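--- a/howtos/bind-apparmor.txt
+++ b/howtos/bind-apparmor.txt
@@ -0,0 +1,146 @@
+===== bind and chroot =====
+
+Install software:
+<
+apt-get install bind9
+/
+/
+</
+
+Change bind settings to make it startup in chroot environment:
+<
+vim /
+</
+
+Change first line to:
+<
+OPTIONS="
+</
+
+Create some directories & a link to move /etc/bind to /
+
+<
+mkdir -p /
+mkdir /
+mkdir -p /
+mkdir -p /
+mv /etc/bind /
+ln -s /
+mknod /
+mknod /
+chmod 666 /
+chown -R bind:bind /
+chown -R bind:bind /
+</
+
+Edit /
+<
+vim /
+</
+
+Change it to:
+<
+SYSLOGD="
+</
+
+On Lucid Lynx you need to this instead:
+
+<
+vi /
+</
+
+and add the following line so that we can still get important messages logged to the system logs:
+<
+$AddUnixListenSocket /
+</
+
+Now edit the (problematic) bind9 apparmor profile:
+
+<
+vim /
+</
+
+and change marked lines
+
+<
+# Last Modified: Fri Jun 1 16:43:22 2007
+#include <
+
+/
+#include <
+#include <
+
+capability net_bind_service,
+capability setgid,
+capability setuid,
+capability sys_chroot,
+
+# /etc/bind should be read-only for bind
+# /
+# /
+# See /
+#These three lines for chroot environment
+/
+/
+/
+/
+/
+/
+/
+/
+/
+#chroot end
+/
+/
+/
+
+/
+/
+# /
+# support for resolvconf
+# /
+}
+
+</
+
+Or use this profile:
+<
+# Last Modified: Mon Oct 6 20:46:31 2008
+#include <
+/
+#include <
+#include <
+#include <
+
+capability net_bind_service,
+capability setgid,
+capability setuid,
+capability sys_chroot,
+
+/
+/
+/
+/
+/
+/
+/
+/
+/
+/
+/
+/
+}
+</
+
+then restart services
+
+/
+
+/
+
+/
+
+
+
+
+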