
AppArmor, Bind9 and updates from isc-dhcp-server

No replies
Olivier

Hello,

I am testing dynamic updates between an ISC-DHCP server and a Bind9 instance, both services being hosted on the same machine running Debian Buster.

I followed the instructions in [1] but I run into this error:
Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied

The beginning of /etc/apparmor.d/usr.sbin.named reads:
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,
...

How can I properly allow the creation of the file /etc/bind/db.bar.com.jnl?
Suggestions?
Advice?

[1] https://wiki.debian.org/DDNS

Regards

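As an added example (not part of Olivier's message, of the Debian wiki page, or of the bind9 package): a POSIX shell script that parses the AppArmor DENIED line quoted above, checks the denied path and mask against the three "/dir/** perms," rules visible in the profile excerpt, and, following the profile's own comments (/etc/bind read-only, /var/lib/bind for dynamically updated zones and their journals), says where the zone file belongs and emits the matching named.conf.local stanza. The audit line is a constructed copy of the one in the post; the rule table is a simplified model of AppArmor matching (a directory prefix standing in for "/dir/**"); "ddns-key" in the stanza is a placeholder, since the post does not show the update key.

```shell
#!/bin/sh
# Added example, not code from the original post or from Debian's bind9 package.
# Parses an AppArmor DENIED audit line, checks the denied path and mask against
# the file rules visible in the quoted /usr/sbin/named profile, and suggests the
# location Debian's layout expects for a dynamically updated zone file.

# Constructed copy of the audit line quoted in the message (kernel prefix dropped).
AUDIT_LINE='audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107'

# Simplified model of the three "/dir/** perms," rules from the profile excerpt:
# "<dir>/:<perms>" means every path below <dir>/ is granted <perms>.
RULES="/etc/bind/:r /var/lib/bind/:rw /var/cache/bind/:lrw"

# audit_field LINE KEY: print the quoted value of KEY="..." from an audit line.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# path_allowed PATH MASK: return 0 if every letter of MASK is granted by the
# rules matching PATH. AppArmor treats create ('c') as implied by write ('w').
path_allowed() {
    path=$1; mask=$2; granted=""
    for rule in $RULES; do
        prefix=${rule%%:*}; perms=${rule#*:}
        case "$path" in
            "$prefix"*) granted="$granted$perms" ;;
        esac
    done
    case "$granted" in *w*) granted="${granted}c" ;; esac
    rest=$mask
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}; rest=${rest#?}   # peel off the first character
        case "$granted" in *"$ch"*) ;; *) return 1 ;; esac
    done
    return 0
}

# suggest_location PATH: where the profile's comments want a file that named
# was refused under /etc/bind (/var/lib/bind holds dynamically updated zones).
suggest_location() {
    case "$1" in
        /etc/bind/*) printf '/var/lib/bind/%s\n' "${1#/etc/bind/}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# diagnose LINE: one-line verdict; for a .jnl denial, name the zone file to move,
# since named creates the journal next to the zone file it belongs to.
diagnose() {
    p=$(audit_field "$1" name); m=$(audit_field "$1" denied_mask)
    if path_allowed "$p" "$m"; then
        printf 'allowed: %s mask=%s\n' "$p" "$m"
    else
        printf 'denied: %s mask=%s -> move zone to %s\n' "$p" "$m" "$(suggest_location "${p%.jnl}")"
    fi
}

# zone_stanza ZONE FILE [KEY]: named.conf.local stanza with the file under
# /var/lib/bind so named can write both the zone and its .jnl journal.
# The key name defaults to the placeholder "ddns-key" (not from the post).
zone_stanza() {
    key=${3:-ddns-key}
    cat <<EOF
zone "$1" {
    type master;
    file "/var/lib/bind/$2";
    allow-update { key "$key"; };
};
EOF
}

diagnose "$AUDIT_LINE"
zone_stanza bar.com db.bar.com
```

Run as-is, it reports the denial and prints the stanza. The remedy it encodes is the one the profile comments point to: move db.bar.com from /etc/bind to /var/lib/bind (writable by the bind user named runs as) and set the zone's file directive accordingly, so the journal is created where the profile already grants rw. Debian's shipped profile normally also includes /etc/apparmor.d/local/usr.sbin.named for site overrides (an assumption; that include is outside the truncated excerpt shown), where a "/etc/bind/** rw," rule would silence the denial, but that works against the read-only intent stated in the profile.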

Replies