Dear list:

I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to upgrade bind from 9.11.3+dfsg-1ubuntu1.15 (the current version for bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1 (I needed to use the validate-except clause and this new version supports it).

After the upgrade, attempting to start the named service failed with this error:

  Jun 3 22:03:53 top named[19946]: could not configure root hints from '/usr/share/dns/root.hints': permission denied

Right below that, apparmor logs this:

  Jun 3 22:03:53 top kernel: [17981.067014] audit: type=1400 audit(1622768633.158:559): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0

What's puzzling is that the apparmor profile apparently allows the read @ line 36:

  find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
  /etc/apparmor.d/usr.sbin.named:36:  /usr/share/dns/root.* r,

  dpkg -S /etc/apparmor.d/usr.sbin.named
  bind9: /etc/apparmor.d/usr.sbin.named

  apt-cache policy bind9
  bind9:
    Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
    Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
    Version table:
   *** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
          500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status
       1:9.11.3+dfsg-1ubuntu1.15 500
          500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       1:9.11.3+dfsg-1ubuntu1 500
          500 http://mirrors.us.kernel.org/ubuntu bionic/main amd64 Packages

Although the error appears not to be related to file perms, here it is for completeness:

  ls -la /usr/share/dns
  total 28
  drwxr-xr-x   2 root root    55 dic 13  2019 .
  drwxr-xr-x 457 root root 12288 jun  3 21:44 ..
  -rw-r--r--   1 root root   166 feb  1  2018 root.ds
  -rw-r--r--   1 root root  3315 feb  1  2018 root.hints
  -rw-r--r--   1 root root   864 feb  1  2018 root.key

It helped me to find a previous report at https://lists.isc.org/pipermail/bind-users/2020-July/103454.html, and then I ended up solving the problem as Brett did there, by copying /usr/share/dns to /etc/bind/dns and changing the zone definition.

Still, I am reporting this in case it's affecting someone else, and because maybe you guys have an idea as to what's going on with apparmor here? I'm not very knowledgeable in it and would appreciate any info / help to solve the root cause (and maybe learn something).

Thanks in advance

full log:

  Jun 3 22:03:53 top systemd[1]: Started BIND Domain Name Server.
  Jun 3 22:03:53 top named[19946]: starting BIND 9.16.16-Ubuntu (Stable Release) <id:0c314d8>
  Jun 3 22:03:53 top named[19946]: running on Linux x86_64 5.6.7-050607-generic #202004230933 SMP Thu Apr 23 09:35:28 UTC 2020
  Jun 3 22:03:53 top named[19946]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-suAN9q/bind9-9.16.16=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
  Jun 3 22:03:53 top named[19946]: running as: named -f -u bind
  Jun 3 22:03:53 top named[19946]: compiled by GCC 7.5.0
  Jun 3 22:03:53 top named[19946]: compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
  Jun 3 22:03:53 top named[19946]: linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
  Jun 3 22:03:53 top named[19946]: compiled with libxml2 version: 2.9.4
  Jun 3 22:03:53 top named[19946]: linked to libxml2 version: 20904
  Jun 3 22:03:53 top named[19946]: compiled with json-c version: 0.12.1
  Jun 3 22:03:53 top named[19946]: linked to json-c version: 0.12.1
  Jun 3 22:03:53 top named[19946]: compiled with zlib version: 1.2.11
  Jun 3 22:03:53 top named[19946]: linked to zlib version: 1.2.11
  Jun 3 22:03:53 top named[19946]: ----------------------------------------------------
  Jun 3 22:03:53 top named[19946]: BIND 9 is maintained by Internet Systems Consortium,
  Jun 3 22:03:53 top named[19946]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
  Jun 3 22:03:53 top named[19946]: corporation. Support and training for BIND 9 are
  Jun 3 22:03:53 top named[19946]: available at https://www.isc.org/support
  Jun 3 22:03:53 top named[19946]: ----------------------------------------------------
  Jun 3 22:03:53 top named[19946]: adjusted limit on open files from 4096 to 1048576
  Jun 3 22:03:53 top named[19946]: found 12 CPUs, using 12 worker threads
  Jun 3 22:03:53 top named[19946]: using 12 UDP listeners per interface
  Jun 3 22:03:53 top named[19946]: using up to 21000 sockets
  Jun 3 22:03:53 top named[19946]: loading configuration from '/etc/bind/named.conf'
  Jun 3 22:03:53 top named[19946]: reading built-in trust anchors from file '/etc/bind/bind.keys'
  Jun 3 22:03:53 top named[19946]: looking for GeoIP2 databases in '/usr/share/GeoIP'
  Jun 3 22:03:53 top named[19946]: using default UDP/IPv4 port range: [32768, 60999]
  Jun 3 22:03:53 top named[19946]: using default UDP/IPv6 port range: [32768, 60999]
  Jun 3 22:03:53 top named[19946]: listening on IPv4 interface lo, 127.0.0.1#53
  Jun 3 22:03:53 top named[19946]: generating session key for dynamic DNS
  Jun 3 22:03:53 top named[19946]: sizing zone task pool based on 25 zones
  Jun 3 22:03:53 top named[19946]: could not configure root hints from '/usr/share/dns/root.hints': permission denied
  Jun 3 22:03:53 top named[19946]: loading configuration: permission denied
  Jun 3 22:03:53 top named[19946]: exiting (due to fatal error)
  Jun 3 22:03:53 top kernel: [17981.067013] kauditd_printk_skb: 24 callbacks suppressed
  Jun 3 22:03:53 top kernel: [17981.067014] audit: type=1400 audit(1622768633.158:559): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
  Jun 3 22:03:53 top systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
  Jun 3 22:03:53 top systemd[1]: named.service: Failed with result 'exit-code'.
  Jun 3 22:03:53 top systemd[1]: named.service: Service hold-off time over, scheduling restart.
  Jun 3 22:03:53 top systemd[1]: named.service: Scheduled restart job, restart counter is at 1.
  Jun 3 22:03:53 top systemd[1]: Stopped BIND Domain Name Server.
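The puzzle in the post is a DENIED audit record for a path that the profile text on disk appears to allow. The script below is an added example (not part of the original post, and not code from the BIND or AppArmor projects) that does the first triage step mechanically: it parses a kernel audit line into its key=value fields, extracts the plain file rules from an AppArmor profile, matches the denied path against each rule's glob using AppArmor's semantics (`*` stops at `/`, `**` crosses it, `owner` rules only apply when fsuid equals ouid), and reports whether any on-disk rule would have permitted the denied mode. The audit line is the one quoted in the post; the profile excerpt is constructed except for the `/usr/share/dns/root.* r,` rule that the post's grep output shows at line 36. Variables (`@{...}`) and character classes are not handled, which is an assumption of this example, not an AppArmor limitation.

```python
"""Triage AppArmor DENIED audit lines against the on-disk profile text."""
import re

# key="quoted value" or key=bareword, as the audit subsystem emits them
_AUDIT_FIELD = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
# plain file rule: optional "owner" qualifier, absolute path glob, perms, comma
_FILE_RULE = re.compile(r'^\s*(owner\s+)?(/\S+)\s+([A-Za-z]+)\s*,\s*$')

# Kernel audit record copied verbatim from the post.
POST_DENIAL = ('audit: type=1400 audit(1622768633.158:559): apparmor="DENIED" '
               'operation="open" profile="/usr/sbin/named" '
               'name="/usr/share/dns/root.hints" pid=19946 comm="isc-worker0000" '
               'requested_mask="r" denied_mask="r" fsuid=129 ouid=0')

# Constructed profile excerpt: only the root.* rule is taken from the post.
PROFILE_EXCERPT = """\
/usr/sbin/named {
  #include <abstractions/base>
  capability net_bind_service,
  /etc/bind/** r,
  /usr/share/dns/root.* r,
  owner /var/cache/bind/** lrw,
  /usr/sbin/named mr,
}
"""


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    fields = {}
    for m in _AUDIT_FIELD.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def aa_glob_to_regex(pattern):
    """Compile an AppArmor path glob: '*' and '?' do not cross '/', '**' does,
    {a,b} is a literal alternation. Anything else is matched literally."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '*':
            if pattern.startswith('**', i):
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            close = pattern.index('}', i)
            alts = pattern[i + 1:close].split(',')
            out.append('(?:' + '|'.join(re.escape(a) for a in alts) + ')')
            i = close
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_file_rules(profile_text):
    """Extract (owner_only, glob, perms, line_no) for each plain file rule."""
    rules = []
    for n, line in enumerate(profile_text.splitlines(), 1):
        m = _FILE_RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), m.group(2), set(m.group(3)), n))
    return rules


def find_allowing_rules(fields, rules):
    """Rules whose glob matches the denied path and whose permissions cover
    every denied mode; 'owner' rules count only when fsuid == ouid."""
    path = fields.get('name', '')
    denied = set(fields.get('denied_mask', ''))
    is_owner = fields.get('fsuid') == fields.get('ouid')
    hits = []
    for owner_only, glob, perms, line_no in rules:
        if owner_only and not is_owner:
            continue
        if aa_glob_to_regex(glob).match(path) and denied <= perms:
            hits.append((glob, line_no))
    return hits


def triage(audit_line, profile_text):
    """Decide whether the on-disk profile text would have allowed the access."""
    fields = parse_audit_line(audit_line)
    if fields.get('apparmor') != 'DENIED':
        return {'verdict': 'not_a_denial'}
    hits = find_allowing_rules(fields, parse_file_rules(profile_text))
    return {'verdict': 'on_disk_profile_allows' if hits else 'no_matching_rule',
            'profile': fields.get('profile'), 'path': fields.get('name'),
            'denied': fields.get('denied_mask'), 'matching_rules': hits}


if __name__ == '__main__':
    for key, value in triage(POST_DENIAL, PROFILE_EXCERPT).items():
        print(f'{key}: {value}')
```

When the verdict is `on_disk_profile_allows`, the file on disk is not the problem, and the remaining question is whether the kernel is enforcing the same text: compare the loaded profile with `aa-status` and reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` before retrying the service. When the verdict is `no_matching_rule`, the rule itself needs extending (or the files belong elsewhere, which is what the workaround in the post does), and the `owner` handling shows one easy way to be fooled: a rule that looks right can still be skipped when the file is owned by root but the daemon runs as another uid, exactly the `fsuid=129 ouid=0` situation in the audit line.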