6

These questions didn't help:

https://askubuntu.com/questions/172030/how-to-allow-bind-in-app-armor
Cannot start BIND9

I wanted to start bind9 and saw that it gives permission denied in syslog, as below:

Feb  8 09:37:24 aname named[27278]: automatic empty zone: A.E.F.IP6.ARPA
Feb  8 09:37:24 aname named[27278]: automatic empty zone: B.E.F.IP6.ARPA
Feb  8 09:37:24 aname named[27278]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb  8 09:37:24 aname named[27278]: command channel listening on 127.0.0.1#953
Feb  8 09:37:24 aname named[27278]: command channel listening on ::1#953
Feb  8 09:37:24 aname named[27278]: isc_stdio_open '/var/log/bind9/query.log' failed: permission denied
Feb  8 09:37:24 aname named[27278]: configuring logging: permission denied
Feb  8 09:37:24 aname named[27278]: loading configuration: permission denied
Feb  8 09:37:24 aname named[27278]: exiting (due to fatal error)
Feb  8 09:37:24 aname kernel: [1984823.682079] type=1400 audit(1454924244.439:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind9/query.log" pid=27279 comm="named" requested_mask="c" denied_mask="c" fsuid=109 ouid=0

Why does it give a permission error when it is 777?

I thought maybe it is due to the zones directory, so I checked it too:

4 drwxr-sr-x  2 root root 4096 Feb  7 18:45 zones

I checked the zone files with /usr/sbin/named-checkconf, but no error was printed on the terminal.

Contents of bind9:

4 -rw-r--r--  1 root root 2389 Jan 18 14:04 bind.keys
4 -rw-r--r--  1 root root  237 Jan 18 14:04 db.0
4 -rw-r--r--  1 root root  271 Jan 18 14:04 db.127
4 -rw-r--r--  1 root root  237 Jan 18 14:04 db.255
4 -rw-r--r--  1 root root  353 Jan 18 14:04 db.empty
4 -rw-r--r--  1 root root  270 Jan 18 14:04 db.local
4 -rw-r--r--  1 root root 3048 Jan 18 14:04 db.root
4 -rw-r--r--  1 root bind  464 Feb  7 17:56 named.conf
4 -rw-r--r--  1 root bind  490 Jan 18 14:04 named.conf.default-zones
4 -rw-r--r--  1 root bind  333 Feb  7 18:47 named.conf.local
4 -rw-r--r--  1 root bind  455 Feb  7 18:33 named.conf.options
4 -rw-r--r--  1 root bind  890 Feb  7 13:22 named.conf.options.bak
4 -rw-r-----  1 bind bind   77 Feb  7 13:22 rndc.key
4 drwxr-sr-x  2 root root 4096 Feb  7 18:45 zones
4 -rw-r--r--  1 root root 1317 Jan 18 14:04 zones.rfc1918

EDIT 2:

ls -las /var/lib/bind/ output:

4 -rw-r--r--  1 root root   53 Feb  7 13:22 bind9-default.md5sum

EDIT 3:

I have AppArmor; does that mess with file permissions?

This question almost solved my problem:
https://askubuntu.com/questions/469866/bind-fatal-error-cant-open-custom-log

Some directories were not present, so I created them. And the path in named.conf.options was wrong; I corrected it so that it points to a file which exists.

Problem solved!

Alireza
  • 563
  • 4
  • 8
  • 27

3 Answers

9

You have the error right there in your output:

Feb  8 09:37:24 aname kernel: [1984823.682079] type=1400 audit(1454924244.439:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind9/query.log" pid=27279 comm="named" requested_mask="c" denied_mask="c" fsuid=109 ouid=0

Add a

/var/log/bind9/query.log rw,

stanza to /etc/apparmor.d/usr.sbin.named, restart the apparmor and bind services, and you're good to go.

And do restore file system permissions to the log file.

Petter H
  • 3,383
  • 1
  • 14
  • 18
  • I just didn't change permission for log file. All the bind folder needed to change plus `/var/cache/bind` folder – Alireza Feb 09 '16 at 06:41
  • I know this question and answers are a bit old but I needed them so I thought I'd add my contribution to the preferred answer. You don't actually need to add anything to the apparmor file. It already includes an entry permitting bind log files to be in /var/log/named rather than /var/log/bind(9). Obviously this new directory has to have bind.bind ownership; if that's what named is running as. – RobC Sep 23 '20 at 10:05
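The audit record quoted in the question and in the answer above carries everything needed to see why chmod 777 does not help: the denial comes from the AppArmor profile (mandatory access control), not from the file mode (discretionary access control). The following added example, which is not from the question, the answers or the BIND/AppArmor projects, parses such a kernel audit line into its fields and derives the profile rule that would permit the denied access. It assumes the AppArmor convention that the audit masks "c" (create) and "d" (delete) are covered by "w" in a profile rule; the sample line is copied from the question's syslog.

```python
import re

# Constructed sample: the kernel audit line from the question's syslog.
SAMPLE_LINE = ('Feb  8 09:37:24 aname kernel: [1984823.682079] type=1400 '
               'audit(1454924244.439:45): apparmor="DENIED" operation="open" '
               'profile="/usr/sbin/named" name="/var/log/bind9/query.log" '
               'pid=27279 comm="named" requested_mask="c" denied_mask="c" '
               'fsuid=109 ouid=0')

# Audit masks use "c" (create) and "d" (delete); in profile rules those
# are part of "w" (assumption based on AppArmor's file rule semantics).
# The other letters map to the same letter in a profile rule.
_MASK_TO_RULE = {'c': 'w', 'd': 'w', 'r': 'r', 'w': 'w', 'a': 'a',
                 'm': 'm', 'k': 'k', 'l': 'l', 'x': 'x'}


def parse_apparmor_denial(line):
    """Return the key="value" fields of an AppArmor DENIED audit record
    as a dict, or None if the line is not an AppArmor denial (e.g. the
    named "permission denied" lines, which only report the symptom)."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {k: v.strip('"') for k, v in fields.items()}


def suggest_rule(denial):
    """Build the minimal profile rule for a denied file access.
    Only file operations (records carrying a name= field) are handled;
    a wider rule such as the answer's "rw," is a superset of this."""
    if denial is None or 'name' not in denial:
        return None
    perms = ''.join(sorted({_MASK_TO_RULE.get(ch, '')
                            for ch in denial['denied_mask']}))
    return f"{denial['name']} {perms},"


def find_denials(lines):
    """Scan syslog lines and return (profile, suggested rule) pairs."""
    out = []
    for line in lines:
        denial = parse_apparmor_denial(line)
        rule = suggest_rule(denial)
        if rule:
            out.append((denial['profile'], rule))
    return out
```

Running find_denials over the question's log block reports one denial for profile /usr/sbin/named, and the rule it suggests belongs in /etc/apparmor.d/usr.sbin.named followed by a reload of the profile.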
0

Simply change the ownership of the file:

chown bind:bind /var/log/bind9/query.log
sebix
  • 4,175
  • 2
  • 25
  • 45
user1700494
  • 1,642
  • 2
  • 11
  • 20
0

I simply disabled and removed apparmor https://support.plesk.com/hc/en-us/articles/213909965-How-to-disable-AppArmor-

David Okwii
  • 294
  • 5
  • 13
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Jenny D May 08 '17 at 12:46
  • But the link doesn't have the answer. The actual answer is disabling Apparmor. I simply provided a link showing how to disable Apparmor, which is a different subject altogether. – David Okwii May 09 '17 at 14:28