
Re: bind gets permission errors in buster--systemd-related?




On Wed, May 15, 2019 at 10:39 AM Sven Joachim <svenjoac@xxxxxx> wrote:
....
> I am not really familiar with apparmor or resolvconf, but in
> /etc/apparmor.d/usr.sbin.named I found the following:
>
> ,----
> |   # support for resolvconf
> |   /{,var/}run/named/named.options r,
> `----
>
> which suggests that the standard way would be to use
> /run/named/named.options rather than /run/named/named.resolvers.
> Alternatively, you may put the following line into
> /etc/apparmor.d/local/usr.sbin.named:
>
>   /{,var/}run/named/named.resolvers r,

Yep.  Not only that, but just below that is
  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,
so if I switch my logs to there (and rename the directory), instead of
/var/log/bind, the logging should work too.  Or I could add apparmor
entries for /var/log/bind.

I'm still trying to figure out what, if anything, is necessary for
revised apparmor settings to take effect.

Thanks.
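
The path rules discussed in this thread can be checked offline with a small matcher. This is an added example, not part of the original messages and not AppArmor's own code. It models only a subset of the glob syntax from apparmor.d(5) (`{a,b}`, `*`, `**`, `?`), and the `LOCAL_OVERRIDES` entries for /var/log/bind are constructed for illustration:

```python
import re

# Rules quoted in the thread from /etc/apparmor.d/usr.sbin.named.
PROFILE_RULES = [
    ("/{,var/}run/named/named.options", "r"),
    ("/var/log/named/**", "rw"),
    ("/var/log/named/", "rw"),
]

# Additions for /etc/apparmor.d/local/usr.sbin.named: the first is the line
# suggested in the thread, the /var/log/bind entries are constructed here.
LOCAL_OVERRIDES = [
    ("/{,var/}run/named/named.resolvers", "r"),
    ("/var/log/bind/**", "rw"),
    ("/var/log/bind/", "rw"),
]

def glob_to_regex(glob):
    """Translate a subset of AppArmor path globbing into a compiled regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):      # ** may cross directory boundaries
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":                      # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":                    # ? is one character, never a slash
            out.append("[^/]")
        elif c == "{":                    # {a,b} is an alternation
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in rule: " + glob)
    return re.compile("".join(out))

def allowed(path, wanted, rules):
    """True if one rule matches path and grants every permission in wanted."""
    return any(glob_to_regex(g).fullmatch(path) and set(wanted) <= set(perms)
               for g, perms in rules)
```

Edits under /etc/apparmor.d/local/ are only picked up once the profile is reloaded, for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`.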