On 2022-05-03 07:44, Michael Tokarev wrote:
Package: unbound Version: 1.15.0-8 Severity: normalWhen enabling apparmor, unbound fails to start. From the dmesg: audit: type=1400 audit(1651577812.219:369): apparmor="DENIED" \ operation="mknod" profile="/usr/sbin/unbound" \ name="/etc/unbound/var/lib/unbound/root.key.68281-0-55cf18ed18a0" \ pid=68281 comm="unbound" requested_mask="c" denied_mask="c" \ fsuid=930 ouid=930 from the unbound log: unbound: [68281:0] fatal error: could not open autotrust file for writing, \ /var/lib/unbound/root.key.68281-0-55cf18ed18a0: Permission denied
I'm assuming the way to reproduce this is with `chroot: "/etc/unbound"`. Having a daemon write to /etc/ feels wrong, IMHO. The profile was designed with the following in mind IIRC:
# cat /etc/unbound/unbound.conf.d/chroot.conf server: chroot: "/var/lib/unbound" I just tested the above and it seems to work. HTH, Simon
