[Pkg-dns-devel] Bug#884995: Bug#884995: bind9 doesn't start after upgrade. Complains /var/log/bind.log permission denied

nb nb at dagami.org
Fri Dec 22 16:39:59 UTC 2017


In fact I had these lines in /etc/bind/named.conf.options for logging purposes:
logging {
       channel "requetes" {
               file "/var/log/bind.log" size 10m;
               print-time yes;
               print-category yes;
       };
       category queries { "requetes"; };
       category resolver { null; };
};

After removing them bind can start.
There’s no need to keep the critical level, or even to keep the bug open.
I’m going to read the docs to see how logging can be done now. I did this a long time ago.

Thanks

> On 22 Dec 2017, at 17:34, nb <nb at dagami.org> wrote:
> 
> Hi Bernhard,
> 
>> On 22 Dec 2017, at 17:20, Bernhard Schmidt <berni at debian.org> wrote:
>> 
>> On 22.12.2017 at 16:51, Noury wrote:
>> 
>> Hello Noury,
>> 
>> thanks for your report.
>> 
>>> When starting bind9, I have error messages and bind doesn't start
>>> Other packages are unusable because they need it (ex exim4 as it's my MTA)
>>> Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' failed: permission denied
>>> Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' failed: permission denied
>>> Dec 22 16:28:39 colibri named[26358]: configuring logging: permission denied
>> [...]
>>> Dec 22 16:28:39 colibri kernel: [288377.634631] audit: type=1400 audit(1513956519.915:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/log/bind.log" pid=26358 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
>>> Dec 22 16:28:39 colibri systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
>>> Dec 22 16:28:39 colibri systemd[1]: bind9.service: Failed with result 'exit-code'.
>> 
>> named does not log to /var/log/bind.log by default, is this somewhere in
>> your configuration ("grep /var/log/bind.log /etc/bind/*")? AppArmor
>> policy for named forbids writing logfiles except for /var/log/named/
> 
> grep gives:
> /etc/bind/named.conf.options:		file "/var/log/bind.log" size 10m;
> 
>> 
>> # some people like to put logs in /var/log/named/ instead of having
>> # syslog do the heavy lifting.
>> /var/log/named/** rw,
>> /var/log/named/ rw,
>> 
>> Please check the AppArmor documentation in the Debian Wiki
>> (https://wiki.debian.org/AppArmor) on how to allow custom paths in the
>> AppArmor profile.
> 
> I’m going to read this.
> Do you have an idea why this began two days ago?
> I’ve been informed by monitoring on the secondary DNS. Zones have not been transferred for two days.
> 
> Noury
> 
>> 
>> Bernhard
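
The check discussed in this thread, as an added example that is not part of the original messages or of the Debian package: it compares the `file` paths in a named logging block against the write rules quoted from the AppArmor profile, and parses the audit denial. The glob handling is a simplified assumption (`**` crosses `/`, `*` does not), the function names are hypothetical, and the "ok" channel is a constructed sample.

```python
import re

# Rules quoted in the thread from the AppArmor profile for named.
PROFILE_RULES = """
/var/log/named/** rw,
/var/log/named/ rw,
"""
# Constructed sample: the reporter's channel plus a hypothetical one under /var/log/named/.
LOGGING_BLOCK = '''
logging {
    channel "requetes" { file "/var/log/bind.log" size 10m; };
    channel "ok" { file "/var/log/named/queries.log" size 10m; };
};
'''
# Denial line from the thread (syslog and kernel timestamp prefix trimmed).
AUDIT_LINE = ('audit: type=1400 audit(1513956519.915:16): apparmor="DENIED" '
              'operation="mknod" profile="/usr/sbin/named" name="/var/log/bind.log" '
              'pid=26358 comm="isc-worker0000" requested_mask="c" denied_mask="c"')

def glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex (simplified: only * and **)."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def writable_rules(profile_text):
    """Return compiled patterns for path rules whose permission string includes w."""
    rules = []
    for line in profile_text.splitlines():
        m = re.match(r"\s*(/\S*)\s+([a-zA-Z]+),", line)
        if m and "w" in m.group(2):
            rules.append(glob_to_regex(m.group(1)))
    return rules

def blocked_log_files(logging_text, rules):
    """List log file paths in a logging block that no write rule covers."""
    paths = re.findall(r'\bfile\s+"([^"]+)"', logging_text)
    return [p for p in paths if not any(r.match(p) for r in rules)]

def parse_denial(line):
    """Return the quoted key="value" fields of an AppArmor DENIED line, else None."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" else None

if __name__ == "__main__":
    print(blocked_log_files(LOGGING_BLOCK, writable_rules(PROFILE_RULES)))
    print(parse_denial(AUDIT_LINE)["name"])
```

Pass only the logging block to `blocked_log_files`, since zone statements also use `file` with paths that are not log files.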


