OK, fixed. Interesting, that AppArmor stuff; I don't know if it makes much sense to chroot and use AppArmor at the same time ... guess there's no harm either...
So, for completeness, the complete procedure here
(all as root; if you don't use/have root, start every line with sudo)
Code:
# install bind9, then stop it and apparmor before moving anything around
apt-get install bind9
/etc/init.d/bind9 stop
/etc/init.d/apparmor stop
vim /etc/default/bind9
and change the first line to
Code:
OPTIONS="-u bind -t /var/lib/named"
Create some directories and a link to move /etc/bind to /var/lib/named/etc/bind, create the null and random devices, and fix permissions:
Code:
# directory skeleton of the chroot
mkdir -p /var/lib/named/etc
mkdir -p /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
# move the real config into the chroot and leave a symlink at the old place
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
# named needs /dev/null and /dev/random inside the chroot
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
# everything named writes to must belong to the bind user
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
Edit /etc/default/syslogd
Code:
vim /etc/default/syslogd
and set
Code:
SYSLOGD="-a /var/lib/named/dev/log"
Now edit the bind9 AppArmor profile
Code:
vim /etc/apparmor.d/usr.sbin.named
and change the marked lines.
UPDATED:
Code:
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # Dynamic updates need zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest -> moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,

  # AppArmor matches host paths, so the cache dir is also under the chroot
  /var/lib/named/var/cache/bind/* rw,
  # /var/cache/bind/* rw,

  /var/lib/named/var/run/bind/run/named.pid w,
  # /var/run/bind/run/named.pid w,

  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  # /var/run/bind/named.options r,

  # also add the following lines, thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}
If you happen to put your local zones in a subdirectory, e.g. of /etc/bind, don't forget to add all of those dirs to the AppArmor file.
Code:
/var/lib/named/etc/bind/zones/* rw,
/var/lib/named/etc/bind/zones/external/* rw,
/var/lib/named/etc/bind/zones/internal/* rw,
Then restart the services
Code:
/etc/init.d/sysklogd restart
/etc/init.d/apparmor start
/etc/init.d/bind9 start
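Added sanity-check script (my addition, not part of the post above): it verifies that the chroot created by the procedure has the expected directories, device nodes, ownership and /etc/bind symlink, and it scans the AppArmor profile for file rules that still name paths as named sees them inside the chroot (e.g. /var/cache/bind/*) instead of as the host sees them (/var/lib/named/var/cache/bind/*), which is the mistake that silently leaves a rule without effect. The paths (/var/lib/named, user bind, /etc/bind, /etc/apparmor.d/usr.sbin.named) are defaults taken from the post and can be overridden on the command line.

```shell
#!/bin/sh
# Sanity checks for a chrooted bind9 + AppArmor layout (added example, not from
# the original post). Defaults mirror the post: /var/lib/named, user bind,
# /etc/bind symlink, /etc/apparmor.d/usr.sbin.named.

# check_bind_chroot ROOT [USER] [LINK]
# Prints one line per problem; the return value is the number of problems (0 = OK).
check_bind_chroot() {
    root="${1:-/var/lib/named}"
    user="${2:-bind}"
    link="${3:-/etc/bind}"
    problems=0

    # directory skeleton the mkdir steps create
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; problems=$((problems + 1)); }
    done

    # named needs /dev/null and /dev/random as character devices inside the chroot
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || { echo "missing character device: $root/dev/$dev"; problems=$((problems + 1)); }
    done

    # the host's /etc/bind must be the symlink into the chroot, not a leftover directory
    if [ ! -L "$link" ]; then
        echo "$link is not a symlink into the chroot"; problems=$((problems + 1))
    fi

    # everything under etc/bind and var must belong to the bind user (chown -R steps)
    if id -u "$user" >/dev/null 2>&1; then
        wrong=$(find "$root/etc/bind" "$root/var" ! -user "$user" 2>/dev/null | wc -l)
        if [ "$wrong" -gt 0 ]; then
            echo "$wrong path(s) under $root not owned by $user"; problems=$((problems + 1))
        fi
    else
        echo "user $user does not exist"; problems=$((problems + 1))
    fi

    return "$problems"
}

# profile_rules_outside_chroot PROFILE [ROOT]
# AppArmor mediates host paths, so every file rule in the named profile has to
# use the path as seen from the host. Prints every path rule that is neither
# below ROOT, the named binary itself, nor under /proc; returns their number.
profile_rules_outside_chroot() {
    profile="$1"
    root="${2:-/var/lib/named}"
    count=0
    # read strips the indentation; comments, #include, capability lines and
    # braces never start with '/', so only path rules are inspected
    while read -r line; do
        case "$line" in
            /*) ;;
            *) continue ;;
        esac
        path="${line%% *}"
        case "$path" in
            "$root"/*|/usr/sbin/named|/proc/*) ;;
            *) echo "rule outside chroot: $line"; count=$((count + 1)) ;;
        esac
    done < "$profile"
    return "$count"
}

# Usage: sh check_bind_chroot.sh /var/lib/named bind /etc/bind /etc/apparmor.d/usr.sbin.named
if [ "$#" -gt 0 ]; then
    check_bind_chroot "$1" "${2:-bind}" "${3:-/etc/bind}"
    profile_rules_outside_chroot "${4:-/etc/apparmor.d/usr.sbin.named}" "$1"
fi
```

Run it as root after the restart step; a non-zero exit from either function together with the printed lines tells you which step of the procedure was skipped or which profile rule still points at the pre-chroot path.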