Ticket #1898 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

apparmor prevents dynamic dns with dhcp

Reported by: p.elsie Owned by: ejhernandez@…
Milestone: 2.0.X Component: base
Severity: critical Keywords:
Cc: gilles.ebox@…

Description

If you enable the "Dynamic DNS Options" on DHCP then the dhcp server will not start. If you run the command "sudo /etc/init.d/dhcp3-server restart" then you'll see some output like:

Can't open /etc/bind/keys: Permission denied

If you then run dmesg you'll get some apparmor details.

The workaround is to add the following to /etc/apparmor.d/usr.sbin.dhcpd3

# Ebox
/etc/bind/keys r,

Then you must restart apparmor:

sudo /etc/init.d/apparmor restart

This occurs in Lucid with 1.5.

Change History

comment:1 Changed 3 years ago by anonymous

I had exactly the same problem and the proposed solution works fine.

I would only add that the "# Ebox" needs to be on a line of its own and the remaining part (i.e. "/etc/bind/keys r,") needs to be on the following line, and all of this needs to be before the last closing brace at the end of the file.

comment:2 Changed 3 years ago by jacalvo@…

  • Owner changed from juruen@… to jsalamero@…

comment:3 Changed 3 years ago by adrian@…

  • priority changed from normal to high
  • Severity changed from major to critical

Same thing just happened to me. Funny story too, my family is leaving for France _NOW_ and had to access the internet, of course that was not possible without the dhcp server giving the laptop an ip address, so they had to wake me, I'm going to work in 3 hours and have had 2 hours of sleep... basically what I'm saying is, implement the suggested fix ASAP because it works and I'd hate to see anyone else end up in the same situation as me.

comment:4 Changed 3 years ago by gilles.ebox@…

  • Cc gilles.ebox@… added

FYI, the changes indicated so far are valid as they are necessary to get at least some DNS working. However, my clients were still failing to get local static and dynamic DHCP assignment into the DNS.

Looking at the log I could see I was getting an AppArmor error on bind:

[2053937.926743] type=1503 audit(1279377850.479:229): operation="mknod" pid=2386 parent=1 profile="/usr/sbin/named" requested_mask="c::" denied_mask="c::" fsuid=108 ouid=108 name="/etc/bind/db.home.mynet.org.jnl"

Looks like bind has been wrongly configured in the ebox context and puts dynamic updates in /etc/bind instead of /var/lib/bind.

Now I don't know where to change that (without perhaps affecting ebox as a whole).

So for the moment I have changed the named profile to allow "/etc/bind" to be rw (instead of "r"), although this is not ideal (just don't forget to restart apparmor after the change).
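As an added example (not eBox/Zentyal code, nor anything from this ticket's fix), the following Python script parses AppArmor denial lines in the dmesg format quoted in comment:4, turns each into the profile file rule that would satisfy it, and separately flags named being denied a write under /etc/bind, which this ticket identifies as a zone-placement problem to be fixed by moving the dynamic zones to /var/lib/bind rather than by loosening the profile. The three dmesg lines are constructed samples (only the named one is taken from the comment above); the `dhcpd3` paths in lines 1 and 3 are illustrative.

```python
import re

# Constructed sample dmesg lines in the AppArmor audit format quoted in this
# ticket: line 2 is the named denial from comment:4, lines 1 and 3 stand in
# for the dhcpd3 denials the ticket describes (they are made up).
SAMPLE_DMESG = """\
[2053930.112233] type=1503 audit(1279377842.100:228): operation="open" pid=2371 parent=1 profile="/usr/sbin/dhcpd3" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/bind/keys"
[2053937.926743] type=1503 audit(1279377850.479:229): operation="mknod" pid=2386 parent=1 profile="/usr/sbin/named" requested_mask="c::" denied_mask="c::" fsuid=108 ouid=108 name="/etc/bind/db.home.mynet.org.jnl"
[2053940.000000] type=1503 audit(1279377852.000:230): operation="open" pid=2371 parent=1 profile="/usr/sbin/dhcpd3" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/dhcpd.pid"
"""

FIELD_RE = re.compile(r'(\w+)="?([^"\s]*)"?')  # key=value or key="value"

def parse_denial(line):
    """Fields of one audit line, or None if it is not a file denial."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("denied_mask", "profile", "name")):
        return None
    return fields

def suggest_rule(denial):
    """Profile file rule that would satisfy the denial, e.g. '/etc/bind/keys r,'.
    Create (c) and delete (d) in the mask are granted by the w permission."""
    letters = denial["denied_mask"].replace(":", "")
    perms = "".join(sorted({"w" if ch in "cd" else ch for ch in letters}))
    return f'{denial["name"]} {perms},'

def misplaced_zone_write(denial):
    """True when named is denied a write under /etc/bind: per this ticket the
    zone belongs in /var/lib/bind, so widening the profile is the wrong fix."""
    mask = denial["denied_mask"].replace(":", "")
    return (denial["profile"].endswith("/named")
            and denial["name"].startswith("/etc/bind/")
            and any(ch in "wcad" for ch in mask))

def summarize(dmesg_text):
    """Return (rules_by_profile, misplaced_zone_paths) for a block of dmesg text."""
    rules, misplaced = {}, []
    for line in dmesg_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        if misplaced_zone_write(denial):
            misplaced.append(denial["name"])
            continue
        bucket = rules.setdefault(denial["profile"], [])
        if suggest_rule(denial) not in bucket:
            bucket.append(suggest_rule(denial))
    return rules, misplaced
```

Feed it `dmesg` output instead of `SAMPLE_DMESG` to get, per profile, the rules to add before the closing brace of the matching file under /etc/apparmor.d/, and a separate list of /etc/bind paths that named tried to write and that should be relocated instead.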

comment:5 Changed 3 years ago by fjbejarano@…

Hi,

I have the same problem with Zentyal 2.0.1 amd64. I have resolved the problem with the solution of this ticket, but I think that this problem needs an automated solution.

Regards

comment:6 Changed 3 years ago by jacalvo@…

  • Milestone set to 2.0.X

comment:7 Changed 3 years ago by ejhernandez@…

(In [18932]) Branch for fixing apparmor with dynamic DNS refs #1917 #1898

comment:8 Changed 3 years ago by ejhernandez@…

(In [18933]) NN: Bugfix: Comply apparmor profile by setting the updated dynamic zones under @/var/lib/bind@ directory refs #1917 refs #1898

comment:9 Changed 3 years ago by ejhernandez@…

(In [18935]) NN: Two bugfixes to make dynamic DNS work again in Lucid

  • Add to apparmor profile the bind keys file to read it
  • Comply apparmor profile by setting the pid file as /var/run/dhcp3-server/dhcpd.pid

All refs #1917 and #1898

comment:10 Changed 3 years ago by ejhernandez@…

  • Owner changed from jsalamero@… to ejhernandez@…

comment:11 Changed 3 years ago by ejhernandez@…

  • Status changed from new to closed
  • Resolution set to fixed

(In [18958]) NN: Merge ejhernandez/dyn-dns-aa branch to make Dynamic DNS work again

This closes #1917 and closes #1898
