On 15-Mar-25 18:16, Lee wrote:
> On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users <bind-users@lists.isc.org> wrote:
>
>> Apparmor was also mentioned, I have no experience with that, and have not changed it in any way (to my knowledge)...
>
> On my machine,
>
> $ journalctl -l | grep apparmor | grep bind | more
>
> shows many lines like
>
> Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk" pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
> Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk" pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
>
> /etc/apparmor.d/usr.sbin.named on my machine has
>
> # /etc/bind should be read-only for bind
>
> and I'm clearly violating that assumption :(
>
> Rather than fix my bind config I fixed the apparmor config. If you go that way remember to do
>
> /etc/init.d/apparmor restart
>
> to have the new apparmor rules take effect.
>
> Regards,
> Lee
I deal with selinux rather than apparmor, but the principles and pitfalls are the same.
In the long run it's likely to be better to find a suitable named-writable directory for your zone files. Or if your distribution doesn't provide one, file a bug report.
With local policy patches, sooner or later an upgrade/update/configuration (or staff) change will cause an issue. By Murphy's law, at the most inconvenient time.
Treating zone file directories as read-only on "master" ("primary") servers was reasonable when most zone files were manually edited. With UPDATE, and now more importantly DNSSEC signing, this isn't (and shouldn't be) nearly as common. The advice to put these files in /etc is out-of-date.
Any distribution that doesn't provide a security policy and directory layout for these configurations is behind the times. So after checking their documentation, file a bug report with them.
However, I'd be surprised if apparmor doesn't provide a suitable directory, since slaves' / secondaries' zone files are always writable...so it may simply be a documentation/default configuration issue.
Note that /etc/bind usually also contains the configurations files (named.conf, named.conf.d, etc). And those SHOULD be read-only for named. So making all of /etc/bind read-write defeats some of the apparmor/selinux protection.
A typical writable location for zone files is /var/named. (Under selinux, zone files are labeled, and whether they can be written is a configuration switch. There should be an apparmor equivalent... )
ISC gave some webinars on "BIND 9 Security" a couple of years ago. https://www.isc.org/blogs/bind-security-webinar-series-2021/ . There's a recording of the one on apparmor that may be helpful. (I haven't watched it, but the ISC webinars are usually well done.)
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
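The two replies above disagree on the remedy (widen the AppArmor profile vs. move the zone files out of /etc/bind), and the deciding question is which paths named is actually being denied. The script below is an added example, not code from either poster or from ISC: it summarises AppArmor "DENIED" audit lines for the named profile and counts write/create denials under the configuration directory (where the thread says named should stay read-only) separately from denials elsewhere (which more likely indicate a gap in the distribution's profile). The audit lines it parses are constructed, modelled on the ones Lee quoted; the `key="value"` token format, the /etc/bind default and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage AppArmor denials for the
# "named" profile. Feed it `journalctl -l` output or any file of audit lines.

# Constructed sample, modelled on the audit lines quoted in the thread.
# The third and fourth lines are invented to show the two categories.
SAMPLE_AVC='Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.10.10.2.jbk" pid=922 comm="isc-net-0002" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:12 spot audit[922]: AVC apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/db.home.net.jbk" pid=922 comm="isc-net-0003" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Dec 14 08:00:13 spot audit[922]: AVC apparmor="DENIED" operation="open" profile="named" name="/etc/bind/db.home.net.jnl" pid=922 comm="isc-net-0003" requested_mask="wc" denied_mask="wc" fsuid=116 ouid=116
Dec 14 08:00:14 spot audit[922]: AVC apparmor="DENIED" operation="open" profile="named" name="/var/cache/bind/db.example.jnl" pid=922 comm="isc-net-0001" requested_mask="wc" denied_mask="wc" fsuid=116 ouid=116'

# named_denials PROFILE  (reads audit lines on stdin)
# Prints one "operation path denied_mask" triple per DENIED line for PROFILE.
# Assumes the space-separated key="value" token layout shown above.
named_denials() {
    profile="$1"
    awk -v prof="$profile" '
        /apparmor="DENIED"/ && index($0, "profile=\"" prof "\"") {
            op = ""; path = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^operation=/)   { op = $i;   sub(/^operation="/, "", op);     sub(/"$/, "", op) }
                if ($i ~ /^name=/)        { path = $i; sub(/^name="/, "", path);        sub(/"$/, "", path) }
                if ($i ~ /^denied_mask=/) { mask = $i; sub(/^denied_mask="/, "", mask); sub(/"$/, "", mask) }
            }
            if (path != "") print op, path, mask
        }'
}

# config_dir_write_denials [CONFDIR]  (reads audit lines on stdin)
# Number of write ("w") or create ("c") denials under CONFDIR (default /etc/bind).
# Per the thread, these are fixed by relocating the zone/journal files to a
# named-writable directory, not by making the config directory writable.
config_dir_write_denials() {
    confdir="${1:-/etc/bind}"
    named_denials named | awk -v d="$confdir/" '
        index($2, d) == 1 && $3 ~ /[wc]/ { n++ } END { print n + 0 }'
}

# other_write_denials [CONFDIR]  (reads audit lines on stdin)
# Write/create denials outside CONFDIR: a writable zone directory the shipped
# profile does not allow, which is worth a bug report to the distribution.
other_write_denials() {
    confdir="${1:-/etc/bind}"
    named_denials named | awk -v d="$confdir/" '
        index($2, d) != 1 && $3 ~ /[wc]/ { n++ } END { print n + 0 }'
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_AVC" | named_denials named
printf 'writes denied under /etc/bind: %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | config_dir_write_denials)"
printf 'writes denied elsewhere:       %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | other_write_denials)"
```

On a real host, pipe the journal through it, for example `journalctl -l | named_denials named`, after sourcing the script. A non-zero "under /etc/bind" count means named is trying to write zone working files (.jbk, .jnl, signed zones) into the configuration directory, which is the layout problem described above; a non-zero "elsewhere" count against a directory your named.conf legitimately points at is the case for fixing the profile or reporting it to the distribution.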
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users