AppArmor, DHCP, Bind9 issue


AppArmor, DHCP, Bind9 issue

Olivier
Hello,

I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5) instance installed on a Debian Buster box.
Both come from Debian stable repo.

I would like my DHCP server to update Bind9 database when leases are allocated to DHCP clients.

I followed instructions from [1].
I then met the following error:
Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied

I edited /etc/apparmor.d/usr.sbin.named and it now includes the following content:
 ...
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # Next line added to work around apparmor issue
  /etc/bind/*.jnl rw,
  # End of addition
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
...

Now, /var/log/syslog includes:
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' A 192.168.42.104
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' TXT "0097d51fa2194acbea0809316da0885aa0"
Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied

ls -l /etc
drwxr-sr-x 2 root     bind      4096 sept. 21 16:01 bind

ls -l /var/cache
drwxrwxr-x  2 root bind 4096 sept. 22 16:25 bind

ls -l /var/cache/bind
lrwxrwxrwx 1 root root  23 sept. 21 14:29 db.192.168.42 -> /etc/bind/db.192.168.42
lrwxrwxrwx 1 root root  29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com
-rw-r--r-- 1 root root   0 sept. 21 16:36 db.bar.com.jnl
...

How can I solve this?

[1] https://wiki.debian.org/DDNS

Best regards

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: AppArmor, DHCP, Bind9 issue

Mark Andrews
Put the zone file in /var/lib/bind and update named.conf.

-- 
Mark Andrews

On 23 Sep 2020, at 00:43, Olivier <[hidden email]> wrote:

Re: AppArmor, DHCP, Bind9 issue

Scott Nicholas
I think that's a good solution.

I edited the config as you did but ended up moving zones into /etc/bind/zones. I guess because Debian already had some littered in /etc/bind but I did not want to give write access to that directory.

I think that is your current issue. Classic permissions: the "bind" group is missing write access to /etc/bind.

Regards,
Scott

On Tue, Sep 22, 2020, 5:55 PM Mark Andrews <[hidden email]> wrote:
Put the zone file in /var/lib/bind and update named.conf.

-- 
Mark Andrews
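Scott's distinction can be checked mechanically. The following is an added example, not code from any poster: it reads named's syslog output and labels each "permission denied" as an AppArmor denial when a kernel audit record names the same path in the same second (that same-second correlation is an assumption), and as ordinary file permissions (DAC) otherwise. The sample log is constructed from the lines in Olivier's post.

```shell
#!/bin/sh
# Added example, not from the thread: tell an AppArmor denial apart from a
# plain file-permission (DAC) failure in named's syslog output. AppArmor logs
# a kernel audit record naming the path in the same second as named's own
# "permission denied" message; a DAC failure leaves only named's message.
# Reads syslog text on stdin, prints "<path>\t<apparmor|dac>" per denial.
classify_denials() {
    log=$(cat)
    # "<timestamp> <path>" for every path AppArmor refused; the 15-character
    # syslog timestamp plus the path is the correlation key (tr -s squeezes
    # the double space syslog uses for single-digit days)
    mac=$(printf '%s\n' "$log" | grep 'apparmor="DENIED"' |
          sed -n 's/^\(.\{15\}\).*name="\([^"]*\)".*/\1 \2/p' | tr -s ' ')
    # named's own messages look like "<path>: <operation>: permission denied"
    printf '%s\n' "$log" |
    sed -n 's/^\(.\{15\}\) .*named\[[0-9]*\]: \([^:]*\): [^:]*: permission denied$/\1 \2/p' |
    while read -r mon day time path; do
        if printf '%s\n' "$mac" | grep -qxF "$mon $day $time $path"; then
            printf '%s\tapparmor\n' "$path"   # a profile rule is missing
        else
            printf '%s\tdac\n' "$path"        # check owner, group and mode
        fi
    done
}

# Constructed sample built from the lines in Olivier's post: the first denial
# has a matching audit record, the second (after the profile edit) does not.
sample_log() {
    cat <<'EOF'
Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied
Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved
Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied
EOF
}

# Usage: sh classify.sh < /var/log/syslog, or "sh classify.sh --sample"
if [ "${1:-}" = "--sample" ]; then sample_log | classify_denials; fi
```

On the sample the first denial is reported as apparmor and the second as dac, which is the situation Olivier describes after adding the /etc/bind/*.jnl rule.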

Re: AppArmor, DHCP, Bind9 issue

Petr Mensik
In reply to this post by Olivier
Hi Olivier,

We on Fedora use SELinux, but have a similar problem.

I think you should move db.bar.com to /var/lib/bind instead. That means,
copy the file there. Leave a symlink in /etc/bind to /var/lib/bind if
necessary. The primary place after dynamic update must be in a directory
writable by named. It should not be the directory /etc/bind. Keep the journal
file in the same directory. They belong together.

SELinux would keep the label on move from /etc/bind to /var/lib/bind. That's
why I suggest copying it there and then removing the original file in /etc/bind.
Might be unnecessary under AppArmor, not sure.

Make sure the zone file is writeable by bind user.
# chgrp bind /var/lib/bind/* && chmod g+w /var/lib/bind/*

I would propose to omit using the /var/cache directory for type primary; I
think there should be secondary copies only, as a cache directory means it
can be cleaned without data loss. You should back up /var/lib/bind; there
is the primary data. It has no source from which it can be fetched
after deletion. Secondary zones have that.

I am not sure how AppArmor handles permissions. On SELinux, you would
have to restore contexts shown with ls -Z, by command restorecon -R
/var/lib/bind. Check whether anything similar is required on AppArmor.


Regards,
Petr

On 9/22/20 4:42 PM, Olivier wrote:
> [1] https://wiki.debian.org/DDNS
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


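Mark's one-line advice and Petr's copy-then-chgrp procedure, carried out as a script. This is an added example and not code from the thread or from ISC: the function names, the directory and group parameters, and the emitted named.conf stanza are assumptions (the stanza uses `type master`, the 9.11 spelling of what Petr calls type primary, and limits updates to the `ddns_update` key seen in Olivier's log).

```shell
#!/bin/sh
# Added example, not from the thread: move a primary zone out of /etc/bind the
# way Mark and Petr describe (copy the zone file and its journal into a
# directory named can write, give the bind group write access) and print the
# named.conf stanza that points at the new file. Directory and group are
# parameters so it can be exercised without root.
set -eu

# check_zone_dir DIR GROUP: true only if DIR is owned by GROUP with the group
# write bit set and is not under /etc/bind, which Debian keeps read-only.
check_zone_dir() {
    dir=$1 group=$2
    case "$dir" in /etc/bind|/etc/bind/*) return 1 ;; esac
    [ -d "$dir" ] || return 1
    # -prune keeps find on DIR itself; -perm -g=w tests the group write bit
    [ -n "$(find "$dir" -prune -perm -g=w -group "$group" 2>/dev/null)" ]
}

# relocate_zone ZONEFILE DEST GROUP: copy ZONEFILE and ZONEFILE.jnl (if any)
# into DEST, chgrp/chmod g+w the copies as Petr suggests, and print the new
# path. The originals stay in place until named has been reconfigured.
relocate_zone() {
    src=$1 dest=$2 group=$3
    check_zone_dir "$dest" "$group" ||
        { echo "refusing: $dest is not writable by group $group" >&2; return 1; }
    for f in "$src" "$src.jnl"; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dest/$(basename "$f")"
        chgrp "$group" "$dest/$(basename "$f")"
        chmod g+w "$dest/$(basename "$f")"
    done
    echo "$dest/$(basename "$src")"
}

# zone_stanza NAME FILE KEY: named.conf zone block for the relocated file,
# with dynamic updates limited to the TSIG key the log shows (ddns_update).
zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n    allow-update { key "%s"; };\n};\n' "$1" "$2" "$3"
}

# Usage: sh relocate_zone.sh bar.com /etc/bind/db.bar.com /var/lib/bind bind
if [ $# -eq 4 ]; then
    new=$(relocate_zone "$2" "$3" "$4")
    zone_stanza "$1" "$new" ddns_update
fi
```

After the copy, named.conf must be edited to the printed stanza and named reloaded; only then is it safe to remove or symlink the original in /etc/bind.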