
Issue Apparmor denied named

klowet

Basic Pleskian
Server operating system version: Debian 12
Plesk version and microupdate number: 18.0.57 Update #2
Hi

On a new Debian 12 installation, I get this logged into /var/log/messages

kernel: audit: type=1400 audit(1702043600.760:36): apparmor="DENIED" operation="open" profile="named" name="/var/named/run-root/" pid=850 comm="named" requested_mask="r" denied_mask="r" fsuid=104 ouid=0

Bash:
# cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
# chrooted named
/var/named/run-root/** rw,
/var/named/run-root/usr/lib/**/libgost.so rm,

Any ideas?

Thanks
 
Some more information:

Bash:
# aa-status
apparmor module is loaded.
36 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/haveged
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   named
   nvidia_modprobe
   nvidia_modprobe//kmod
24 profiles are in complain mode.
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   identd
   klogd
   mdnsd
   nmbd
   nscd
   php-fpm
   ping
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslog-ng//null-/usr/bin/dash
   syslog-ng//null-/usr/bin/dash//null-/usr/bin/dash
   syslog-ng//null-/usr/bin/dash//null-/usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh
   syslogd
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
4 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/haveged (527)
   /usr/sbin/dhclient (584) /{,usr/}sbin/dhclient
   /usr/sbin/named (853) named
1 processes are in complain mode.
   /usr/sbin/syslog-ng (874) syslog-ng
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.


On a Debian 11 install, named is running in 'unconfined' mode.
 
I've found a similar issue with a possible fix:

I'm unsure if that would work, as I don't use Debian.
 
See https://support.plesk.com/hc/en-us/articles/12377563705623 which at the moment is missing one part (support has been informed).

You need to uncomment the following line in "/etc/apparmor.d/usr.sbin.named":
Code:
include <local/usr.sbin.named>

Then add the following line to "/etc/apparmor.d/local/usr.sbin.named" (not sure if only "r" instead of "rwm" would be sufficient). The already existing line containing asterisks only works for files within that directory, but not for the directory itself.
Code:
/var/named/run-root/ rwm,

Now restart AppArmor:
Code:
service apparmor restart

To test, restart Bind and check the logfile. There should be no new occurrences of the error message.
Code:
service named restart
grep denied /var/log/messages | tail -n1
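
The point made in the answer above, that the existing `**` rule covers entries under the directory but not the directory itself, can be checked offline. This is an added example, not part of the original thread or of AppArmor's tooling: it parses the denial from the first post and tests it against the local rules with a simplified model of AppArmor path globs (only `*`, `**` and `?`; all function names are hypothetical).

```python
import re
# Constructed sample: the denial quoted in the first post, joined onto one line.
SAMPLE_LOG = (
    'kernel: audit: type=1400 audit(1702043600.760:36): apparmor="DENIED" '
    'operation="open" profile="named" name="/var/named/run-root/" pid=850 '
    'comm="named" requested_mask="r" denied_mask="r" fsuid=104 ouid=0'
)
# Rules of /etc/apparmor.d/local/usr.sbin.named as posted in the thread.
LOCAL_RULES = "/var/named/run-root/** rw,\n/var/named/run-root/usr/lib/**/libgost.so rm,\n"

def parse_denial(line):
    """Return the key="value" fields of an AppArmor DENIED audit line, else None."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified model of AppArmor path globs (assumption): only *, ** and ?."""
    out, i = "", 0
    while i < len(glob):
        if glob[i] == "*":
            j = i
            while j < len(glob) and glob[j] == "*":
                j += 1
            # A whole-component wildcard needs >= 1 char: "/dir/**" never matches "/dir/".
            whole = i > 0 and glob[i - 1] == "/" and (j == len(glob) or glob[j] == "/")
            out += ("[^/]" if whole else "") + ("[^/]*" if j - i == 1 else ".*")
            i = j
        else:
            out += "[^/]" if glob[i] == "?" else re.escape(glob[i])
            i += 1
    return re.compile(out)

def parse_rules(text):
    """Return (regex, permission set) for each path rule in a profile fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        if line.startswith("/"):
            path, perms = line.rsplit(None, 1)
            rules.append((glob_to_regex(path), set(perms)))
    return rules

def is_covered(denial, rules):
    """True if the rules matching the denied path grant every denied permission."""
    granted = set().union(*(p for rx, p in rules if rx.fullmatch(denial["name"])))
    return set(denial["denied_mask"]) <= granted

if __name__ == "__main__":
    print(is_covered(parse_denial(SAMPLE_LOG), parse_rules(LOCAL_RULES)))
```

Run against the posted rules it reports the denial as not covered; appending the `/var/named/run-root/ rwm,` line from the answer makes the same check pass.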
 