Re: DNS/apparmor problem



On Aug 14, 2012, at 9:03 AM, Camaleón wrote:

> I may have confused bind9 with postfix or another server application, but 
> true is that I remember a usual service that came chrooted as a Debian 
> default that I had to un-chroot to make it work with less headaches.

Yeah. Postfix is chrooted -- it asks me fairly frequently to copy files 
from /etc to where it lives...

> AppArmour is not a variable I would take into account unless you manually 
> installed and configured it.

I was just hoping to find a bind config mentioning the file in /etc.

> Debian does not ship AA by default and even 
> if so, no profile is enabled so I would discard a problem coming from 
> here (unless, of course, you did something that triggered the AA 
> installation which enabled a profile...).

It isn't, but a folder and a file got installed in /etc somehow.

> Mmm, master, slave and zone transfers between them?

Frequently. 

> If there's any 
> interrelation between both servers it can be indeed an "out of sync" 
> timing issue (remember the error started with "refresh:" operation).

I try to keep an eye on them to see if they get out of sync. 

> Are the times of both servers accurately set (e.g., by means of nntpd)?

Yes. There's a dedicated NTP server on the DMZ to sync all the clocks 
in my nets. (I live in Boulder County, USA, so NIST is just down the 
street -- I have a 10 or 20 ms latency to their atomic clocks.)

>> I edited the AppArmor profile file, but after the errors. 
> 
> Uh? What AA profile? :-?

/etc/apparmor.d/use.sbin.named:

# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
...

Since I've never seen AA, I don't know for sure what an AA profile looks 
like, but I have reason to believe this is one...

> Mmm... AA should be nonexistent in your system and of course no service 
> should be up and running (if AA is not started, profiles are not read and 
> thus not executed, or at least that's how it was at the times I was using 
> openSUSE which had enabled AA by default with some profiles "on").

It doesn't exist, and it's not running. But the named profile exists...

> Well, that's of course something you should discover as soon as possible. 
> AA can be very useful but of course it has to be fine tweaked before 
> because it can keep services from working properly.

Any idea how to do that? From what I've found, AA does look like it might 
do me some good. But it's (allegedly) not here yet.

>> BTW, /etc/apparmor.d/use.sbin.named is the only AppArmor file of any
>> kind I can find on the machine.
> 
> Weird but I'd say harmless unless AA is running.

I'd have thought so too, except that it appeared in /etc somehow and seems 
to affect bind9.

> Anyway, time to run 
> "locate apparmor", just in case... :-)

root# locate apparmor
-bash: locate: command not found

I've done whereis and which. Both say AA isn't there. And ps says it 
isn't running.

Aptitude doesn't find locate either. Is it part of some package?

-- 
Glenn English
hand-wrapped from my Apple Mail
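The questions raised in this message (is AppArmor actually loaded, is the named profile enforced, is the running named process confined, and which package dropped the profile file into /etc) can be answered directly from the kernel's own interfaces rather than by searching for binaries. The script below is an added example, not commands from Glenn or Camaleón; it assumes a Debian-style system where the profile file is /etc/apparmor.d/usr.sbin.named and the AppArmor status files live under /sys/module/apparmor and /sys/kernel/security/apparmor.

```shell
#!/bin/sh
# Added example: inspect AppArmor's real state instead of guessing from
# "which apparmor". Paths are the kernel's; file arguments are optional
# overrides so the helpers can be exercised against constructed input.

# 0 if the AppArmor LSM reports itself enabled ("Y"), 1 otherwise.
aa_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Print the loaded mode of a profile name (enforce|complain), or
# "unloaded" if the kernel does not list it. $1 = profile name,
# $2 = profiles listing (default: securityfs listing).
aa_profile_mode() {
    name="$1"
    list="${2:-/sys/kernel/security/apparmor/profiles}"
    mode=""
    if [ -r "$list" ]; then
        # Lines look like: "/usr/sbin/named (enforce)"
        mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$list")
    fi
    printf '%s\n' "${mode:-unloaded}"
}

# Print the confinement label of a running process ("unconfined" or a
# profile name with its mode); "unknown" if /proc is not readable.
proc_confinement() {
    f="/proc/$1/attr/current"
    if [ -r "$f" ]; then cat "$f"; echo; else echo unknown; fi
}

# Human-readable summary for bind9 on this host.
aa_report() {
    profile_file="${1:-/etc/apparmor.d/usr.sbin.named}"   # assumed Debian path
    if aa_enabled; then echo "AppArmor LSM: enabled"; else echo "AppArmor LSM: not enabled"; fi
    echo "named profile: $(aa_profile_mode /usr/sbin/named)"
    pid=$(pidof named 2>/dev/null || true)
    if [ -n "$pid" ]; then echo "named pid $pid: $(proc_confinement "$pid")"; fi
    # dpkg -S reports which package owns the file, i.e. how it "appeared".
    echo "profile file owner: $(dpkg -S "$profile_file" 2>/dev/null | cut -d: -f1)"
}

[ "${1:-}" = "--report" ] && aa_report
```

Run with `--report` as root; an enabled LSM with the named profile in "enforce" and a confined pid means AppArmor is shaping bind9's file access regardless of whether any userland tooling is installed.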