On 2022-05-03 07:44, Michael Tokarev wrote:
> Package: unbound
> Version: 1.15.0-8
> Severity: normal
> When enabling apparmor, unbound fails to start. From the dmesg:
> audit: type=1400 audit(1651577812.219:369): apparmor="DENIED" \
> operation="mknod" profile="/usr/sbin/unbound" \
> name="/etc/unbound/var/lib/unbound/root.key.68281-0-55cf18ed18a0" \
> pid=68281 comm="unbound" requested_mask="c" denied_mask="c" \
> fsuid=930 ouid=930
> from the unbound log:
> unbound: [68281:0] fatal error: could not open autotrust file for writing, \
> /var/lib/unbound/root.key.68281-0-55cf18ed18a0: Permission denied
I'm assuming the way to reproduce this is with `chroot: "/etc/unbound"`.
Having a daemon write to /etc/ feels wrong, IMHO. The profile was
designed with the following in mind IIRC:
# cat /etc/unbound/unbound.conf.d/chroot.conf
server:
chroot: "/var/lib/unbound"
I just tested the above and it seems to work.
HTH,
Simon
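The denied path in the audit line above is the chroot directory with the configured auto-trust-anchor path appended: unbound resolves file names inside the chroot, stripping the chroot prefix from a path that already starts with it. The following shell helper is an added example (not part of the bug report or of the unbound package) that computes the host-side path unbound will open for a given `chroot:` value and flags the case where the writable anchor file would land under /etc. The function names and the `/etc/*` check are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed behaviour, matching
# unbound.conf(5): when `chroot:` is set, a configured file path that begins
# with the chroot directory has that prefix stripped; any other path is opened
# as given, inside the chroot. The host path is therefore chroot + inside-path.

# effective_path CHROOT CONFIGURED_PATH -> prints the path seen from the host
effective_path() {
    chroot=${1%/}               # drop a trailing slash for a clean join
    path=$2
    case "$path" in
        "$chroot"/*) inside=${path#"$chroot"} ;;   # prefix stripped by unbound
        *)           inside=$path ;;               # opened as-is inside chroot
    esac
    printf '%s%s\n' "$chroot" "$inside"
}

# check_anchor_location CHROOT CONFIGURED_PATH
# Returns 0 when the auto-trust anchor lives somewhere sensible, 1 when it
# would be written under /etc (the situation reported above).
check_anchor_location() {
    host=$(effective_path "$1" "$2")
    case "$host" in
        /etc/*) printf 'bad: %s is under /etc\n' "$host"; return 1 ;;
        *)      printf 'ok: %s\n' "$host"; return 0 ;;
    esac
}

# The two configurations discussed in the thread (constructed sample input).
effective_path /etc/unbound     /var/lib/unbound/root.key
effective_path /var/lib/unbound /var/lib/unbound/root.key
```

With `chroot: "/etc/unbound"` the first call prints `/etc/unbound/var/lib/unbound/root.key`, exactly the prefix of the file name in the AppArmor denial; with `chroot: "/var/lib/unbound"` the prefix is stripped and the file stays at `/var/lib/unbound/root.key`, which the profile already allows.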