BIND dns server directory permissions for logging

VERSION_ID="15.4"
5.14.21-150400.24.11-default x86_64
BIND 9.16.20

After upgrading from 15.3 to 15.4, BIND would not start because of directory permissions for logging. I could not find any useful information about this; all the solutions were “diddle until it works.”

The preferred logging directory (the last one):

ls -l <path>
drwxrwxr-x 1 root       users 104 Feb 25  2018 /data01/
drwxrwxr-x 1 sma-user3x users  94 Jul 17 10:46 /data01/var/
drwxrwxr-x 1 sma-user3x users 118 Jun 16  2021 /data01/var/log/
drwxrwxr-x 1 root       named 984 Jul 30 22:38 /data01/var/log/named/

Designating “/data01/var/log/named/” as the logging directory produced this when starting named:

2022-07-30T22:38:26-0700 sma-server3 named[29968]: stdio.c:27: unexpected error:
2022-07-30T22:38:26-0700 sma-server3 named[29968]: unable to convert errno to isc_result: 30: Read-only file system
2022-07-30T22:38:26-0700 sma-server3 named[29968]: isc_stdio_open '/data01/var/log/named/named.log' failed: unexpected error
2022-07-30T22:38:26-0700 sma-server3 named[29968]: configuring logging: unexpected error
2022-07-30T22:38:26-0700 sma-server3 named[29968]: loading configuration: unexpected error
2022-07-30T22:38:26-0700 sma-server3 named[29968]: exiting (due to fatal error)

named thinks the (previously just fine) directory is read-only.

The default logging directory:

ls -l <path>
drwxr-xr-x 1 root root  234 Mar 23 05:00 /var/
drwxr-xr-x 1 root root 1390 Jul 30 17:33 /var/lib/
drwxrwxr-t 1 root named 390 Jul 30 23:06 /var/lib/named/

I do not understand the permissions rules here. The only difference I see is that the working directory has “drwxrwxr-t”, and the non-working directory has “drwxrwxr-x”.

Is there documentation anywhere that describes this behavior?

Does it work after stopping apparmor?

aa-teardown

Apparmor is not an active app. It is not running.

AppArmor is not an app that is running. But if you know better anyway, I am sure you can easily solve your issue without any stupid advice.

In Leap 15.4 there are a lot of new security settings in the systemd unit. ProtectSystem=strict means most of the file system is read only. See man systemd.exec for details.


systemctl cat named 
**# /usr/lib/systemd/system/named.service**
[Unit] 
Description=Berkeley Internet Name Domain (DNS) 
After=network.target 
After=time-set.target 
Wants=nss-lookup.target 
Wants=time-set.target 

[Service] 
Type=forking 
KillMode=process 
EnvironmentFile=/etc/sysconfig/named 
ExecStartPre=+/usr/lib/bind/named.prep 
ExecStart=/usr/sbin/named -u named $NAMED_ARGS 
ExecReload=/usr/bin/kill -HUP $MAINPID 
**ProtectSystem=strict** 
**ReadWritePaths=/var/lib/named /run/named /var/log** 
PrivateDevices=yes 
PrivateTmp=yes 
ProtectHome=yes 
ProtectHostname=yes 
ProtectKernelModules=yes 
ProtectKernelTunables=yes 
ProtectKernelLogs=yes 
RestrictNamespaces=yes 
RestrictRealtime=yes 
RestrictSUIDSGID=yes
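The fix described above (extending ReadWritePaths so the sandboxed daemon can write outside the stock list) can be applied without editing the package's unit file, by putting the extra path in a drop-in. The following is an added example, not code from the thread or from the openSUSE package: it models the ReadWritePaths check by path prefix (systemd does this with bind mounts, so this is an approximation), writes the override, and shows how the merged list is reached. The directory /data01/var/log/named is the one from the post; the drop-in location /etc/systemd/system/named.service.d/override.conf is what `systemctl edit named` creates, and the functions and file names are this example's own.

```shell
#!/bin/sh
# Added example: why named fails with errno 30 under ProtectSystem=strict and
# how a drop-in extending ReadWritePaths= fixes it. Not from the thread or the
# openSUSE package; paths and helper names are this example's assumptions.

# Paths the stock Leap 15.4 unit already allows writes to (from systemctl cat named).
STOCK_RW_PATHS="/var/lib/named /run/named /var/log"

# path_under DIR PATH: true if PATH equals DIR or lies beneath it, matched on
# whole components (so /var/logs/x is NOT under /var/log).
path_under() {
    dir=${1%/}
    p=${2%/}
    [ "$p" = "$dir" ] && return 0
    case "$p" in
        "$dir"/*) return 0 ;;
    esac
    return 1
}

# rw_allowed "RWPATHS" PATH: 0 if PATH would be writable under
# ProtectSystem=strict with the given space-separated ReadWritePaths list,
# 1 if the daemon would see "Read-only file system" (errno 30) instead.
rw_allowed() {
    for d in $1; do
        if path_under "$d" "$2"; then
            return 0
        fi
    done
    return 1
}

# write_override DIR EXTRA_PATH: create DIR/override.conf adding EXTRA_PATH.
# ReadWritePaths= is additive across unit and drop-ins (see systemd.exec), so
# the stock list stays intact and only the new directory is appended.
write_override() {
    mkdir -p "$1"
    printf '[Service]\nReadWritePaths=%s\n' "$2" > "$1/override.conf"
}

# merged_rw_paths DROPIN_DIR: the stock list plus every ReadWritePaths= line
# found in the drop-in directory, mirroring how systemd merges them.
merged_rw_paths() {
    merged=$STOCK_RW_PATHS
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        extra=$(sed -n 's/^ReadWritePaths=//p' "$f")
        merged="$merged $extra"
    done
    printf '%s\n' "$merged"
}

# On a real system the sequence is:
#   write_override /etc/systemd/system/named.service.d /data01/var/log/named
#   systemctl daemon-reload && systemctl restart named
#   systemctl show named -p ReadWritePaths    # confirm the merged list
```

The stock list explains the symptom exactly: /var/lib/named and /var/log are covered, /data01/var/log/named is not, so named's open of its log file fails with EROFS even though the directory's mode bits are fine. The sticky bit on /var/lib/named is unrelated; it only restricts who may delete entries in that directory.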

Why are you offended? Is it the word “app?” Should I have said “program?”
You suggested “stopping” apparmor. That implies it may be “running,” therefore an executable entity.

That was it! Thank you.
After adding the extra path, and a “daemon-reload,” named started normally.

But it is running (or not) and it is NOT an executable running as a process.

You may be confused by the first three letters of the name AppArmor, but those were there ages before the users of hand-held computers (often called “smart-phones” by them) started using the word “app” for everything that does something they consider to be magic.

You made a change to /usr/lib/systemd/system/named.service. The preferred way of making changes is to run “systemctl edit --full named.service”. This will put the new version in the folder /etc/systemd/system.

Modify systemd unit file without altering upstream unit file