On 11-02-19 at 23:49, Bernhard Schmidt wrote:
> On 11.02.19 at 23:32, Paul van der Vlis wrote:
>
> Hi Paul,
>
> please keep the Bug CCed...

Ah, sorry.

>>>> I upgraded from Debian9 to Debian10 (testing). After this, bind did not
>>>> start. Syslog says it's AppArmor (see syslog below).
>>>>
>>>> A workaround is "aa-complain /usr/sbin/named".
>>>> You need the package apparmor-utils for that.
>>>
>>> Are you using "allow-new-zones" in your bind configuration?
>>
>> Yes.
>>
>>> Does adding
>>>
>>> /var/cache/bind/_default.nzd.lock rwk,
>>
>> With " rwk," at the end?
>
> Yes, that means "read write lock", which according to the log you showed
> was the denied operation.
>
>> When I do "aa-enforce /usr/sbin/named", then I cannot start Bind9 anymore.
>
> Please show the aa denials from your syslog in this case.

See below. No string with "apparmor" found, but when I run "aa-complain
/usr/sbin/named" it works again.

> I'll try to reproduce ASAP as well.

;-)

Paul

----------
Feb 11 23:55:14 server named[23092]: mdb_env_open of '_default.nzd' failed: Permission denied
Feb 11 23:55:14 server named[23092]: loading configuration: failure
Feb 11 23:55:14 server named[23092]: exiting (due to fatal error)
Feb 11 23:55:14 server systemd[1]: bind9.service: Control process exited, code=exited, status=1/FAILURE
Feb 11 23:55:14 server systemd[1]: bind9.service: Failed with result 'exit-code'.
Feb 11 23:55:14 server systemd[1]: Failed to start BIND Domain Name Server.
-----------

root@server:~# ls -l /var/cache/bind/_default.nzd
-rw------- 1 bind bind 32768 feb 7 12:39 /var/cache/bind/_default.nzd

-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/