AppArmor, Bind9 et mises à jour par isc-dhcp-server

Olivier

Hello,

I am testing the possibility of updates between an ISC-DHCP server and a Bind9 instance, both services being hosted on the same machine under Debian Buster.

I followed the instructions in [1] but I run into this error:
Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied

The beginning of /etc/apparmor.d/usr.sbin.named is:
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,


How can I properly allow the creation of the files /etc/bind/db.bar.com.jnl?
Suggestions?
Advice?

[1] https://wiki.debian.org/DDNS

Regards
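As an added example (not part of the post above, and not Debian's or AppArmor's own tooling), the script below parses the DENIED audit line quoted in the post, evaluates it against the file rules transcribed from the posted usr.sbin.named profile, and reports which rule matched and which permission letter is missing. It then re-evaluates the same create against /var/lib/bind, the directory the profile's own comments reserve for dynamically updated zones and their journals, to show that the journal would be permitted there without loosening /etc/bind. The `**`/`*` globbing and the assumption that `w` also covers the `c` (create) and `d` (delete) audit masks are simplifications of AppArmor's real matcher; the sample line is a copy of the one in the post.

```python
import re

# Constructed copy of the DENIED audit line quoted in the post (same fields and values).
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 '
    'comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107'
)

# File rules transcribed from the posted /etc/apparmor.d/usr.sbin.named fragment:
# (glob pattern, permission letters).
NAMED_FILE_RULES = [
    ("/etc/bind/**", "r"),
    ("/var/lib/bind/**", "rw"),
    ("/var/lib/bind/", "rw"),
    ("/var/cache/bind/**", "lrw"),
    ("/var/cache/bind/", "rw"),
    ("/var/cache/bind/_default.nzd-lock", "rwk"),
]

# Assumption (simplified AppArmor semantics): a 'w' rule also satisfies the
# 'c' (create) and 'd' (delete) masks that appear in audit lines; other letters map to themselves.
IMPLIED = {"w": "wcd"}


def parse_denial(line):
    """Return the key=value and key="value" fields of one AppArmor audit line as a dict."""
    fields = dict(re.findall(r'(\w+)=([^"\s]+)', line))      # unquoted: type, pid, fsuid, ouid
    fields.update(re.findall(r'(\w+)="([^"]*)"', line))       # quoted: profile, name, masks, ...
    return fields


def glob_to_regex(pattern):
    """AppArmor-style globbing: '**' may span '/', '*' stops at '/'."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def matching_rules(path, rules):
    """Patterns in rules whose glob matches path, in profile order."""
    return [pattern for pattern, _ in rules if glob_to_regex(pattern).match(path)]


def granted_perms(path, rules):
    """Union of permission letters granted on path (AppArmor accumulates all matching file rules)."""
    perms = set()
    for pattern, letters in rules:
        if glob_to_regex(pattern).match(path):
            for letter in letters:
                perms.update(IMPLIED.get(letter, letter))
    return perms


def explain(line, rules):
    """Which rules matched the denied path and which denied_mask letters no rule grants."""
    d = parse_denial(line)
    path, wanted = d["name"], set(d["denied_mask"])
    return {
        "profile": d["profile"],
        "operation": d["operation"],
        "path": path,
        "matching": matching_rules(path, rules),
        "missing": "".join(sorted(wanted - granted_perms(path, rules))),
    }


def check_after_move(line, rules, new_dir="/var/lib/bind/"):
    """Re-evaluate the same denial as if the file lived under new_dir; '' means it would be allowed."""
    d = parse_denial(line)
    new_path = new_dir + d["name"].rsplit("/", 1)[1]
    return "".join(sorted(set(d["denied_mask"]) - granted_perms(new_path, rules)))


if __name__ == "__main__":
    verdict = explain(SAMPLE_DENIAL, NAMED_FILE_RULES)
    print(f'{verdict["profile"]}: {verdict["operation"]} on {verdict["path"]}')
    print(f'  matched rules: {verdict["matching"]}, permission missing: {verdict["missing"]!r}')
    print(f'  same create under /var/lib/bind, missing: {check_after_move(SAMPLE_DENIAL, NAMED_FILE_RULES)!r}')
```

Run as-is, it reports that the create on /etc/bind/db.bar.com.jnl hit only the `/etc/bind/** r` rule and lacks `c`, while the same file under /var/lib/bind is covered by `/var/lib/bind/** rw`. In practice that means keeping the zone's `file` directive (and therefore its `.jnl`) under /var/lib/bind rather than adding a write rule for /etc/bind, which the profile comments intend to stay read-only for named.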
