[Pkg-dns-devel] Bug#884995: Bug#884995: bind9 doesn't start after upgrade. Complains /var/log/bind.log permission denied

[nb]

Hi Bernhard,

> Le 22 déc. 2017 à 17:20, Bernhard Schmidt <berni at debian.org> a écrit :
> 
> Am 22.12.2017 um 16:51 schrieb Noury:
> 
> Hello Noury,
> 
> thanks for your report.
> 
>> When starting bind9, I have error messages and bind doesn't start> Other packages are unusable because they need it (ex exim4 as it's my MTA)
>> Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' failed: permission denied
>> Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' failed: permission denied
>> Dec 22 16:28:39 colibri named[26358]: configuring logging: permission denied
> [...]
>> Dec 22 16:28:39 colibri kernel: [288377.634631] audit: type=1400 audit(1513956519.915:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/log/bind.log" pid=26358 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
>> Dec 22 16:28:39 colibri systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
>> Dec 22 16:28:39 colibri systemd[1]: bind9.service: Failed with result 'exit-code'.
> 
> named does not log to /var/log/bind.log by default, is this somewhere in
> your configuration ("grep /var/log/bind.log /etc/bind/*")? AppArmor
> policy for named forbids writing logfiles except for /var/log/named/

grep gives:
/etc/bind/named.conf.options:		file "/var/log/bind.log" size 10m;

> 
>  # some people like to put logs in /var/log/named/ instead of having
>  # syslog do the heavy lifting.
>  /var/log/named/** rw,
>  /var/log/named/ rw,
> 
> Please check the AppArmor documentation in the Debian Wiki
> (https://wiki.debian.org/AppArmor) on how to allow custom paths in the
> AppArmor profile.

I’m going to read this.
Do you have an idea why this begun two days ago.
I’ve been informed by a monitoring on secondary dns. Zones have not been transferred fir two days.

Noury

> 
> Bernhard