Posted on

How to allow Named/bind9 to write to other directory that blocked by Apparmor

My slave dns server returned error while I tried to add another domain, below example of the error.

kernel: [1239217.411031] type=1503 audit(1309700303.423:12381):
operation="mknod" pid=1692 parent=1 profile="/usr/sbin/named"
requested_mask="c::" denied_mask="c::" fsuid=109 ouid=109
name="/etc/bind/db/in/tmp-ImzPls04Rk"

That’s because named aren’t allowed to write to directory /etc/bind/db/in. To solve this issue, open apparmor profile of named (/etc/apparmor.d/usr.sbin.named), add this line right after ‘/etc/bind/** r,‘ :

/etc/bind/db/** rw,

Restart the apparmor and then restart named.

requested_mask=c:: denied_mask=c::, /etc/apparmor d/usr sbin named, apparmor mknod, requested_mask=c denied_mask=c, profile=/usr/sbin/named requested_mask=c:: denied_mask=c::, denied_mask=c::, apparmor requested_mask c, requested_mask=c::, apparmor requested_mask=c, apparmor bind9