DNSSEC transition from manually signed zone to dnssec-policy "standard" failed

Bjørn Mork bjorn at mork.no
Sat Jun 4 10:36:05 UTC 2022


Mirsad Goran Todorovac <mirsad.todorovac at alu.unizg.hr> writes:

> Apparently, APPARMOR denied opening of the journal file in
> /etc/bind/zones even when the directory had bind group write
> permissions.

Looking at the default policy in /etc/apparmor.d/usr.sbin.named in the
Debian bind9 package, I see that /etc/bind/ only has read access:

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,


You can probably override this with a local policy, but I guess life is
easier if you just go with the flow.  If you really want to use
apparmor, that is...


Bjørn
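Added illustration, not part of the thread: a small Python model of how the
quoted profile rules are evaluated, so you can see why a journal under
/etc/bind/zones is denied while the same file under /var/lib/bind is not.
The glob handling is a simplified approximation of apparmor_parser's, and
the rule text is copied from the fragment above.

```python
import re

# Constructed input: the file rules quoted from the Debian
# usr.sbin.named profile.
PROFILE_RULES = """
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
"""

RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-z]+),\s*$")


def parse_rules(text):
    """Return [(path_glob, {permission letters})] for simple file rules."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def glob_to_regex(pattern):
    """Approximate AppArmor globbing: '**' may cross '/', '*' may not.
    A glob right after '/' must match at least one non-'/' character,
    so '/dir/**' covers entries below /dir but not /dir/ itself
    (hence the separate '/var/lib/bind/ rw' rule in the profile)."""
    out, i = [], 0
    while i < len(pattern):
        after_slash = i == 0 or pattern[i - 1] == "/"
        if pattern.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def permissions_for(path, rules=None):
    """File rules accumulate: union of every rule whose glob matches."""
    rules = parse_rules(PROFILE_RULES) if rules is None else rules
    perms = set()
    for glob, p in rules:
        if glob_to_regex(glob).match(path):
            perms |= p
    return perms


def can_write(path, rules=None):
    return "w" in permissions_for(path, rules)
```

Running permissions_for() on /etc/bind/zones/example.com.jnl yields only
{'r'}, while the same name under /var/lib/bind/ yields {'r', 'w'}.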
