021-06-04 02:45:42 UTC
Dear list:
I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to
upgrade
bind from 9.11.3+dfsg-1ubuntu1.15 (current version for
bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1
(I was needing to use the validate-except clause and this new version
supports it)
After the upgrade, attempting to start the named service failed with
this error:
Jun 3 22:03:53 top named[19946]: could not configure root hints from
'/usr/share/dns/root.hints': permission denied
Right below that apparmor logs this:
Jun 3 22:03:53 top kernel: [17981.067014] audit: type=1400
audit(1622768633.158:559): apparmor="DENIED" operation="open"
profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
What's puzzling is that the apparmor profile apparently allows the read
@ line 36:
find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
/etc/apparmor.d/usr.sbin.named:36: /usr/share/dns/root.* r,
dpkg -S /etc/apparmor.d/usr.sbin.named
bind9: /etc/apparmor.d/usr.sbin.named
apt-cache policy bind9
bind9:
Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
Version table:
*** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64
Packages
100 /var/lib/dpkg/status
1:9.11.3+dfsg-1ubuntu1.15 500
500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main
amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
Packages
1:9.11.3+dfsg-1ubuntu1 500
500 http://mirrors.us.kernel.org/ubuntu bionic/main amd64 Packages
Although the error appears to not be related to file perms, here's for
completeness:
ls -la /usr/share/dns
total 28
drwxr-xr-x 2 root root 55 dic 13 2019 .
drwxr-xr-x 457 root root 12288 jun 3 21:44 ..
-rw-r--r-- 1 root root 166 feb 1 2018 root.ds
-rw-r--r-- 1 root root 3315 feb 1 2018 root.hints
-rw-r--r-- 1 root root 864 feb 1 2018 root.key
It helped me to find a previous report at
https://lists.isc.org/pipermail/bind-users/2020-July/103454.html
And then I ended up solving the problem as Brett did there, by copying
/usr/share/dns to /etc/bind/dns and changing the zone definition.
Still I am reporting this in case it's affecting someone else, and
because maybe you guys have an idea as to what's going on with apparmor
here? I'm not very knowledgeable in it and would appreciate any info /
help to solve the root cause (and maybe learn something).
Thanks in advance
full log:
Jun 3 22:03:53 top systemd[1]: Started BIND Domain Name Server.
Jun 3 22:03:53 top named[19946]: starting BIND 9.16.16-Ubuntu (Stable
Release) <id:0c314d8>
Jun 3 22:03:53 top named[19946]: running on Linux x86_64
5.6.7-050607-generic #202004230933 SMP Thu Apr 23 09:35:28 UTC 2020
Jun 3 22:03:53 top named[19946]: built with '--build=x86_64-linux-gnu'
'--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--disable-silent-rules' '
--libdir=/usr/lib/x86_64-linux-gnu'
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir
=/' '--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-gost=no'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2'
'--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxmin
ddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-suAN9q/bind9-9.16.16=. -fstack-protector-s
trong -Wformat -Werror=format-security -fno-strict-aliasing
-fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE'
'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Jun 3 22:03:53 top named[19946]: running as: named -f -u bind
Jun 3 22:03:53 top named[19946]: compiled by GCC 7.5.0
Jun 3 22:03:53 top named[19946]: compiled with OpenSSL version: OpenSSL
1.1.1 11 Sep 2018
Jun 3 22:03:53 top named[19946]: linked to OpenSSL version: OpenSSL
1.1.1 11 Sep 2018
Jun 3 22:03:53 top named[19946]: compiled with libxml2 version: 2.9.4
Jun 3 22:03:53 top named[19946]: linked to libxml2 version: 20904
Jun 3 22:03:53 top named[19946]: compiled with json-c version: 0.12.1
Jun 3 22:03:53 top named[19946]: linked to json-c version: 0.12.1
Jun 3 22:03:53 top named[19946]: compiled with zlib version: 1.2.11
Jun 3 22:03:53 top named[19946]: linked to zlib version: 1.2.11
Jun 3 22:03:53 top named[19946]:
----------------------------------------------------
Jun 3 22:03:53 top named[19946]: BIND 9 is maintained by Internet
Systems Consortium,
Jun 3 22:03:53 top named[19946]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Jun 3 22:03:53 top named[19946]: corporation. Support and training for
BIND 9 are
Jun 3 22:03:53 top named[19946]: available at https://www.isc.org/support
Jun 3 22:03:53 top named[19946]:
----------------------------------------------------
Jun 3 22:03:53 top named[19946]: adjusted limit on open files from 4096
to 1048576
Jun 3 22:03:53 top named[19946]: found 12 CPUs, using 12 worker threads
Jun 3 22:03:53 top named[19946]: using 12 UDP listeners per interface
Jun 3 22:03:53 top named[19946]: using up to 21000 sockets
Jun 3 22:03:53 top named[19946]: loading configuration from
'/etc/bind/named.conf'
Jun 3 22:03:53 top named[19946]: reading built-in trust anchors from
file '/etc/bind/bind.keys'
Jun 3 22:03:53 top named[19946]: looking for GeoIP2 databases in
'/usr/share/GeoIP'
Jun 3 22:03:53 top named[19946]: using default UDP/IPv4 port range:
[32768, 60999]
Jun 3 22:03:53 top named[19946]: using default UDP/IPv6 port range:
[32768, 60999]
Jun 3 22:03:53 top named[19946]: listening on IPv4 interface lo,
127.0.0.1#53
Jun 3 22:03:53 top named[19946]: generating session key for dynamic DNS
Jun 3 22:03:53 top named[19946]: sizing zone task pool based on 25 zones
Jun 3 22:03:53 top named[19946]: could not configure root hints from
'/usr/share/dns/root.hints': permission denied
Jun 3 22:03:53 top named[19946]: loading configuration: permission denied
Jun 3 22:03:53 top named[19946]: exiting (due to fatal error)
Jun 3 22:03:53 top kernel: [17981.067013] kauditd_printk_skb: 24
callbacks suppressed
Jun 3 22:03:53 top kernel: [17981.067014] audit: type=1400
audit(1622768633.158:559): apparmor="DENIED" operation="open"
profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Jun 3 22:03:53 top systemd[1]: named.service: Main process exited,
code=exited, status=1/FAILURE
Jun 3 22:03:53 top systemd[1]: named.service: Failed with result
'exit-code'.
Jun 3 22:03:53 top systemd[1]: named.service: Service hold-off time
over, scheduling restart.
Jun 3 22:03:53 top systemd[1]: named.service: Scheduled restart job,
restart counter is at 1.
Jun 3 22:03:53 top systemd[1]: Stopped BIND Domain Name Server.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mail
I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to
upgrade
bind from 9.11.3+dfsg-1ubuntu1.15 (current version for
bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1
(I was needing to use the validate-except clause and this new version
supports it)
After the upgrade, attempting to start the named service failed with
this error:
Jun 3 22:03:53 top named[19946]: could not configure root hints from
'/usr/share/dns/root.hints': permission denied
Right below that apparmor logs this:
Jun 3 22:03:53 top kernel: [17981.067014] audit: type=1400
audit(1622768633.158:559): apparmor="DENIED" operation="open"
profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
What's puzzling is that the apparmor profile apparently allows the read
@ line 36:
find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
/etc/apparmor.d/usr.sbin.named:36: /usr/share/dns/root.* r,
dpkg -S /etc/apparmor.d/usr.sbin.named
bind9: /etc/apparmor.d/usr.sbin.named
apt-cache policy bind9
bind9:
Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
Version table:
*** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64
Packages
100 /var/lib/dpkg/status
1:9.11.3+dfsg-1ubuntu1.15 500
500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main
amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
Packages
1:9.11.3+dfsg-1ubuntu1 500
500 http://mirrors.us.kernel.org/ubuntu bionic/main amd64 Packages
Although the error appears to not be related to file perms, here's for
completeness:
ls -la /usr/share/dns
total 28
drwxr-xr-x 2 root root 55 dic 13 2019 .
drwxr-xr-x 457 root root 12288 jun 3 21:44 ..
-rw-r--r-- 1 root root 166 feb 1 2018 root.ds
-rw-r--r-- 1 root root 3315 feb 1 2018 root.hints
-rw-r--r-- 1 root root 864 feb 1 2018 root.key
It helped me to find a previous report at
https://lists.isc.org/pipermail/bind-users/2020-July/103454.html
And then I ended up solving the problem as Brett did there, by copying
/usr/share/dns to /etc/bind/dns and changing the zone definition.
Still I am reporting this in case it's affecting someone else, and
because maybe you guys have an idea as to what's going on with apparmor
here? I'm not very knowledgeable in it and would appreciate any info /
help to solve the root cause (and maybe learn something).
Thanks in advance
full log:
Jun 3 22:03:53 top systemd[1]: Started BIND Domain Name Server.
Jun 3 22:03:53 top named[19946]: starting BIND 9.16.16-Ubuntu (Stable
Release) <id:0c314d8>
Jun 3 22:03:53 top named[19946]: running on Linux x86_64
5.6.7-050607-generic #202004230933 SMP Thu Apr 23 09:35:28 UTC 2020
Jun 3 22:03:53 top named[19946]: built with '--build=x86_64-linux-gnu'
'--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--disable-silent-rules' '
--libdir=/usr/lib/x86_64-linux-gnu'
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir
=/' '--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-gost=no'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2'
'--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxmin
ddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-suAN9q/bind9-9.16.16=. -fstack-protector-s
trong -Wformat -Werror=format-security -fno-strict-aliasing
-fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE'
'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Jun 3 22:03:53 top named[19946]: running as: named -f -u bind
Jun 3 22:03:53 top named[19946]: compiled by GCC 7.5.0
Jun 3 22:03:53 top named[19946]: compiled with OpenSSL version: OpenSSL
1.1.1 11 Sep 2018
Jun 3 22:03:53 top named[19946]: linked to OpenSSL version: OpenSSL
1.1.1 11 Sep 2018
Jun 3 22:03:53 top named[19946]: compiled with libxml2 version: 2.9.4
Jun 3 22:03:53 top named[19946]: linked to libxml2 version: 20904
Jun 3 22:03:53 top named[19946]: compiled with json-c version: 0.12.1
Jun 3 22:03:53 top named[19946]: linked to json-c version: 0.12.1
Jun 3 22:03:53 top named[19946]: compiled with zlib version: 1.2.11
Jun 3 22:03:53 top named[19946]: linked to zlib version: 1.2.11
Jun 3 22:03:53 top named[19946]:
----------------------------------------------------
Jun 3 22:03:53 top named[19946]: BIND 9 is maintained by Internet
Systems Consortium,
Jun 3 22:03:53 top named[19946]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Jun 3 22:03:53 top named[19946]: corporation. Support and training for
BIND 9 are
Jun 3 22:03:53 top named[19946]: available at https://www.isc.org/support
Jun 3 22:03:53 top named[19946]:
----------------------------------------------------
Jun 3 22:03:53 top named[19946]: adjusted limit on open files from 4096
to 1048576
Jun 3 22:03:53 top named[19946]: found 12 CPUs, using 12 worker threads
Jun 3 22:03:53 top named[19946]: using 12 UDP listeners per interface
Jun 3 22:03:53 top named[19946]: using up to 21000 sockets
Jun 3 22:03:53 top named[19946]: loading configuration from
'/etc/bind/named.conf'
Jun 3 22:03:53 top named[19946]: reading built-in trust anchors from
file '/etc/bind/bind.keys'
Jun 3 22:03:53 top named[19946]: looking for GeoIP2 databases in
'/usr/share/GeoIP'
Jun 3 22:03:53 top named[19946]: using default UDP/IPv4 port range:
[32768, 60999]
Jun 3 22:03:53 top named[19946]: using default UDP/IPv6 port range:
[32768, 60999]
Jun 3 22:03:53 top named[19946]: listening on IPv4 interface lo,
127.0.0.1#53
Jun 3 22:03:53 top named[19946]: generating session key for dynamic DNS
Jun 3 22:03:53 top named[19946]: sizing zone task pool based on 25 zones
Jun 3 22:03:53 top named[19946]: could not configure root hints from
'/usr/share/dns/root.hints': permission denied
Jun 3 22:03:53 top named[19946]: loading configuration: permission denied
Jun 3 22:03:53 top named[19946]: exiting (due to fatal error)
Jun 3 22:03:53 top kernel: [17981.067013] kauditd_printk_skb: 24
callbacks suppressed
Jun 3 22:03:53 top kernel: [17981.067014] audit: type=1400
audit(1622768633.158:559): apparmor="DENIED" operation="open"
profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Jun 3 22:03:53 top systemd[1]: named.service: Main process exited,
code=exited, status=1/FAILURE
Jun 3 22:03:53 top systemd[1]: named.service: Failed with result
'exit-code'.
Jun 3 22:03:53 top systemd[1]: named.service: Service hold-off time
over, scheduling restart.
Jun 3 22:03:53 top systemd[1]: named.service: Scheduled restart job,
restart counter is at 1.
Jun 3 22:03:53 top systemd[1]: Stopped BIND Domain Name Server.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mail