Applicable to:
- Plesk for Linux
Symptoms
-
Unable to start bind9
-
Errors like the following in the system log
/var/log/syslog:CONFIG_TEXT: named[8362]: loading configuration from '/etc/named.conf'
named[8362]: open: /etc/named.conf: permission denied
named[8362]: loading configuration: permission denied
named[8362]: exiting (due to fatal error)
kernel: [34074.383056] type=1400 audit(1494212104.678:254): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/named/run-root/etc/named.conf" pid=8363 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Cause
AppArmor prevent bind9/named from reading DNS server configuration files
Resolution
-
Connect to the server via SSH
-
Edit file
/etc/apparmor.d/local/usr.sbin.namedfile in any text editor -
Add the following into
/etc/apparmor.d/local/usr.sbin.namedfile:CONFIG_TEXT: /var/named/run-root/** rwm,
-
Ensure that
include <local/usr.sbin.named>directive is not commented with#in/etc/apparmor.d/usr.sbin.named# tail -3 /etc/apparmor.d/usr.sbin.named
# Site-specific additions and overrides. See local/README for details.
include <local/usr.sbin.named>
} -
Reload AppArmor:
# systemctl reload apparmor
-
Start bind9 service:
# systemctl restart bind9
Comments
The better solution is
I've been googling but didn't find this... Until I started opening an issue and used the support's search engine. Instead I found the solution on my own, losing an hour.
But... if the issue is known, why isn't it fixed natively? Couldn't Plesk tweak Apparmor itself upon setting up the chroot version of named?
Please sign in to leave a comment.