
Re: DNS/apparmor problem



On Aug 13, 2012, at 10:27 AM, Camaleón wrote:

> On Sun, 12 Aug 2012 14:19:31 -0600, Glenn English wrote:
> 
>> I started having lots of errors like "refresh: could not set file
>> modification time of '/etc/bind/XXXXX': permission denied" in syslog
>> from bind9. I found some talking about this at an Ubuntu site, and a
>> little more in README.Debian. And there's an apparmor.d/usr.sbin.named
>> file in /etc. The Ubuntu site tells me that I need to do something to it
>> with a program called aa-complain.
> 
> (...)
> 
> The only thing I can think of that could be causing these errors is that by 
> default, and IIRC, Bind9 comes chrooted in Debian

I may be wrong, but I don't think the Debian Bind9 install on lenny is chrooted. 
All its configs are in plain old /etc (the domain files are in /var/cache/bind). 
It's owned and run by user bind, not root, that's all...

> so this setting could  
> trigger "permission denied" errors but on the other hand, for the kind of 
> message ("can't change file modification time") it can also be something 
> related to a synchronization problem between zones, maybe with another 
> server :-?
> 
> What does your DNS server configuration look like?

It looks like a mixture of Webmin and vim editing. Would you like it (them) 
posted? I'd be glad to do that if you do. I've already grep'ed for apparmor. 
It found nothing in /etc/bind/*.

> Are you using a special 
> setup

Define 'special' :-) There are 2 DNS servers on the DMZ. One, non-caching, 
non-recursive, limited in the domains it will provide, and running only 
slave zone files, is facing the Internet. The other is wide open and available 
to the LAN and the Internet facing DNS server. All the master zones are on 
the LAN facing server. 

> or did you recently change something on your side?

Not that I can remember. 

I edited the AppArmor profile file, but after the errors. It said, as best I 
understand it, that everything in /etc/bind was read only by the owner. I 
changed that to rw (because there was a write problem and I thought I'd try 
something trivial), and the errors seem to have stopped (or maybe they just 
haven't started yet today). That makes very little sense to me because the 
files complained about in the logs weren't in /etc/bind. 

If you, or anyone else, has any idea how AppArmor, nary a byte of whose executables 
are on the machine, can have any effect whatsoever, I'd sure like to know about it. 
I hesitate to simply delete the profile file because I don't understand yet what's 
going on -- something put it there and is using it somehow...

BTW, /etc/apparmor.d/usr.sbin.named is the only AppArmor file of any kind I can find 
on the machine.

-- 
Glenn English
hand-wrapped from my Apple Mail
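An added diagnostic, not part of this thread, for telling an AppArmor denial apart from a plain ownership/mode problem when named logs "permission denied". The log lines are constructed samples, the function names are mine, and it assumes a Linux host where /sys/module/apparmor/parameters/enabled and /proc/PID/attr/current exist as they do on AppArmor-capable kernels.

```shell
#!/bin/sh
# Added example, not from the thread: separate AppArmor denials from plain
# Unix permission failures when named logs "permission denied".

# Constructed sample of the two log sources involved (syslog from named and
# a kernel audit record in the shape AppArmor writes); not real host output.
sample_log() {
cat <<'EOF'
Aug 13 10:27:01 ns1 named[1234]: refresh: could not set file modification time of '/var/cache/bind/db.example': permission denied
Aug 13 10:27:01 ns1 kernel: type=1400 audit(1344875221.123:45): apparmor="DENIED" operation="utimes" profile="/usr/sbin/named" name="/var/cache/bind/db.example" pid=1234 comm="named"
Aug 13 10:27:05 ns1 named[1234]: zone example.com/IN: loaded serial 2012081301
EOF
}

# Number of AppArmor DENIED audit records on stdin. Zero denials alongside
# named's own errors points at ownership/mode, not at a profile.
count_apparmor_denials() {
    grep -c 'apparmor="DENIED"' || true
}

# Paths that named could not write to, taken from either message format.
denied_paths() {
    sed -n \
        -e "s/.*could not set file modification time of '\([^']*\)'.*/\1/p" \
        -e 's/.*apparmor="DENIED".* name="\([^"]*\)".*/\1/p' | sort -u
}

# Is the running kernel actually enforcing AppArmor? A profile file under
# /etc/apparmor.d does nothing by itself without kernel and userspace support.
apparmor_enabled() {
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]
}

# Confinement of the live named process: "unconfined" or a profile name
# such as "/usr/sbin/named (enforce)".
named_confinement() {
    pid=$(pidof named 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || return 1
    cat "/proc/$pid/attr/current"
}

# Offline walk-through on the constructed sample.
sample_log | count_apparmor_denials
sample_log | denied_paths
```

On a real host, run apparmor_enabled and named_confinement first: if the kernel reports no AppArmor and named is unconfined, the profile file cannot be the cause and the chown/chmod of the zone directory is where to look.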