I would use something under the /var directory, with data modified by the daemons themselves. I think that place is more appropriate for zones signed by the named daemon.

We at Red Hat still use /var/named, where SELinux allows named to change data. I do not think named itself should modify data in /etc. It depends on the file layout used. I think /var/lib/bind is more appropriate for primary zone data, and /var/cache/bind for slaves. I would place only static files not modified by named in /etc/bind. At least our policy allows only a similar approach.

I would not update AppArmor, but move the files managed by named to the appropriate directories instead, and update named.conf with the full paths to them if needed.

Cheers,
Petr

On 10/26/21 12:23, Paul van der Vlis wrote:
> Hi Mark, and others,
>
> On 25-10-2021 at 23:58, Mark Andrews wrote:
>>
>>
>>> On 26 Oct 2021, at 08:02, Paul van der Vlis <p...@vandervlis.nl> wrote:
>>>
>>> Hello,
>>>
>>> I've made some progress..
>>>
>>> On 24-10-2021 at 21:39, Paul van der Vlis wrote:
>>> (...)
>>>> I've tried to specify the "key-directory" in the bind configuration, but when I do that I get an error during "rndc reload", so I cannot specify a key-directory. This is Bind 9.16.15 from Debian 11.
>>>> What am I doing wrong?
>>>
>>> What I did wrong here was putting this key-directory option into the bind configuration (/etc/bind/named.conf). The correct place is in the zone, so I put it in the "rndc modzone" command. This works ;-)
>>
>> Well, it can go in named.conf. It needs to be in the options and/or view and/or zone sections. This is documented.
>
> OK.. Maybe it would work if I put it in the options file.
>
>>> But now I have the next problem:
>>> ------
>>> Oct 25 22:27:53 ns1 kernel: [540901.362643] audit: type=1400 audit(1635193673.521:12): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zones/hallo24.nl.signed.jnl" pid=343 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
>>> Oct 25 22:27:53 ns1 named[343]: /etc/bind/zones/hallo24.nl.signed.jnl: create: permission denied
>>> ------
>>>
>>> Hmm, maybe it's not a good idea that bind would change those static config files. What I would like is that bind would change only temporarily the database in /var/cache/bind/. Would that be possible? Or do you have a better idea?
>>
>> It's not named's job to update SELinux or AppArmor. I suspect we would get complaints if we attempted to do that. Changing security policy is the job of the operator.
>
> I know how to configure AppArmor, my question is not about that.
>
> My question is about what is a good way to implement RFC 2136 in Bind.
>
> I guess it's not a good idea that Bind really changes the zone files in /etc/bind using RFC 2136, because /etc is for static configuration data. But maybe I am wrong.
>
> Is it the way to go to update AppArmor to make Bind write in /etc/bind, or is there a better way?
>
> With regards,
> Paul van der Vlis.
>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
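The layout recommended in this thread (zone files that named writes to, such as dynamically updated or inline-signed primaries, live under /var/lib/bind or /var/cache/bind; only static files stay in /etc/bind) can be audited before an AppArmor or SELinux denial shows up in the audit log. The following shell script is an added example, not code from the thread, from ISC or from Debian: it scans a named.conf-style text for zones that accept dynamic updates or use inline-signing and reports those whose zone file sits under /etc. The sample configuration embedded in it is constructed for this example, and the parser assumes one directive per line, as in the sample.

```shell
#!/bin/sh
# Added example: find zones that named will write to (dynamic updates or
# inline-signing) but whose zone file is configured under /etc.
# Assumes one directive per line; nested blocks such as "primaries { ... };"
# are tracked by counting braces.

flag_dynamic_zones_under_etc() {
    # Reads named.conf text on stdin, prints "<zone> <file>" for each
    # writable zone whose file path starts with /etc/.
    awk '
        $1 == "zone" && !inzone {
            inzone = 1; depth = 0; dyn = 0; file = ""
            name = $2; gsub("\"", "", name)
        }
        inzone {
            n = split($0, tmp, "{"); if (n > 1) depth += n - 1
            n = split($0, tmp, "}"); if (n > 1) depth -= n - 1
            if ($1 == "file") { file = $2; gsub(/[";]/, "", file) }
            # update-policy, allow-update (other than none) and
            # inline-signing all make named create and rewrite files
            if ($1 == "update-policy") dyn = 1
            if ($1 == "allow-update" && $0 !~ /none/) dyn = 1
            if ($1 == "inline-signing" && $2 ~ /^yes/) dyn = 1
            if (depth == 0) {
                if (dyn && index(file, "/etc/") == 1) print name, file
                inzone = 0
            }
        }
    '
}

# Constructed sample configuration: one static primary in /etc/bind (fine),
# one dynamic primary wrongly placed in /etc/bind, one dynamic primary in
# /var/lib/bind and one secondary in /var/cache/bind (both fine).
SAMPLE_CONF='options {
    directory "/var/cache/bind";
    key-directory "/var/lib/bind/keys";
};

zone "static.example" {
    type primary;
    file "/etc/bind/db.static.example";
};

zone "dyn-bad.example" {
    type primary;
    file "/etc/bind/zones/db.dyn-bad.example";
    update-policy local;
};

zone "dyn-good.example" {
    type primary;
    file "/var/lib/bind/db.dyn-good.example";
    update-policy local;
    inline-signing yes;
};

zone "copy.example" {
    type secondary;
    file "/var/cache/bind/db.copy.example";
    primaries { 192.0.2.1; };
};'

run_sample() {
    # Only dyn-bad.example should be reported for the sample above.
    printf '%s\n' "$SAMPLE_CONF" | flag_dynamic_zones_under_etc
}

run_sample
```

To check a live configuration, pipe the file that holds the zone statements into `flag_dynamic_zones_under_etc`; every line it prints is a zone that should either move under /var (with its `file` path and, if used, `key-directory` updated in named.conf) or stop being a dynamic zone.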