On 2019-05-15 09:33 -0700, Ross Boylan wrote:
> Sven, thanks for the tip about AppArmor. Yet another presumably
> complicated system I've avoided learning about til now. I guess it's
> time.
>
> As to why bind is trying to open /run/named/named.resolvers: that is a
> customized integration with resolvconf. It is not the default, but it
> is something I want to work. Or I need an alternate way to achieve
> the same functionality, which is that when resolvconf gets info on
> nameservers it passes that on to bind.

I am not really familiar with apparmor or resolvconf, but in
/etc/apparmor.d/usr.sbin.named I found the following:

,----
| # support for resolvconf
| /{,var/}run/named/named.options r,
`----

which suggests that the standard way would be to use
/run/named/named.options rather than /run/named/named.resolvers.

Alternatively, you may put the following line into
/etc/apparmor.d/local/usr.sbin.named:

    /{,var/}run/named/named.resolvers r,

Cheers,
Sven
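
Added example, not part of the original message: a small Python check of why the shipped rule does not cover named.resolvers and what the local override changes. It assumes the main profile pulls in the local file (modelled here by concatenating the two texts), handles only literal paths and {a,b} alternation, and ignores deny rules; the function and variable names are hypothetical.

```python
import re

# One AppArmor file rule of the simple form "<path> <perms>,"
RULE = re.compile(r"^(/\S*)\s+([a-z]+),$")


def expand(pattern):
    """Expand AppArmor {a,b} alternation into the literal paths it covers."""
    m = re.search(r"\{([^{}]*)\}", pattern)  # innermost brace group first
    if not m:
        return [pattern]
    paths = []
    for alt in m.group(1).split(","):
        paths += expand(pattern[:m.start()] + alt + pattern[m.end():])
    return paths


def allows(profile_text, path, perm):
    """True if some file rule in profile_text grants perm on path."""
    for line in profile_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything not a simple file rule
        rule_path, perms = m.groups()
        if perm in perms and path in expand(rule_path):
            return True
    return False


# Rule quoted in the message from /etc/apparmor.d/usr.sbin.named
SHIPPED = """\
# support for resolvconf
/{,var/}run/named/named.options r,
"""
# Line suggested in the message for /etc/apparmor.d/local/usr.sbin.named
LOCAL = "/{,var/}run/named/named.resolvers r,\n"

if __name__ == "__main__":
    target = "/run/named/named.resolvers"
    print("shipped rule expands to:", expand("/{,var/}run/named/named.options"))
    print("read allowed, shipped only:  ", allows(SHIPPED, target, "r"))
    print("read allowed, shipped + local:", allows(SHIPPED + LOCAL, target, "r"))
```

After editing the local file, the profile has to be reloaded before named sees the new rule, for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`.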