BIND DNS server - permission denied
Today I tried to change the log directory for my new BIND DNS server daemon to /var/log/bind with this bind9 config statement:
/etc/bind/named.conf
logging {
    channel "queries_logging" {
        file "/var/log/bind/queries_logging.log" versions 4 size 20m;
        severity info;
        print-time 1;
        print-severity 1;
        print-category 1;
    };
    category queries { "queries_logging"; };
};
Reloading the configuration with rndc reload failed with this error:
root@ns-dmz:/var/log/bind# rndc reload
rndc: 'reload' failed: permission denied
The systemctl command shows more details:
root@ns-dmz:/var/log/bind# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-03-04 14:09:36 CET; 13s ago
Docs: man:named(8)
Process: 1046 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=1/FAILURE)
Tasks: 0 (limit: 2358)
Memory: 500.0K
CGroup: /system.slice/bind9.service
Mar 04 14:09:36 ns-dmz named[1047]: command channel listening on 127.0.0.1#953
Mar 04 14:09:36 ns-dmz named[1047]: configuring command channel from '/etc/bind/rndc.key'
Mar 04 14:09:36 ns-dmz named[1047]: command channel listening on ::1#953
Mar 04 14:09:36 ns-dmz named[1047]: isc_stdio_open '/var/log/bind/queries_logging.log' failed: permission denied
Mar 04 14:09:36 ns-dmz named[1047]: configuring logging: permission denied
Mar 04 14:09:36 ns-dmz systemd[1]: bind9.service: Control process exited, code=exited, status=1/FAILURE
Mar 04 14:09:36 ns-dmz named[1047]: loading configuration: permission denied
Mar 04 14:09:36 ns-dmz systemd[1]: bind9.service: Failed with result 'exit-code'.
Mar 04 14:09:36 ns-dmz named[1047]: exiting (due to fatal error)
Mar 04 14:09:36 ns-dmz systemd[1]: Failed to start BIND Domain Name Server.
And cat /var/log/syslog shows that the problem is in the AppArmor configuration:
root@ns-dmz:/var/log/bind# cat /var/log/syslog
...
Mar 4 14:09:36 ns-dmz named[1047]: configuring command channel from '/etc/bind/rndc.key'
Mar 4 14:09:36 ns-dmz kernel: [ 5334.203179] audit: type=1400 audit(1583327376.725:35): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/queries_logging.log" pid=1047 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=110 ouid=110
...
Solution
The problem is the AppArmor security module: the profile for named only allows writing under /var/log/named/. Open the /etc/apparmor.d/usr.sbin.named file and you can see this config:
/etc/apparmor.d/usr.sbin.named
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
So you have two solutions.
Either change your BIND log directory to /var/log/named, or extend the /etc/apparmor.d/usr.sbin.named AppArmor profile to cover your new BIND log directory:
/etc/apparmor.d/usr.sbin.named
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
# /var/log/named/** rw,
# /var/log/named/ rw,
/var/log/bind/** rw,
/var/log/bind/ rw,
As the last step, restart the AppArmor module with systemctl restart apparmor.service or with /etc/init.d/apparmor restart, and change the ownership of your log directory and files to the bind user.
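As an added example (not code from the original post), the shell snippet below parses the apparmor="DENIED" audit line from the syslog excerpt above and derives the profile rule that the denial is actually asking for, so a proposed fix can be checked against the real denial instead of guessed; the sample line is a constructed copy of the one in the post, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses an AppArmor
# apparmor="DENIED" audit line and derives the minimal profile rule that
# would satisfy it. Function names are this example's own.

# Constructed sample: a copy of the denial line from the syslog excerpt.
SAMPLE_DENIAL='Mar  4 14:09:36 ns-dmz kernel: [ 5334.203179] audit: type=1400 audit(1583327376.725:35): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/queries_logging.log" pid=1047 comm="isc-worker0000" requested_mask="ac" denied_mask="ac" fsuid=110 ouid=110'

# Print the value of one key="value" field of an audit line.
# $1 = audit line, $2 = key (e.g. name, profile, denied_mask)
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# Map a denied_mask such as "ac" to profile permission letters.
# In profile syntax 'w' covers write, append ('a') and create ('c'),
# so a denial of "ac" needs only 'w', not the broader 'rw'.
mask_to_perms() {
    r=; w=
    case "$1" in *r*) r=r ;; esac
    case "$1" in *[wac]*) w=w ;; esac
    printf '%s%s\n' "$r" "$w"
}

# Build the rule for the directory that contains the denied path,
# in the same "/dir/** perms," form the profile already uses.
rule_for_denial() {
    path=$(audit_field "$1" name)
    mask=$(audit_field "$1" denied_mask)
    printf '%s/** %s,\n' "$(dirname "$path")" "$(mask_to_perms "$mask")"
}

# Exit 0 if the profile file already has a "/dir/** ..." rule for $2.
# $1 = profile file, $2 = directory without trailing slash
profile_covers_dir() {
    grep -q "^[[:space:]]*$2/\*\* " "$1"
}

# Show what the denial from the post translates to.
echo "profile: $(audit_field "$SAMPLE_DENIAL" profile)"
echo "needed rule: $(rule_for_denial "$SAMPLE_DENIAL")"
```

The same line also carries fsuid=110 ouid=110, i.e. the log file was already owned by the uid named runs as, which is why in this case only the AppArmor rule was missing and not the ownership change.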