我试图在Linux系统pipe理(Adelstein&Lubanovic)中讨论过,在一个Ubuntu机器上,在chroot监狱里运行bind9。 命令“sudo /etc/init.d/bind9 start”在syslog中生成错误:
Jun 27 13:39:48 doli named[12418]: starting BIND 9.5.1-P2 -u bind -t /var/lib/named . . . Jun 27 13:39:48 doli named[12418]: loading configuration from '/etc/bind/named.conf' Jun 27 13:39:48 doli named[12418]: none:0: open: /etc/bind/named.conf: permission denied Jun 27 13:39:48 doli named[12418]: loading configuration: permission denied Jun 27 13:39:48 doli named[12418]: exiting (due to fatal error) Jun 27 13:39:48 doli kernel: [426157.438173] type=1503 audit(1246124388.753:33): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=105 name="/var/lib/named/etc/bind/named.conf" pid=12419 profile="/usr/sbin/named" 服务器configuration如下:
系统日志表明,问题是bind9的进程所有者不能读取configuration文件,但它以root身份启动,并重置为绑定,其中任何一个我都认为应该能够读取configuration。
我在这里错过了什么?
编辑:哎呀,AppArmor,而不是SELinux …
看看/etc/apparmor.d/usr.sbin.named
有一个部分看起来像这样:
/etc/bind/** r, /var/lib/bind/** rw, /var/lib/bind/ rw, /var/cache/bind/** rw, /var/cache/bind/ rw,
我build议事后添加(或者用这个replace):
/var/lib/named/etc/bind/** r, /var/lib/named/var/lib/bind/** rw, /var/lib/named/var/lib/bind/ rw, /var/lib/named/var/cache/bind/** rw, /var/lib/named/var/cache/bind/ rw,