bind chroot not allowed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: apparmor
I have a custom apparmor profile for /usr/sbin/named which allows chroot. It's attached. With that profile, bind9 fails as follows:
```
named: chroot(): Permission denied
```
The reason I suspect an apparmor bug is that if I switch to complain mode and then directly back to enforce mode, it works as follows:

```
root@newnyx:~# complain /usr/sbin/named ; enforce /usr/sbin/named ; service bind9 start
Setting /usr/sbin/named to complain mode.
Setting /usr/sbin/named to enforce mode.
 * Starting domain name service... bind9 [ OK ]
root@newnyx:~#
```
However, any time I restart apparmor it goes right back to not allowing the chroot.
I have attached both my apparmor conf for named and a strace -f output.
strace -f output...
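The reporter's attached profile is not part of this page. As an added illustration (not the reporter's profile and not the stock Ubuntu one), the fragment below shows what a confined `/usr/sbin/named` needs in order to call `chroot(2)` and then drop privileges: the `sys_chroot` capability rule is the one whose absence produces exactly the `chroot(): Permission denied` failure quoted above. The chroot location `/var/lib/named` and all paths under it are assumptions for the example.

```apparmor
# Illustrative AppArmor profile fragment for a chrooted BIND 9 (example only;
# the chroot path /var/lib/named and the file layout below are assumptions).
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # chroot(2) is gated by CAP_SYS_CHROOT. Without this rule the kernel returns
  # EPERM and named logs "chroot(): Permission denied".
  capability sys_chroot,

  # named binds port 53 as root, then switches to the bind user inside the chroot.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # The chroot root must be traversable, and named needs its config,
  # zone/cache data, pid directory and a few device nodes inside it.
  /var/lib/named/ r,
  /var/lib/named/etc/bind/** r,
  /var/lib/named/var/cache/bind/** rw,
  /var/lib/named/var/run/named/** rw,
  /var/lib/named/dev/{null,random,urandom,log} rw,

  # The binary itself.
  /usr/sbin/named mr,
}
```

When a profile lacks the capability rule, the denial is visible in the kernel log as an `apparmor="DENIED" operation="capable"` line naming `profile="/usr/sbin/named"` and `capname="sys_chroot"`; checking for that line after `service bind9 start` distinguishes a missing rule from the reload-order behaviour the report describes, where the same profile works after a complain/enforce toggle.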