Hi Olivier, we on Fedora use SELinux, but have a similar problem.
I think you should move db.bar.com to /var/lib/bind instead. That means, copy the file there. Leave a symlink in /etc/bind to /var/lib/bind if necessary. The primary place after a dynamic update must be in a directory writable by named. It should not be the directory /etc/bind. Keep the journal file in the same directory. They belong together.

SELinux would keep the label on a move from /etc/bind to /var/lib/bind. That's why I suggest copying it there and then removing the original file in /etc/bind. Might be unnecessary under AppArmor, not sure.

Make sure the zone file is writable by the bind user.

# chgrp bind /var/lib/bind/* && chmod g+w /var/lib/bind/*

I would propose to omit using the /var/cache directory for type primary; I think there should be secondary copies only, as a cache directory means it can be cleaned without data loss. You should back up /var/lib/bind; the primary data are there. They have no source from which they can be fetched after deletion. Secondary zones have that.

I am not sure how AppArmor handles permissions. On SELinux, you would have to restore the contexts shown with ls -Z, by the command restorecon -R /var/lib/bind. Check whether anything similar is required on AppArmor.

Regards,
Petr

On 9/22/20 4:42 PM, Olivier wrote:
> Hello,
>
> I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5)
> instance installed on a Debian Buster box.
> Both come from Debian stable repo.
>
> I would like my DHCP server to update Bind9 database when leases are
> allocated to DHCP clients.
>
> I followed instructions from [1].
> I then met the following error:
> Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
> Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied
>
> I edited /etc/apparmor.d/usr.sbin.named and it now includes the following content:
> ...
> # /etc/bind should be read-only for bind
> # /var/lib/bind is for dynamically updated zone (and journal) files.
> # /var/cache/bind is for slave/stub data, since we're not the origin of it.
> # See /usr/share/doc/bind9/README.Debian.gz
> # Next line added to work around apparmor issue
> /etc/bind/*.jnl rw,
> # End of addition
> /etc/bind/** r,
> /var/lib/bind/** rw,
> /var/lib/bind/ rw,
> /var/cache/bind/** lrw,
> /var/cache/bind/ rw,
> ...
>
> Now, /var/log/syslog includes:
> Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved
> Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' A 192.168.42.104
> Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' TXT "0097d51fa2194acbea0809316da0885aa0"
> Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied
>
> ls -l /etc
> drwxr-sr-x 2 root bind 4096 sept. 21 16:01 bind
>
> ls -l /var/cache
> drwxrwxr-x 2 root bind 4096 sept. 22 16:25 bind
>
> ls -l /var/cache/bind
> lrwxrwxrwx 1 root root 23 sept. 21 14:29 db.192.168.42 -> /etc/bind/db.192.168.42
> lrwxrwxrwx 1 root root 29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com
> -rw-r--r-- 1 root root 0 sept. 21 16:36 db.bar.com.jnl
> ...
>
> How can I solve this?
>
> [1] https://wiki.debian.org/DDNS
>
> Best regards
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
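The relocation Petr recommends, written out as an added example that is not from the thread, from BIND or from Debian: copy (not move) the zone file into /var/lib/bind so that on SELinux it gets a fresh label, keep the journal next to it, make zone and directory writable by named's group (the directory matters too, since the denied operation above is "mknod" of the .jnl), leave a symlink in /etc/bind, then run restorecon on SELinux or check the AppArmor profile. The paths, the zone name db.bar.com and the group "bind" are assumptions taken from the thread; the zone's "file" directive in named.conf must be changed to the new path as well, which this script does not do.

```shell
#!/bin/sh
# Added example (not from the thread, BIND or Debian): relocates a
# dynamically updated primary zone out of /etc/bind as Petr describes.
#  1. cp, not mv, the zone file: on SELinux a moved file keeps the /etc/bind
#     label, a copied one inherits the label of the target directory;
#  2. keep the .jnl beside the zone; make file and directory writable by
#     named's group, because named must create ZONE.jnl in that directory;
#  3. leave a symlink in /etc/bind pointing at the new location;
#  4. SELinux: restorecon; AppArmor: check the named profile grants rw.
# Paths, zone name and the group "bind" are assumptions; adjust them and the
# zone's "file" directive in named.conf to match your setup.
set -eu

# migrate_zone SRC_DIR DST_DIR ZONE_FILE GROUP
migrate_zone() {
    src_dir=$1; dst_dir=$2; zone=$3; group=$4
    src="$src_dir/$zone"
    dst="$dst_dir/$zone"

    [ -f "$src" ] || { echo "no such zone file: $src" >&2; return 1; }
    mkdir -p "$dst_dir"

    cp "$src" "$dst"                      # copy: new inode, new label
    if [ -f "$src.jnl" ]; then            # journal belongs with its zone
        cp "$src.jnl" "$dst.jnl"
        rm -f "$src.jnl"
    fi

    chgrp "$group" "$dst_dir" "$dst"      # as in: chgrp bind /var/lib/bind/*
    chmod g+w "$dst"                      # and:   chmod g+w /var/lib/bind/*
    if [ -f "$dst.jnl" ]; then chmod g+w "$dst.jnl"; fi
    chmod g+ws "$dst_dir"                 # writable so named can create the
                                          # journal; setgid keeps the group

    rm -f "$src"                          # only now drop the original...
    ln -s "$dst" "$src"                   # ...and leave a symlink behind
}

# fix_labels DST_DIR
# SELinux: re-label from policy (restorecon -R, as Petr says).
# AppArmor: the named profile must grant "DST_DIR/** rw," and "DST_DIR/ rw,";
# the Debian profile quoted in the thread already has both for /var/lib/bind.
fix_labels() {
    dst_dir=$1
    if [ -d /sys/fs/selinux ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dst_dir"
    elif [ -d /sys/kernel/security/apparmor ]; then
        profile=/etc/apparmor.d/usr.sbin.named      # Debian's path
        if [ -r "$profile" ] && grep -qF "$dst_dir/** rw," "$profile"; then
            echo "AppArmor profile already allows rw under $dst_dir"
        else
            echo "warning: add '$dst_dir/** rw,' and '$dst_dir/ rw,' to $profile" >&2
        fi
    fi
}

# check_zone_layout SRC_DIR DST_DIR ZONE_FILE
# Returns 0 when the zone is in DST_DIR, zone and directory are
# group-writable (6th character of ls -ld is "w"), and SRC_DIR/ZONE_FILE
# is a symlink pointing at the new file.
check_zone_layout() {
    src="$1/$3"; dst="$2/$3"
    [ -f "$dst" ] || { echo "zone is not in $2" >&2; return 1; }
    [ "$(ls -ld "$dst" | cut -c6)" = w ] ||
        { echo "$dst is not group-writable" >&2; return 1; }
    [ "$(ls -ld "$2" | cut -c6)" = w ] ||
        { echo "$2 is not group-writable: named cannot create $3.jnl" >&2; return 1; }
    if [ ! -L "$src" ] || [ "$(readlink "$src")" != "$dst" ]; then
        echo "$src is not a symlink to $dst" >&2; return 1
    fi
    return 0
}

# Usage: sh migrate-zone.sh /etc/bind /var/lib/bind db.bar.com bind
if [ "$#" -eq 4 ]; then
    migrate_zone "$1" "$2" "$3" "$4"
    fix_labels "$2"
    if check_zone_layout "$1" "$2" "$3"; then
        echo "OK: $3 now lives in $2; point named.conf at $2/$3 and reload"
    else
        exit 1
    fi
fi
```

Run it as root with the four arguments; restorecon and chgrp need that. After it finishes, change the zone's "file" to /var/lib/bind/db.bar.com in named.conf and reload named, and back up /var/lib/bind from then on, since the primary data and its journal have no other source.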