Your message dated Fri, 22 Dec 2017 17:50:36 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-dns-devel] Bug#884995: Bug#884995: bind9 doesn't
start after upgrade. Complains /var/log/bind.log permission denied
has caused the Debian Bug report #884995,
regarding bind9 doesn't start after upgrade. Complains /var/log/bind.log
permission denied
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
884995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884995
Debian Bug Tracking System
--- Begin Message ---
Package: bind9
Version: 1:9.11.2+dfsg-5
Severity: critical
Justification: breaks unrelated software
Dear Maintainer,
When starting bind9, I get error messages and bind doesn't start.
Other packages are unusable because they need it (e.g. exim4, as it's my MTA).
Extract from /var/log/syslog:
=========== begin =================
Dec 22 16:28:39 colibri named[26358]: none:105: 'max-cache-size 90%' - setting to 1760MB (out of 1955MB)
Dec 22 16:28:39 colibri named[26358]: configuring command channel from '/etc/bind/rndc.key'
Dec 22 16:28:39 colibri named[26358]: command channel listening on 127.0.0.1#953
Dec 22 16:28:39 colibri named[26358]: configuring command channel from '/etc/bind/rndc.key'
Dec 22 16:28:39 colibri named[26358]: command channel listening on ::1#953
Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' failed: permission denied
Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' failed: permission denied
Dec 22 16:28:39 colibri named[26358]: configuring logging: permission denied
Dec 22 16:28:39 colibri named[26358]: loading configuration: permission denied
Dec 22 16:28:39 colibri named[26358]: exiting (due to fatal error)
Dec 22 16:28:39 colibri kernel: [288377.634631] audit: type=1400 audit(1513956519.915:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/log/bind.log" pid=26358 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
Dec 22 16:28:39 colibri systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Dec 22 16:28:39 colibri systemd[1]: bind9.service: Failed with result 'exit-code'.
=========== end =================
Some other information:
ls -l /var/log/bind.log:
-rw-rw-r-- 1 root bind 10485840 Jul 28 2016 /var/log/bind.log
grep bind /etc/passwd
bind:x:110:116::/var/cache/bind:/bin/false
grep bind /etc/group
bind:x:116:
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.13.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bind9 depends on:
ii adduser 3.116
ii bind9utils 1:9.11.2+dfsg-5
ii debconf [debconf-2.0] 1.5.65
ii libbind9-160 1:9.11.2+dfsg-5
ii libc6 2.25-3
ii libcap2 1:2.25-1.2
ii libcomerr2 1.43.7-1
ii libdns169 1:9.11.2+dfsg-5
ii libgeoip1 1.6.11-3
ii libgssapi-krb5-2 1.15.2-2
ii libirs160 1:9.11.2+dfsg-5
ii libisc166 1:9.11.2+dfsg-5
ii libisccc160 1:9.11.2+dfsg-5
ii libisccfg160 1:9.11.2+dfsg-5
ii libjson-c3 0.12.1-1.2
ii libk5crypto3 1.15.2-2
ii libkrb5-3 1.15.2-2
ii liblwres160 1:9.11.2+dfsg-5
ii libssl1.1 1.1.0g-2
ii libxml2 2.9.4+dfsg1-5.2
ii lsb-base 9.20170808
ii net-tools 1.60+git20161116.90da8a0-1
ii netbase 5.4
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.11.2+dfsg-5
pn resolvconf <none>
pn ufw <none>
-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "dagami.org"{
    type master;
    file "zone/dagami.org";
    notify yes;
    also-notify{
        173.244.206.26; # a.transfer.buddyns.com
        217.70.177.40; # ns6.gandi.net
        88.198.106.11; # c.ns.buddyns.com
        103.6.87.125; # c.ns.buddyns.com
    };
    allow-transfer {
        173.244.206.26; # a.transfer.buddyns.com
        88.198.106.11; # c.ns.buddyns.com
        108.61.224.67; # buddydns
        103.6.87.125; # buddydns
        185.136.176.247; # buddydns
        217.70.177.40; # ns6.gandi.net
        103.6.87.125; # c.ns.buddyns.com
    };
    allow-update {
        127.0.0.1;
        51.255.40.59;
    };
    journal "/var/cache/bind/zone/dagami.org.jnl";
};
zone "dagami.tk"{
    type master;
    file "zone/dagami.tk";
    notify yes;
    also-notify{
        173.244.206.26; # a.transfer.buddyns.com
        88.198.106.11; # c.ns.buddyns.com
    };
    allow-transfer {
        173.244.206.26; # a.transfer.buddyns.com
        88.198.106.11; # c.ns.buddyns.com
    };
};
zone "1.168.192.IN-ADDR.ARPA"{
    type master;
    file "zone/192.168.1";
    notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.3.1.0.a.0.0.0.b.c.1.0.a.2.ip6.arpa"{
    type master;
    file "zone/reverse_ipv6";
    notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.9.4.0.1.0.1.0.0.c.2.5.4.0.a.2.ip6.arpa"{
    type master;
    file "zone/reverse_ipv6_liteserver";
    notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.2.0.3.0.0.d.1.4.1.0.0.2.ip6.arpa"{
    type master;
    file "zone/reverse_ipv6_colibri";
    notify no;
};
-- debconf information:
bind9/run-resolvconf: false
bind9/start-as-user: bind
bind9/different-configuration-file:
--- End Message ---
--- Begin Message ---
On 22.12.2017 at 17:39, nb wrote:
Hi,
> In fact I had these lines in /etc/bind/named.conf.options for logging
> purposes:
> logging {
>     channel "requetes" {
>         file "/var/log/bind.log" size 10m;
>         print-time yes;
>         print-category yes;
>     };
>     category queries { "requetes"; };
>     category resolver { null; };
> };
>
> After removing them bind can start.
> There’s no need to leave the severity at critical, or even to leave the bug open.
> I’m going to read the docs to see how logging can be done now. I did this a
> long time ago.
Thanks for the report, closing this bug.
I'm afraid issues like this will happen a lot with AppArmor policies
finally being enabled, but that's the downside when you make the system
more secure.
Bernhard
--- End Message ---
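
Added example (not part of the original thread or of the bind9 package): a small triage script for the failure reported above. It parses the kernel's AppArmor DENIED record, shows that the classic Unix permissions from the reporter's ls -l output would have allowed the write, and derives a candidate rule for the profile. The function names and the mask-to-permission table are this example's own; the log line is the one from the report, re-joined onto one line.

```python
import re

# Constructed input: the kernel audit record from the report, re-joined onto one line.
SAMPLE = (
    'Dec 22 16:28:39 colibri kernel: [288377.634631] audit: type=1400 '
    'audit(1513956519.915:16): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/named" name="/var/log/bind.log" pid=26358 '
    'comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110'
)
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letters -> profile permissions; create (c) and delete (d) are covered by "w".
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: q if q else b for k, q, b in PAIR.findall(line)}


def dac_allows_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic owner/group/other write check, ignoring ACLs and capabilities."""
    if uid == owner_uid:
        return bool(mode & 0o200)
    if owner_gid in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def suggest_rule(denial):
    """Build a candidate file rule from the denied path and mask."""
    perms = []
    for letter in denial["denied_mask"]:
        perm = MASK_TO_PERM.get(letter)
        if perm is None:
            raise ValueError(f"mask {letter!r} needs a manual decision (e.g. exec mode)")
        if perm not in perms:
            perms.append(perm)
    return f'{denial["name"]} {"".join(perms)},'


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    # Values from the report: -rw-rw-r-- root:bind, named runs as uid 110 / gid 116.
    print("DAC allows write:", dac_allows_write(0o664, 0, 116, 110, {116}))
    print("profile:", d["profile"], "->", suggest_rule(d))
```

On Debian the suggested rule would go into the profile's local override file, /etc/apparmor.d/local/usr.sbin.named, followed by a profile reload with apparmor_parser -r /etc/apparmor.d/usr.sbin.named. The narrower alternative is to point the logging channel at a path the shipped profile already permits instead of widening the profile.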