Zone files stored in /etc/bind cause apparmor violations

Bug #1046830 reported by Gavin Panella
This bug affects 2 people
Affects: MAAS
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

From syslog:

Sep 5 14:33:05 maas named[22389]: dumping master file: /etc/bind/tmp-zajxQt8rRE: open: permission denied
Sep 5 14:33:05 maas kernel: [71497.564744] type=1400 audit(1346851985.249:31): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/etc/bind/tmp-zajxQt8rRE" pid=22397 comm="named" requested_mask="c" denied_mask="c" fsuid=104 ouid=104

(The "maas" above is the hostname of the machine.)

The comment at http://ubuntuforums.org/showpost.php?p=10707491&postcount=2 hints that the zone file location is used by named(8) when choosing a location to create a temporary file. The apparmor profile for /usr/sbin/named permits read-only access to /etc/bind, but read-write to /var/lib/bind. Moving the zone files there has, thus far, stopped these violations from happening.

Strangely enough, named seems to operate correctly even after butting up against apparmor. I assume it has some fall-back mechanism.

Tags: dns
Changed in maas:
status: Triaged → Won't Fix
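
A way to triage denials like the one in the report, as an added example that is not part of the original bug report or of MAAS: it parses AppArmor DENIED audit lines from syslog and counts them per profile, directory and denied access, which shows at a glance where a confined daemon is trying to write. Only the first sample line comes from the report; the other two lines and the names parse_denial and summarize are constructed for illustration.

```python
import os
import re
from collections import Counter

# Constructed sample: the first line is the denial quoted in the report (joined
# onto one line); the other two lines are constructed for illustration.
SAMPLE_LOG = [
    'Sep 5 14:33:05 maas kernel: [71497.564744] type=1400 audit(1346851985.249:31): '
    'apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" '
    'name="/etc/bind/tmp-zajxQt8rRE" pid=22397 comm="named" requested_mask="c" '
    'denied_mask="c" fsuid=104 ouid=104',
    'Sep 5 14:48:05 maas kernel: [72397.100000] type=1400 audit(1346852885.001:32): '
    'apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" '
    'name="/etc/bind/tmp-CONSTRUCTED" pid=22397 comm="named" requested_mask="c" '
    'denied_mask="c" fsuid=104 ouid=104',
    'Sep 5 14:49:00 maas named[22389]: zone example.test/IN: loaded serial 2',
]

# Letters used in requested_mask / denied_mask for file rules.
MASKS = {"r": "read", "w": "write", "a": "append", "c": "create",
         "d": "delete", "x": "execute", "m": "mmap", "k": "lock", "l": "link"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def summarize(lines):
    """Count denials per (profile, directory of the target, denied access)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None or "name" not in rec:
            continue  # not a denial, or a denial without a file path
        access = "+".join(MASKS.get(c, c) for c in rec.get("denied_mask", ""))
        counts[(rec["profile"], os.path.dirname(rec["name"]), access)] += 1
    return counts

if __name__ == "__main__":
    for (profile, directory, access), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {profile} denied {access} in {directory}")
```

A repeated "create" denial in a directory the profile only allows reading, as here with /etc/bind, points at files that belong in a location the profile allows writing to.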