for what it's worth, here is my /etc/apparmor.d/local/usr.sbin.named:
/var/bind9/chroot/etc/bind/** r,
/var/bind9/chroot/var/lib/bind/** rw,
/var/bind9/chroot/var/lib/bind/ rw,
/var/bind9/chroot/var/cache/bind/** rw,
/var/bind9/chroot/var/cache/bind/ rw,
/var/bind9/chroot/var/run
poor decision. I have had to totally disable apparmor until I figure out
the profiles.
--
default apparmor setting prevents bind from running under chroot
https://bugs.launchpad.net/bugs/236510
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubun
The apparmor profile contains bind9 in a similar way that the
traditional chrooting does. There is no reason to chroot bind9 on Ubuntu
if you are using the AppArmor profile. The reason why the profile was
developed was so that all bind9 users would benefit from the enhanced
security of running bind
The quote from Falko Timme that was referenced earlier is this:
Falko Timme> "In my opinion you don't need it [AppArmor] to configure a
secure system, and it usually causes more problems than advantages
(think of it after you have done a week of trouble-shooting because some
service wasn't working
People who are chrooting bind should definitely have a bit of
administration knowledge. People who just blindly follow some tutorial
without knowing what's really going on might run into problems with
apparmor. But it's questionable whether those people really should
fiddle about with bind then.
Appa
Juergen Kreileder wrote:
> Ah, come on, it's not that hard to configure apparmor for a chrooted
> bind.
That may be, but it is enough to make many people disable apparmor
completely rather than bothering to figure out how to make it work.
If you prefer the idea of not running apparmor at all, as
Ah, come on, it's not that hard to configure apparmor for a chrooted
bind. Take a look at syslog to see what apparmor prevented (probably
sys_chroot and a few accesses to files). Running 'aa-logprof' should
help you get the configuration correct (after that you might want to
remove the lines
And the symlink seems to be the complaint more than the chroot, I am not
sure.
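As an added example (not code from this bug thread, and not a substitute for aa-logprof), here is a small Python parser for the first step the comment above describes: it reads AppArmor DENIED events for the /usr/sbin/named profile from audit-style log lines and turns them into candidate profile rules, covering both the sys_chroot capability denial and file accesses under the chroot. The log lines are constructed for the example, and the mask letters are normalised so that create/delete denials map to the profile's w permission.

```python
import re
from typing import Dict, List, Set

# Constructed sample audit lines (not taken from the bug report): one capability
# denial and two file-access denials for a chrooted named, plus one ALLOWED
# event that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1211900000.001:10): apparmor="DENIED" operation="capable" profile="/usr/sbin/named" pid=4242 comm="named" capability=18 capname="sys_chroot"
type=AVC msg=audit(1211900000.002:11): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/bind9/chroot/etc/bind/named.conf" pid=4242 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
type=AVC msg=audit(1211900000.003:12): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/bind9/chroot/var/cache/bind/named.run" pid=4242 comm="named" requested_mask="wc" denied_mask="wc" fsuid=105 ouid=105
type=AVC msg=audit(1211900000.004:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=4242 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Log mask letters that have no direct profile equivalent: create and delete
# are both covered by write permission in a profile rule.
MASK_MAP = {"c": "w", "d": "w"}
MASK_ORDER = "rwalkm"


def parse_fields(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of fields, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def suggest_rules(log: str, profile: str = "/usr/sbin/named") -> List[str]:
    """Return candidate AppArmor rule lines for DENIED events of one profile.

    Capability denials come first, then one file rule per path with the union
    of all masks that were denied for it. Everything else in the log is ignored.
    """
    caps: Set[str] = set()
    paths: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if f.get("operation") == "capable" and "capname" in f:
            caps.add(f["capname"])
        elif "name" in f and "denied_mask" in f:
            mask = {MASK_MAP.get(ch, ch) for ch in f["denied_mask"]}
            paths.setdefault(f["name"], set()).update(mask)
    rules = [f"capability {c}," for c in sorted(caps)]
    for path in sorted(paths):
        rules.append(f"{path} {''.join(ch for ch in MASK_ORDER if ch in paths[path])},")
    return rules
```

Review each suggested rule before adding it to the local profile; a denial is evidence of what the daemon tried to do, not proof that it should be allowed.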
--
Eh, that last bit should be
To make it fail:
/etc/init.d/apparmor start
/etc/init.d/bind9 restart