Re: AppArmor, DHCP, Bind9 issue [SOLVED]


Re: AppArmor, DHCP, Bind9 issue [SOLVED]

Olivier
Hello,

Thank you all for replying !

Thanks to your suggestions, creating an /etc/bind/subdir directory, and tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update Bind9 entries.

1. I'm hesitant to file a bug on Debian about this. As this involves both Bind9 and AppArmor, would you say it deserves to be implemented and documented in the default Bind9 installation, or that it is too specific for this?

2. If it deserves to be implemented, how would you name this /etc/bind/subdir directory?
I personally used "/etc/bind/ddns-zones", but surely there exist alternatives that better describe the purpose of this directory (hosting config that bind9 needs to rewrite), such as:
writable_conf
rw_conf
rwconf

Detailed steps I followed on Debian Buster to work around the issue were:

mkdir /etc/bind/ddns-zones
chown root:bind /etc/bind/ddns-zones
# I don't know if plain 775 better fits. Comments welcome
chmod 2775 /etc/bind/ddns-zones

Adding into /etc/apparmor.d/usr.sbin.named a line:
/etc/bind/ddns-zones/** rw,

before line
/etc/bind/** r,

Best regards


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: AppArmor, DHCP, Bind9 issue [SOLVED]

Ondřej Surý

> On 1. 10. 2020, at 17:27, Olivier <[hidden email]> wrote:
>
> 1. I'm hesitant to file a bug on Debian about this. As this involves both Bind9 and AppArmor, would you say it deserves to be implemented and documented in the default Bind9 installation, or that it is too specific for this?

Speaking with my Debian Developer hat on: I don't think there's a bug in Debian. The default AppArmor rules work
fine for most installations, and there's a mechanism to extend the rules (from the bottom of /etc/apparmor.d/usr.sbin.named):

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>

Ondrej
--
Ondřej Surý (He/Him)
[hidden email]


Re: AppArmor, DHCP, Bind9 issue [SOLVED]

Petr Mensik
Hello Olivier,

On 10/1/20 5:27 PM, Olivier wrote:
> Hello,
>
> Thank you all for replying !
>
> Thanks to your suggestions, creating an /etc/bind/subdir directory, and
> tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update
> Bind9 entries.
It depends whether zone data are considered data (and belong in
/var/lib/bind instead) or configuration. When it is updated by named, I
think it is data, and you should just make a symlink to /var/lib/bind or
its subdirectory. It is already prepared for that.

Or just use full paths to /var/lib/bind in zone definitions.
>
> 1. I'm hesitant to file a bug on Debian about this. As this involves both
> Bind9 and AppArmor, would you say it deserves to be implemented and
> documented in the default Bind9 installation, or that it is too specific for
> this?
I doubt it. It is documented in /usr/share/doc/bind9/README.Debian,
where it should belong. It clearly states that any zone with dynamic updates
should belong in /var/lib/bind.

Of course you can customize it, but then also AppArmor has to be adjusted.
>
> 2. If it deserves to be implemented, how would you name this
> /etc/bind/subdir directory?
> I personally used "/etc/bind/ddns-zones", but surely there exist
> alternatives that better describe the purpose of this directory (hosting
> config that bind9 needs to rewrite), such as:
> writable_conf
> rw_conf
> rwconf
just
(cd /etc/bind && ln -s ../../var/lib/bind ddns-zones)
should be enough.

>
> Detailed steps I followed on Debian Buster to work around the issue were:
>
> mkdir /etc/bind/ddns-zones
> chown root:bind /etc/bind/ddns-zones
> # I don't know if plain 775 better fits. Comments welcome
> chmod 2775 /etc/bind/ddns-zones
>
> Adding into /etc/apparmor.d/usr.sbin.named a line:
> /etc/bind/ddns-zones/** rw,
>
> before line
> /etc/bind/** r,
>
> Best regards
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



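The thread describes two ways to let named write dynamically updated zones on Debian: Olivier's writable directory under /etc/bind plus an extra AppArmor rule, and Ondřej's point that the extra rule belongs in the local override file the packaged profile already includes rather than in the packaged profile itself. The script below is an added example written for this page, not code from the thread, Debian or ISC. It performs Olivier's steps but writes the rule into /etc/apparmor.d/local/usr.sbin.named, and adds a small check that tells you whether a given zone file path is covered by a "DIR/** rw," rule before you reload the profile. The ROOT, ZONE_DIR and LOCAL_OVERRIDE variables are assumptions introduced here so the script can be dry-run against a scratch directory as a non-root user; path_is_writable is a deliberately crude approximation of AppArmor matching that only understands "DIR/** rw," lines, not the full glob syntax.

```shell
#!/bin/sh
# Added example: writable zone directory + AppArmor local override for named.
# ROOT is prefixed to every path so the script can be exercised in a scratch
# directory (ROOT=/tmp/scratch) without touching the real system.
set -eu

ROOT="${ROOT:-}"                                   # assumption: empty on a real host
ZONE_DIR="${ZONE_DIR:-/etc/bind/ddns-zones}"       # directory name from the thread
LOCAL_OVERRIDE="${LOCAL_OVERRIDE:-/etc/apparmor.d/local/usr.sbin.named}"

# Create the zone directory with the ownership and setgid bit Olivier used.
# chown needs root and a "bind" group; both are skipped in a dry run.
make_zone_dir() {
    dir="$ROOT$1"
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ] && getent group bind >/dev/null 2>&1; then
        chown root:bind "$dir"
    fi
    chmod 2775 "$dir"
}

# Append "DIR/** rw," to the local override file, idempotently, instead of
# editing the packaged profile that the package manager may overwrite.
add_override_rule() {
    file="$ROOT$1"
    rule="$2/** rw,"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -qxF "$rule" "$file"; then
        printf '%s\n' "$rule" >> "$file"
    fi
}

# Return 0 if PATH (second arg) lies under a directory granted by a
# "DIR/** rw," line in FILE (first arg), 1 otherwise. Only this one rule
# shape is recognised; it is a sanity check, not an AppArmor emulator.
path_is_writable() {
    file="$ROOT$1"
    path="$2"
    [ -f "$file" ] || return 1
    for prefix in $(sed -nE 's|^[[:space:]]*(/[^[:space:]]*)/\*\*[[:space:]]+rw,.*|\1|p' "$file"); do
        case "$path" in
            "$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

main() {
    make_zone_dir "$ZONE_DIR"
    add_override_rule "$LOCAL_OVERRIDE" "$ZONE_DIR"
    # Reload the profile so the new rule takes effect (root + AppArmor only).
    if [ "$(id -u)" -eq 0 ] && command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$ROOT/etc/apparmor.d/usr.sbin.named"
    fi
}

# Only act when invoked as "sh script.sh apply"; otherwise just define functions.
if [ "${1:-}" = apply ]; then
    main
fi
```

A dry run is `ROOT=/tmp/scratch sh script.sh apply`, after which `path_is_writable /etc/apparmor.d/local/usr.sbin.named /etc/bind/ddns-zones/example.org.zone` should succeed and the same check on /etc/bind/named.conf.local should fail, which is the property you want: write access is confined to the one directory holding dynamically updated zones. If you follow Petr's advice instead and keep those zones under /var/lib/bind (directly or via a relative symlink from /etc/bind), no override rule is needed and only make_zone_dir's idea of a group-writable, setgid directory carries over.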