default apparmor setting prevents bind from running under chroot
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Binary package hint: apparmor
Easily reproducible.
1) Fresh minimal install of LTS 8.04 Hardy
2) Install bind9, verify that permissions ARE correct
3) Create the chroot (scroll down to "DNS Server" section of http://
3) Edit /etc/default/bind9 changing this line to this:
OPTIONS="-u bind -t /var/lib/named"
4) Try to start bind. It will complain thusly to syslog:
none:0: open: /etc/bind/
loading configuration: permission denied
exiting (due to fatal error)
To make bind work:
/etc/init.
/etc/init.d/bind9 start
To make it fail:
/etc/init.
/etc/init.d/bind9 restart
Unable to find sufficient documentation on apparmor to discover a workaround; that would be satisfactory as well, though the next point release should make this behavior a default. For many years and for many reasons most servers have run bind in a chroot jail.
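The failure described above comes down to a mismatch between the chroot named in OPTIONS and the paths the AppArmor profile for named (on Ubuntu, /etc/apparmor.d/usr.sbin.named) actually grants. The script below, an added example that is not part of the bug report, extracts the -t chroot directory from an OPTIONS string and checks whether a profile text contains any rule under it; the profile text and OPTIONS value are constructed samples, not copied from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether the named AppArmor
# profile grants any access under the chroot given in /etc/default/bind9.
# SAMPLE_PROFILE and SAMPLE_OPTIONS below are constructed, not real files.

# Print the argument of -t (the chroot directory) from an OPTIONS string.
chroot_from_options() {
    set -- $1   # word-split the OPTIONS value into arguments
    while [ $# -gt 0 ]; do
        if [ "$1" = "-t" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1    # no -t given: bind is not chrooted
}

# Return 0 if the profile text ($1) has at least one path rule under $2.
# Only plain directory names are expected in $2 (no regex metacharacters).
profile_covers_path() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2/"
}

# Constructed minimal profile in the Hardy style: it only knows /etc/bind,
# so a chrooted named never gets to read its config under /var/lib/named.
SAMPLE_PROFILE='/usr/sbin/named {
  /etc/bind/** r,
  /var/cache/bind/** lrw,
  /var/run/bind/run/named.pid w,
}'

SAMPLE_OPTIONS="-u bind -t /var/lib/named"

# Report whether the profile covers the chroot from OPTIONS; 0 = covered.
check_chroot_profile() {
    chroot_dir=$(chroot_from_options "$1") || { echo "no -t chroot in OPTIONS"; return 0; }
    if profile_covers_path "$2" "$chroot_dir"; then
        echo "profile grants access under $chroot_dir"
        return 0
    fi
    echo "profile has no rules under $chroot_dir: named will be denied its config in the chroot"
    return 1
}

check_chroot_profile "$SAMPLE_OPTIONS" "$SAMPLE_PROFILE" ||
    echo "fix: add read rules for the chroot copy of /etc/bind to the named profile"
```

Against a live system, feed it the real OPTIONS line and the contents of the installed profile instead of the constructed samples.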
Eh, that last bit should be
To make it fail:
/etc/init.d/apparmor start
/etc/init.d/bind9 restart