===== bind and chroot =====

Install the software and stop both services while the chroot is being built:
<code>
apt-get install bind9
/etc/init.d/bind9 stop
/etc/init.d/apparmor stop
</code>

Change the bind9 defaults so that named drops privileges to the bind user and chroots into /var/lib/named at startup:
<code>
vim /etc/default/bind9
</code>

Change the first line to:
<file>
OPTIONS="-u bind -t /var/lib/named"
</file>
 +
Create the chroot directories, move /etc/bind to /var/lib/named/etc/bind and leave a symlink in its place (so the configuration is still reachable at /etc/bind outside the chroot), create the null and random device nodes, and fix ownership:

<code>
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
</code>

Note that the last chown makes the configuration directory writable by the bind user at the filesystem level; the AppArmor profile edited further down is then what decides whether named can actually modify its own configuration.
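The commands above succeed silently, so it is worth checking the result before starting named. The following script is an added example, not part of the original howto: it walks a chroot tree and reports anything that differs from the layout the commands create (missing directories, wrong device numbers or modes on dev/null and dev/random, no syslog socket at dev/log, a broken /etc/bind symlink, wrong ownership). It assumes the chroot root is /var/lib/named and the symlink is /etc/bind, both overridable, and takes the bind user's uid as a parameter; build_sample_tree() constructs a deliberately incomplete tree in a temporary directory so the checks can be exercised without root.

```python
"""Added example (not part of the original howto): verify a bind9 chroot tree.

Assumes the chroot root is /var/lib/named and the configuration symlink is
/etc/bind (both overridable); the bind user's uid is passed as owner_uid.
Nothing here needs root: it only reads the tree and returns findings.
"""
import os
import stat

# Directories the mkdir lines create, relative to the chroot root.
REQUIRED_DIRS = ["etc/bind", "dev", "var/cache/bind", "var/run/bind/run"]
# Device nodes from the mknod/chmod lines: path -> (major, minor, mode).
REQUIRED_DEVICES = {"dev/null": (1, 3, 0o666), "dev/random": (1, 8, 0o666)}


def check_chroot(root="/var/lib/named", etc_link="/etc/bind", owner_uid=None):
    """Return a list of findings; an empty list means the tree matches."""
    findings = []

    for rel in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, rel)):
            findings.append(f"missing directory {rel}")

    for rel, (major, minor, mode) in REQUIRED_DEVICES.items():
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append(f"missing device node {rel}")
            continue
        if not stat.S_ISCHR(st.st_mode):
            findings.append(f"{rel} is not a character device")
            continue
        found = (os.major(st.st_rdev), os.minor(st.st_rdev))
        if found != (major, minor):
            findings.append(f"{rel} is device {found[0]}:{found[1]}, expected {major}:{minor}")
        if stat.S_IMODE(st.st_mode) != mode:
            findings.append(f"{rel} has mode {stat.S_IMODE(st.st_mode):o}, expected {mode:o}")

    # syslogd/rsyslog must open a socket at dev/log inside the chroot,
    # otherwise named's log messages are silently lost once it has chrooted.
    log_sock = os.path.join(root, "dev/log")
    if not os.path.exists(log_sock):
        findings.append("dev/log missing: syslog is not listening inside the chroot")
    elif not stat.S_ISSOCK(os.stat(log_sock).st_mode):
        findings.append("dev/log exists but is not a socket")

    # /etc/bind outside the chroot must be a symlink to the moved directory,
    # otherwise edits made at /etc/bind never reach the running named.
    target = os.path.join(root, "etc/bind")
    if not os.path.islink(etc_link):
        findings.append(f"{etc_link} is not a symlink")
    elif os.path.realpath(etc_link) != os.path.realpath(target):
        findings.append(f"{etc_link} points to {os.readlink(etc_link)}, expected {target}")

    if owner_uid is not None:
        for rel in ("etc/bind", "var"):
            path = os.path.join(root, rel)
            if os.path.isdir(path) and os.stat(path).st_uid != owner_uid:
                findings.append(f"{rel} is not owned by uid {owner_uid}")

    return findings


def build_sample_tree():
    """Constructed sample input: an incomplete chroot in a temporary directory
    (dev/null is a plain file, dev/random is absent, no syslog socket).
    Returns (root, etc_link, uid) for use with check_chroot()."""
    import tempfile
    base = tempfile.mkdtemp(prefix="bind-chroot-")
    root = os.path.join(base, "var/lib/named")
    for rel in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, rel))
    open(os.path.join(root, "dev/null"), "w").close()
    etc_link = os.path.join(base, "etc/bind")
    os.makedirs(os.path.dirname(etc_link))
    os.symlink(os.path.join(root, "etc/bind"), etc_link)
    return root, etc_link, os.getuid()


if __name__ == "__main__":
    root, link, uid = build_sample_tree()
    for finding in check_chroot(root, link, uid) or ["chroot layout OK"]:
        print(finding)
```

On a real host run `check_chroot()` with the defaults and the uid of the bind user (for example `pwd.getpwnam("bind").pw_uid`); the dev/log check only passes after syslogd or rsyslog has been restarted with the extra socket configured in the next step.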
 +
Edit /etc/default/syslogd so that syslogd also listens on a log socket inside the chroot (after chrooting, named can no longer reach /dev/log):
<code>
vim /etc/default/syslogd
</code>

Change it to:
<file>
SYSLOGD="-a /var/lib/named/dev/log"
</file>

On Lucid Lynx (Ubuntu 10.04, which ships rsyslog instead of sysklogd) do this instead:

<code>
vi /etc/rsyslog.d/bind-chroot.conf
</code>

and add the following line so that named's messages still reach the system logs:
<file>
$AddUnixListenSocket /var/lib/named/dev/log
</file>
 +
Now edit the (problematic) bind9 AppArmor profile:

<code>
vim /etc/apparmor.d/usr.sbin.named
</code>

and add the lines between the two chroot comments. AppArmor matches the paths the kernel sees, not the paths named sees after chrooting, so every file inside the chroot has to be listed with its full /var/lib/named prefix:

<file>
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # These lines are for the chroot environment
  /var/lib/named/etc/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
  /var/lib/named/etc/localtime r,
  /var/lib/named/etc/bind/named.conf r,
  /var/lib/named/etc/root.hints r,
  /var/lib/named/etc/named.run rw,
  /var/lib/named/var/run/named.pid rw,
  /var/lib/named/dev/random r,
  # chroot end
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/cache/bind/** rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  # /var/run/bind/run/named.pid w,
  # support for resolvconf
  # /var/run/bind/named.options r,
}
</file>

Note that the first chroot rule grants rw on /var/lib/named/etc/bind/*, which contradicts the read-only intent stated in the comment just above it; the profile's own comments put dynamically updated zones under /var/lib/bind, so read access is all this directory needs.
 +
Or use this profile, which only grants read access to the configuration (the zone files under etc/sites/domingo.dk are this site's own; replace them with yours):
<file>
# Last Modified: Mon Oct  6 20:46:31 2008
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/nis>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /usr/sbin/named mr,
  /var/lib/named/dev/random r,
  /var/lib/named/etc/127.0.0 r,
  /var/lib/named/etc/bind/named.conf r,
  /var/lib/named/etc/bind/rndc.key r,
  /var/lib/named/etc/localhost r,
  /var/lib/named/etc/localtime r,
  /var/lib/named/etc/named.run a,
  /var/lib/named/etc/root.hints r,
  /var/lib/named/etc/sites/domingo.dk/forward.zone r,
  /var/lib/named/etc/sites/domingo.dk/reverse.zone r,
  /var/lib/named/var/run/named.pid w,
}
</file>
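Both profiles above are hand-edited, and the difference between them is easy to miss by eye. The following script is an added example, not part of the original howto or of the AppArmor tools: it parses the file-access rules of a profile text and reports rules that grant write or append access to the configuration directory (which the first profile's own comment says should be read-only) and rules whose paths lie outside the chroot prefix, so they can be reviewed against what named opens before and after it chroots. It assumes the -t prefix /var/lib/named and the configuration directory /etc/bind (both parameters), takes paths and permission letters as written without expanding globs, and embeds the first profile from the page as its sample input.

```python
"""Added example (not part of the original howto): static audit of an
AppArmor profile for a chrooted named. Assumes the chroot prefix and the
configuration directory given below; globs are not expanded."""
import re

CHROOT = "/var/lib/named"   # the -t prefix set in /etc/default/bind9
CONFIG_DIR = "/etc/bind"    # directory holding named.conf

# A file rule: absolute path (globs allowed), whitespace, permission letters,
# trailing comma. '#include' and 'capability' lines do not match.
RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+)\s*,\s*$")

# Constructed sample input: the first profile from the howto, verbatim.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # /etc/bind should be read-only for bind
  # These lines are for the chroot environment
  /var/lib/named/etc/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
  /var/lib/named/etc/localtime r,
  /var/lib/named/etc/bind/named.conf r,
  /var/lib/named/etc/root.hints r,
  /var/lib/named/etc/named.run rw,
  /var/lib/named/var/run/named.pid rw,
  /var/lib/named/dev/random r,
  # chroot end
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/cache/bind/** rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  # /var/run/bind/run/named.pid w,
  # /var/run/bind/named.options r,
}
"""


def parse_rules(text):
    """Return [(path, perms)] for every file rule, skipping comment lines."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = RULE_RE.match(stripped)
        if match:
            rules.append((match.group(1), match.group(2)))
    return rules


def _under(path, directory):
    """True if the rule path is the directory itself or lies beneath it."""
    return path == directory or path.startswith(directory + "/")


def audit_profile(text, chroot=CHROOT, config_dir=CONFIG_DIR):
    """Report rules writing into the configuration directory (inside or
    outside the chroot) and rules whose paths are outside the chroot."""
    rules = parse_rules(text)
    config_dirs = (config_dir, chroot + config_dir)
    config_writes = [path for path, perms in rules
                     if any(_under(path, d) for d in config_dirs)
                     and set(perms) & set("wa")]
    outside_chroot = [path for path, _ in rules if not _under(path, chroot)]
    return {"rules": rules, "config_writes": config_writes,
            "outside_chroot": outside_chroot}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print("write access to configuration:", report["config_writes"])
    print("paths outside the chroot:", report["outside_chroot"])
```

Run against the first profile it flags /var/lib/named/etc/bind/* (rw) as configuration write access; the second profile produces no such finding because it grants only r under etc/bind and a only on etc/named.run. The paths it lists outside the chroot are not necessarily wrong (the binary, its libraries and /proc are opened before named chroots), but each one should be justified.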
 +
Then restart the services (on Lucid Lynx restart rsyslog instead of sysklogd):

<code>
/etc/init.d/sysklogd restart
/etc/init.d/apparmor start
/etc/init.d/bind9 start
</code>
  
howtos/bind-apparmor.txt · Last modified: d/m/Y H:i (external edit)