Old 08-12-2012, 08:19 PM
Glenn English
 
DNS/apparmor problem

Lenny, updated until the end.

I started having lots of errors like "refresh: could not set file modification time of '/etc/bind/XXXXX': permission denied" in syslog from bind9. I found some talking about this at a Ubuntu site, and a little more in README.Debian. And there's an apparmor.d/usr.sbin.named file in /etc. The Ubuntu site tells me that I need to do something to it with a program called aa-complain.

As far as I can tell, there's not supposed to be any apparmor on Debian until wheezy. Man/apropos says nothing about anything having to do with apparmor, I can't find anything that looks like bind9 is using it, and there is no aa-complain on the computer. Just the named profile file in /etc. But somehow, it's significantly bent bind9.

Does anybody know anything about this? What's this file doing in /etc? Where did it come from? How is it doing anything with no program(s)?

--
Glenn English




--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/8E1993FA-9F26-4067-8EF8-2AEC8A908BC4@slsware.com
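Added here as a worked example, not code from the thread: a small Python triage script for the two questions in this post, whether a profile file in /etc/apparmor.d can be doing anything, and why named cannot stamp the zone files. The log lines are constructed; the script assumes named's post-refresh stamp is an explicit timestamp and reads the kernel's own /sys/module/apparmor and /sys/kernel/security/apparmor files.

```python
import os
import re
# Constructed syslog sample shaped like the message quoted in the thread.
SAMPLE_SYSLOG = [
    "Aug 12 13:02:11 dns1 named[2231]: zone example.org/IN: refresh: could not set "
    "file modification time of '/var/cache/bind/slave/example.org': permission denied",
    "Aug 12 13:02:12 dns1 named[2231]: zone example.net/IN: refresh: could not set "
    "file modification time of '/var/cache/bind/slave/example.net': permission denied",
    "Aug 12 13:02:12 dns1 named[2231]: zone example.net/IN: Transfer completed",
]
_MTIME_ERR = re.compile(r"refresh: could not set file modification time of "
                        r"'(?P<path>[^']+)': permission denied", re.I)

def affected_files(lines):
    """Distinct zone-file paths named in mtime errors, in order first seen."""
    seen = []
    for m in filter(None, map(_MTIME_ERR.search, lines)):
        if m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen

def mtime_verdict(owner_uid, owner_gid, mode, uid, gid):
    """Why utimes(2) with an explicit timestamp fails for a process as uid/gid.

    Only the owner (or CAP_FOWNER) may set a specific mtime; write permission
    covers just 'set to now'. named's post-refresh stamp is an explicit time
    (assumed here), so a zone file merely writable by 'bind' still fails.
    """
    if uid == 0 or owner_uid == uid:
        return "ok"
    if mode & 0o002 or (owner_gid == gid and mode & 0o020):
        return "writable-but-not-owner"
    return "no-write-access"

def _read(path):
    return open(path).read() if os.path.exists(path) else None

def apparmor_state(read=_read):
    """(kernel state, {loaded profile: mode}), from the kernel's own view."""
    # A profile file under /etc/apparmor.d is inert until the LSM is enabled
    # and the profile is loaded into it; 'read' is injectable for testing.
    enabled = read("/sys/module/apparmor/parameters/enabled")
    if enabled is None or enabled.strip() != "Y":
        return ("absent" if enabled is None else "disabled"), {}
    profiles = {}
    for line in (read("/sys/kernel/security/apparmor/profiles") or "").splitlines():
        m = re.match(r"(\S+) \((\w+)\)", line)  # e.g. "/usr/sbin/named (enforce)"
        if m:
            profiles[m.group(1)] = m.group(2)
    return "enabled", profiles
```

Run `apparmor_state()` on the box itself and feed it `stat` results for each path from `affected_files(...)` to separate a real AppArmor denial from a plain ownership mismatch.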
 
Old 08-13-2012, 04:27 PM
Camaleón
 
DNS/apparmor problem

On Sun, 12 Aug 2012 14:19:31 -0600, Glenn English wrote:

> Lenny, updated until the end.
>
> I started having lots of errors like "refresh: could not set file
> modification time of '/etc/bind/XXXXX': permission denied" in syslog
> from bind9. I found some talking about this at a Ubuntu site, and a
> little more in README.Debian. And there's an apparmor.d/usr.sbin.named
> file in /etc. The Ubuntu site tells me that I need to do something to it
> with a program called aa-complain.

(...)

The only thing I can think that can be causing these errors is that by
default, and IIRC, Bind9 comes chrooted in Debian so this setting could
trigger "permission denied" errors but on the other hand, for the kind of
message ("can't change file modification time") it can be also something
related to a synchronization problem between zones, maybe with another
server :-?

What does your DNS server configuration look like? Are you using a special
setup or did you recently change something on your side?

Greetings,

--
Camaleón


Archive: http://lists.debian.org/k0b9ua$9nn$16@dough.gmane.org
 
Old 08-13-2012, 09:11 PM
Glenn English
 
DNS/apparmor problem

On Aug 13, 2012, at 10:27 AM, Camaleón wrote:

> On Sun, 12 Aug 2012 14:19:31 -0600, Glenn English wrote:
>
>> I started having lots of errors like "refresh: could not set file
>> modification time of '/etc/bind/XXXXX': permission denied" in syslog
>> from bind9. I found some talking about this at a Ubuntu site, and a
>> little more in README.Debian. And there's an apparmor.d/usr.sbin.named
>> file in /etc. The Ubuntu site tells me that I need to do something to it
>> with a program called aa-complain.
>
> (...)
>
> The only thing I can think that can be causing these errors is that by
> default, and IIRC, Bind9 comes chrooted in Debian

I may be wrong, but I don't think the Debian Bind9 install on lenny is chrooted.
All its configs are in plain old /etc (the domain files are in /var/cache/bind).
It's owned and run by user bind, not root, that's all...

> so this setting could
> trigger "permission denied" errors but on the other hand, for the kind of
> message ("can't change file modification time") it can be also something
> related to a synchronization problem between zones, maybe with another
> server :-?
>
> What does your DNS server configuration look like?

It looks like a mixture of Webmin and vim editing. Would you like it (them)
posted? I'd be glad to do that if you do. I've already grep'ed for apparmor.
It found nothing in /etc/bind/*.

> Are you using a special
> setup

Define 'special' :-) There are 2 DNS servers on the DMZ. One, non-caching,
non-recursive, limited in the domains it will provide, and running only
slave zone files, is facing the Internet. The other is wide open and available
to the LAN and the Internet facing DNS server. All the master zones are on
the LAN facing server.

> or did you recently change something on your side?

Not that I can remember.

I edited the AppArmor profile file, but after the errors. It said, as best I
understand it, that everything in /etc/bind was read only by the owner. I
changed that to rw (because there was a write problem and I thought I'd try
something trivial), and the errors seem to have stopped (or maybe they just
haven't started yet today). That makes very little sense to me because the
files complained about in the logs weren't in /etc/bind.

If you, or anyone else, has any idea how AppArmor, nary a byte of whose executables
are on the machine, can have any effect whatsoever, I'd sure like to know about it.
I hesitate to simply delete the profile file because I don't understand yet what's
going on -- something put it there and is using it somehow...

BTW, /etc/apparmor.d/usr.sbin.named is the only AppArmor file of any kind I can find
on the machine.

--
Glenn English
hand-wrapped from my Apple Mail




Archive: http://lists.debian.org/854044BE-D820-4272-BAE7-329BC3DB82F2@slsware.com
 
Old 08-14-2012, 03:03 PM
Camaleón
 
DNS/apparmor problem

On Mon, 13 Aug 2012 15:11:58 -0600, Glenn English wrote:

> On Aug 13, 2012, at 10:27 AM, Camaleón wrote:

>> The only thing I can think that can be causing these errors is that by
>> default, and IIRC, Bind9 comes chrooted in Debian
>
> I may be wrong, but I don't think the Debian Bind9 install on lenny is
> chrooted. All its configs are in plain old /etc (the domain files are in
> /var/cache/bind). It's owned and run by user bind, not root, that's
> all...

I may have confused bind9 with postfix or another server application, but
the truth is that I remember a usual service that came chrooted as a Debian
default that I had to un-chroot to make it work with less headaches.

Okay, let's assume then that your Bind9 installation is not being run
inside a jail :-)

>> What does your DNS server configuration look like?
>
> It looks like a mixture of Webmin and vim editing. Would you like it
> (them) posted? I'd be glad to do that if you do. I've already grep'ed
> for apparmor. It found nothing in /etc/bind/*.

AppArmor is not a variable I would take into account unless you manually
installed and configured it. Debian does not ship AA by default and even
if so, no profile is enabled so I would discard a problem coming from
here (unless, of course, you did something that triggered the AA
installation which enabled a profile...).

>> Are you using a special
>> setup
>
> Define 'special' :-)

"Special" is a configuration which differs from the default package
install which simply enables a local DNS caching server for the host and
usually works out of the box with no more tweaks :-)

> There are 2 DNS servers on the DMZ. One, non-cacheing, non-recursive,
> limited in the domains it will provide, and running only slave zone
> files, is facing the Internet. The other is wide open and available to
> the LAN and the Internet facing DNS server. All the master zones are on
> the LAN facing server.

Mmm, master, slave and zone transfers between them? If there's any
interrelation between both servers it can be indeed an "out of sync"
timing issue (remember the error started with "refresh:" operation).

Are the times of both servers accurately set (e.g., by means of ntpd)?

>> or did you recently change something on your side?
>
> Not that I can remember.
>
> I edited the AppArmor profile file, but after the errors.

Uh? What AA profile? :-?

> It said, as best I understand it, that everything in /etc/bind was read
> only by the owner. I changed that to rw (because there was a write
> problem and I thought I'd try something trivial), and the errors seem
> to have stopped (or maybe they just haven't started yet today). That
> makes very little sense to me because the files complained about in the
> logs weren't in /etc/bind.

Mmm... AA should be nonexistent in your system and of course no service
should be up and running (if AA is not started, profiles are not read and
thus not executed, or at least that's how it was at the times I was using
openSUSE which had enabled AA by default with some profiles "on").

> If you, or anyone else, has any idea how AppArmor, nary a byte of whose
> executables are on the machine, can have any effect whatsoever, I'd sure
> like to know about it. I hesitate to simply delete the profile file
> because I don't understand yet what's going on -- something put it there
> and is using it somehow...

Well, that's of course something you should discover as soon as possible.
AA can be very useful but of course it has to be fine-tuned beforehand
because it can keep services from working properly.

> BTW, /etc/apparmor.d/usr.sbin.named is the only AppArmor file of any
> kind I can find on the machine.

Weird but I'd say harmless unless AA is running. Anyway, time to run
"locate apparmor", just in case... :-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/k0dpbb$vu0$8@dough.gmane.org
 
Old 08-14-2012, 03:55 PM
Glenn English
 
DNS/apparmor problem

On Aug 14, 2012, at 9:03 AM, Camaleón wrote:

> I may have confused bind9 with postfix or another server application, but
> the truth is that I remember a usual service that came chrooted as a Debian
> default that I had to un-chroot to make it work with less headaches.

Yeah. Postfix is chrooted -- it asks me fairly frequently to copy files
from /etc to where it lives...

> AppArmor is not a variable I would take into account unless you manually
> installed and configured it.

I was just hoping to find a bind config mentioning the file in /etc.

> Debian does not ship AA by default and even
> if so, no profile is enabled so I would discard a problem coming from
> here (unless, of course, you did something that triggered the AA
> installation which enabled a profile...).

It isn't, but a folder and a file got installed in /etc somehow.

> Mmm, master, slave and zone transfers between them?

Frequently.

> If there's any
> interrelation between both servers it can be indeed an "out of sync"
> timing issue (remember the error started with "refresh:" operation).

I try to keep an eye on them to see if they get out of sync.

> Are the times of both servers accurately set (e.g., by means of ntpd)?

Yes. There's a dedicated NTP server on the DMZ to sync all the clocks
in my nets. (I live in Boulder County, USA, so NIST is just down the
street -- I have a 10 or 20 ms latency to their atomic clocks.)

>> I edited the AppArmor profile file, but after the errors.
>
> Uh? What AA profile? :-?

/etc/apparmor.d/usr.sbin.named:

# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
...

Since I've never seen AA, I don't know for sure what an AA profile looks
like, but I have reason to believe this is one...

> Mmm... AA should be unexistant in your system and of course no service
> should up and running (if AA is not started, profles are not read and
> thus not executed, or at least that's how it was at the times I was using
> openSUSE which had enabled AA by default with some profiles "on").

It doesn't exist, and it's not running. But the named profile exists...

> Well, that's of course something you should discover as soon as possible.
> AA can be very useful but of course it has to be fine tweaked before
> because it can cause services from working properly.

Any idea how to do that? From what I've found, AA does look like it might
do me some good. But it's (allegedly) not here yet.

>> BTW, /etc/apparmor.d/usr.sbin.named is the only AppArmor file of any
>> kind I can find on the machine.
>
> Weird but I'd say harmless unless AA is running.

I'd have thought so too, except that it appeared in /etc somehow and seems
to affect bind9.

> Anyway, time to run
> "locate apparmor", just in case... :-)

root# locate apparmor
-bash: locate: command not found

I've done whereis and which. Both say AA isn't there. And ps says it
isn't running.

Aptitude doesn't find locate either. Is it part of some package?

--
Glenn English
hand-wrapped from my Apple Mail




Archive: http://lists.debian.org/F57AD166-C9D5-47DF-8024-58A92EBE909F@slsware.com
 
Old 08-14-2012, 04:29 PM
Camaleón
 
DNS/apparmor problem

On Tue, 14 Aug 2012 09:55:01 -0600, Glenn English wrote:

> On Aug 14, 2012, at 9:03 AM, Camaleón wrote:

(...)

>> Debian does not ship AA by default and even if so, no profile is
>> enabled so I would discard a problem coming from here (unless, of
>> course, you did something that triggered the AA installation which
>> enabled a profile...).
>
> It isn't, but a folder and a file got installed in /etc somehow.

Mmm... the file seems to come from the bind9 package itself, so I wouldn't
bother, and while AA is not installed/executed, there should be no problem.

>> Mmm, master, slave and zone transfers between them?
>
> Frequently.

Then the error could be generated by this. Are the bind9 logs holding
more data or just the succinct message you posted before?

>> If there's any
>> interrelation between both servers it can be indeed an "out of sync"
>> timing issue (remember the error started with "refresh:" operation).
>
> I try to keep an eye on them to see if they get out of sync.

The "refresh" is very suspicious.

>> Are the times of both servers accurately set (e.g., by means of ntpd)?
>
> Yes. There's a dedicated NTP server on the DMZ to sync all the clocks in
> my nets. (I live in Boulder County, USA, so NIST is just down the street
> -- I have a 10 or 20 ms latency to their atomic clocks.)

Then time should be fine.

>>> I edited the AppArmor profile file, but after the errors.
>>
>> Uh? What AA profile? :-?
>
> /etc/apparmor.d/usr.sbin.named:

(...)

I would forget about this file (also AA) as it seems to be normal to have
it installed and there's no other trace of AA in your system. Also, if
you edited something, restore to its defaults.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/k0due7$vu0$11@dough.gmane.org