BIND dns server directory permissions for logging

5.14.21-150400.24.11-default x86_64
BIND 9.16.20

After upgrading from 15.3 to 15.4, BIND would not start because of directory permissions for logging. I could not find any useful information about this; all the solutions were “diddle until it works.”

The preferred logging directory (the last one):

```
ls -l <path>
drwxrwxr-x 1 root       users 104 Feb 25  2018 /data01/
drwxrwxr-x 1 sma-user3x users  94 Jul 17 10:46 /data01/var/
drwxrwxr-x 1 sma-user3x users 118 Jun 16  2021 /data01/var/log/
drwxrwxr-x 1 root       named 984 Jul 30 22:38 /data01/var/log/named/
```

Designating “/data01/var/log/named/” as the logging directory produced this when starting named:

```
2022-07-30T22:38:26-0700 sma-server3 named[29968]: stdio.c:27: unexpected error:
2022-07-30T22:38:26-0700 sma-server3 named[29968]: unable to convert errno to isc_result: 30: Read-only file system
2022-07-30T22:38:26-0700 sma-server3 named[29968]: isc_stdio_open '/data01/var/log/named/named.log' failed: unexpected error
2022-07-30T22:38:26-0700 sma-server3 named[29968]: configuring logging: unexpected error
2022-07-30T22:38:26-0700 sma-server3 named[29968]: loading configuration: unexpected error
2022-07-30T22:38:26-0700 sma-server3 named[29968]: exiting (due to fatal error)
```

named thinks the (previously just fine) directory is read-only.

The default logging directory:

```
ls -l <path>
drwxr-xr-x 1 root root  234 Mar 23 05:00 /var/
drwxr-xr-x 1 root root 1390 Jul 30 17:33 /var/lib/
drwxrwxr-t 1 root named 390 Jul 30 23:06 /var/lib/named/
```

I do not understand the permissions rules here. The only difference I see is that the working directory has “drwxrwxr-t” and the non-working directory has “drwxrwxr-x”.

Is there documentation anywhere that describes this behavior?

Does it work after stopping apparmor?

Apparmor is not an active app. It is not running.

AppArmor is not an app that is running. But if you know better anyway, I am sure you can easily solve your issue without any stupid advice.

In Leap 15.4 there are a lot of new security settings in the systemd unit. ProtectSystem=strict means most of the file system is read only. See man systemd.exec for details.

```
systemctl cat named
# /usr/lib/systemd/system/named.service
Description=Berkeley Internet Name Domain (DNS)

ExecStart=/usr/sbin/named -u named $NAMED_ARGS
ExecReload=/usr/bin/kill -HUP $MAINPID
ReadWritePaths=/var/lib/named /run/named /var/log
```

Why are you offended? Is it the word “app?” Should I have said “program?”
You suggested “stopping” apparmor. That implies it may be “running,” therefore an executable entity.

That was it! Thank you.
After adding the extra path, and a “daemon-reload,” named started normally.

But it is running (or not) and it is NOT an executable running as a process.

You may be confused by the first three letters of the name Apparmor, but those were there ages before the users of hand-held computers (often called “smart-phones” by them) started using the word “app” for everything that does something they consider magic.

You made a change to /usr/lib/systemd/system/named.service. The preferred way of making changes is running “systemctl edit --full named.service”. This will put the new version in folder /etc/systemd/system.
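As an added illustration (not from any poster in this thread, nor from the openSUSE package), the override can be kept even smaller than a full copy of the unit: `systemctl edit named.service` without `--full` opens a drop-in at `/etc/systemd/system/named.service.d/override.conf`, and since `ReadWritePaths=` accumulates across the upstream unit and its drop-ins (see man systemd.exec), the drop-in only needs the one extra path. The upstream file in /usr/lib/systemd/system stays untouched and keeps its `/var/lib/named /run/named /var/log` entries. The `/data01/var/log/named` path is the logging directory from the original post.

```ini
# /etc/systemd/system/named.service.d/override.conf
# Added example drop-in, created with: systemctl edit named.service
# With the ProtectSystem=strict hardening described above, every
# directory named must write to needs a ReadWritePaths= entry.
[Service]
# Accumulates with the upstream
#   ReadWritePaths=/var/lib/named /run/named /var/log
# rather than replacing it. Grant only the log directory itself,
# not /data01, so the rest of that volume stays read-only for named.
ReadWritePaths=/data01/var/log/named
```

`systemctl edit` reloads the daemon on save; a manual `systemctl daemon-reload` is needed only if the file is written by hand. The effective list can be checked before restarting with `systemctl show named.service -p ReadWritePaths`, which should now list the upstream paths plus /data01/var/log/named.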

Modify systemd unit file without altering upstream unit file