Issue Apparmor denied named

[klowet]

Server operating system version

Debian 12

Plesk version and microupdate number

18.0.57 Update #2

Hi

On a new Debian 12 installation, I get this logged into /var/log/messages

kernel: audit: type=1400 audit(1702043600.760:36): apparmor="DENIED" operation="open" profile="named" name="/var/named/run-root/" pid=850 comm="named" requ
ested_mask="r" denied_mask="r" fsuid=104 ouid=0

# cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
# chrooted named
/var/named/run-root/** rw,
/var/named/run-root/usr/lib/**/libgost.so rm,

Any ideas?

Thanks

 

[klowet]

Some more information:

# aa-status
apparmor module is loaded.
36 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/haveged
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   named
   nvidia_modprobe
   nvidia_modprobe//kmod
24 profiles are in complain mode.
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   identd
   klogd
   mdnsd
   nmbd
   nscd
   php-fpm
   ping
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslog-ng//null-/usr/bin/dash
   syslog-ng//null-/usr/bin/dash//null-/usr/bin/dash
   syslog-ng//null-/usr/bin/dash//null-/usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh
   syslogd
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
4 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/haveged (527)
   /usr/sbin/dhclient (584) /{,usr/}sbin/dhclient
   /usr/sbin/named (853) named
1 processes are in complain mode.
   /usr/sbin/syslog-ng (874) syslog-ng
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

On a Debian 11 install, named is running in 'unconfined' mode.

 

[Maarten.]

Does this article help?

https://support.plesk.com/hc/en-us/articles/12388728330903-Domains-are-not-accessible-Bind-is-not-serving-queries-externally-named-open-etc-named-conf-permission-denied

 

[klowet]

Disabling the profile will work for sure. Is there a structural solution for this problem?

 

[Maarten.]

I've found a similar issue with a possible fix:

Bind 9 not starting

Hello there, I have a very common issue with bind. I am using plesk 12. It is not starting due to permission issues. /var/log/syslog Jan 27 10:37:31 h1862523 named[2646]: loading configuration from '/etc/named.conf' Jan 27 10:37:31 h1862523 named[2646]: open: /etc/named.conf: permission...

talk.plesk.com

I'm unsure if that would work, as I don't use Debian.

 

[LarsenD]

See https://support.plesk.com/hc/en-us/articles/12377563705623 which at the moment is missing one part (support has been informed).

You need to uncomment the following line in "/etc/apparmor.d/usr.sbin.named":

include <local/usr.sbin.named>

Then add the following line to "/etc/apparmor.d/local/usr.sbin.named" (not sure if only "r" instead of "rwm" would be sufficient). The already existing line containing asterisks only works for files within that directory, but not for the directory itself.

/var/named/run-root/ rwm,

Now restart AppArmor:

service apparmor restart

To test, restart Bind and check the logfile. There should be no new occurences of the error message.

service named restart
grep denied /var/log/messages | tail -n1