User Tools

Site Tools


howtos:bind-apparmor

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

howtos:bind-apparmor [d/m/Y H:i] (current)
Line 1: Line 1:
 +===== bind and chroot =====
 +
 +Install software:
 +<code>
 +apt-get install bind9
 +/etc/init.d/bind9 stop
 +/etc/init.d/apparmor stop
 +</code>
 +
 +Change bind settings to make it startup in chroot environment:
 +<code>
 +vim /etc/default/bind9
 +</code>
 +
 +Change first line to:
 +<file>
 +OPTIONS="-u bind -t /var/lib/named"
 +</file>
 +
 +Create some directories & a link to move /etc/bind to /var/lib/named/etc/bind, creating null & random devices, fixing permissions:
 +
 +<code>
 +mkdir -p /var/lib/named/etc
 +mkdir /var/lib/named/dev
 +mkdir -p /var/lib/named/var/cache/bind
 +mkdir -p /var/lib/named/var/run/bind/run
 +mv /etc/bind /var/lib/named/etc
 +ln -s /var/lib/named/etc/bind /etc/bind
 +mknod /var/lib/named/dev/null c 1 3
 +mknod /var/lib/named/dev/random c 1 8
 +chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
 +chown -R bind:bind /var/lib/named/var/*
 +chown -R bind:bind /var/lib/named/etc/bind
 +</code>
 +
 +Edit /etc/default/syslogd:
 +<code>
 +vim /etc/default/syslogd
 +</code>
 +
 +Change it to:
 +<file>
 +SYSLOGD="-a /var/lib/named/dev/log"
 +</file>
 +
 +On Lucid Lynx you need to this instead:
 +
 +<code>
 +vi /etc/rsyslog.d/bind-chroot.conf
 +</code>
 +
 +and add the following line so that we can still get important messages logged to the system logs:
 +<file>
 +$AddUnixListenSocket /var/lib/named/dev/log
 +</file>
 +
 +Now edit the (problematic) bind9 apparmor profile:
 +
 +<code>
 +vim /etc/apparmor.d/usr.sbin.named
 +</code>
 +
 +and change marked lines
 +
 +<file># vim:syntax=apparmor
 +# Last Modified: Fri Jun  1 16:43:22 2007
 +#include <tunables/global>
 +
 +/usr/sbin/named {
 +  #include <abstractions/base>
 +  #include <abstractions/nameservice>
 +
 +  capability net_bind_service,
 +  capability setgid,
 +  capability setuid,
 +  capability sys_chroot,
 +
 +  # /etc/bind should be read-only for bind
 +  # /var/lib/bind is for dynamically updated zone (and journal) files.
 +  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
 +  # See /usr/share/doc/bind9/README.Debian.gz
 +#These three lines for chroot environment
 +  /var/lib/named/etc/bind/* rw,
 +  /var/lib/named/var/run/bind/run/named.pid w,
 +  /var/lib/named/var/run/bind/named.options r,
 +  /var/lib/named/etc/localtime r,
 +  /var/lib/named/etc/bind/named.conf r,
 +  /var/lib/named/etc/root.hints r,
 +  /var/lib/named/etc/named.run rw,
 +  /var/lib/named/var/run/named.pid rw,
 +  /var/lib/named/dev/random r,
 +#chroot end
 +  /etc/bind/** r,
 +  /var/lib/bind/** rw,
 +  /var/cache/bind/** rw,
 +
 +  /proc/net/if_inet6 r,
 +  /usr/sbin/named mr,
 + # /var/run/bind/run/named.pid w,
 +  # support for resolvconf
 + # /var/run/bind/named.options r,
 +}
 +
 +</file>
 +
 +Or use this profile:
 +<file>
 +# Last Modified: Mon Oct  6 20:46:31 2008
 +#include <tunables/global>
 +/usr/sbin/named {
 +  #include <abstractions/base>
 +  #include <abstractions/nameservice>
 +  #include <abstractions/nis>
 +
 +  capability net_bind_service,
 +  capability setgid,
 +  capability setuid,
 +  capability sys_chroot,
 +
 +  /usr/sbin/named mr,
 +  /var/lib/named/dev/random r,
 +  /var/lib/named/etc/127.0.0 r,
 +  /var/lib/named/etc/bind/named.conf r,
 +  /var/lib/named/etc/bind/rndc.key r,
 +  /var/lib/named/etc/localhost r,
 +  /var/lib/named/etc/localtime r,
 +  /var/lib/named/etc/named.run a,
 +  /var/lib/named/etc/root.hints r,
 +  /var/lib/named/etc/sites/domingo.dk/forward.zone r,
 +  /var/lib/named/etc/sites/domingo.dk/reverse.zone r,
 +  /var/lib/named/var/run/named.pid w,
 +}
 +</file>
 +
 +then restart services
 +
 +/etc/init.d/sysklogd restart
 +
 +/etc/init.d/apparmor start
 +
 +/etc/init.d/bind9 start
 +
 +
 +
 +
 +
  
howtos/bind-apparmor.txt · Last modified: d/m/Y H:i (external edit)