Revert changes to bind log path from apparmor fix
continuous-integration/drone/push Build is passing Details

I realised it wasnt the best idea to change the path we are used to using just for this, so I overwrite the apparmor configuration instead.
This commit is contained in:
Patrick Marchand 2021-03-09 16:58:14 -05:00
parent ffd3ff97f1
commit e5511eafc6
6 changed files with 120 additions and 19 deletions

View File

@ -32,10 +32,11 @@ The **patch** part changes incrementally at each release.
* nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies * nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
* redis: use /run instead or /var/run * redis: use /run instead or /var/run
* redis: escape password in Munin configuration * redis: escape password in Munin configuration
* bind9: moved logs from /var/log/bind* to /var/log/named/* to fix problems with apparmor
### Fixed ### Fixed
* bind9: added log files to apparmor definition so bind can run
### Removed ### Removed

View File

@ -6,7 +6,6 @@ bind_chroot_set: True
#bind_chroot_path: /var/chroot-bind #bind_chroot_path: /var/chroot-bind
bind_systemd_service_path: /etc/systemd/system/bind9.service bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats bind_statistics_file: /var/run/named.stats
bind_log_folder: /var/log/named bind_log_file: /var/log/bind.log
bind_log_file: "{{ bind_log_folder }}/bind.log" bind_query_file: /var/log/bind_queries.log
bind_query_file: "{{ bind_log_folder }}/bind_queries.log"
bind_cache_dir: /var/cache/bind bind_cache_dir: /var/cache/bind

View File

@ -22,7 +22,7 @@ mkdir -p /var/chroot-bind
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \ mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
/var/chroot-bind/lib /var/chroot-bind/usr/lib \ /var/chroot-bind/lib /var/chroot-bind/usr/lib \
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \ /var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
/var/chroot-bind/var/log/named /var/chroot-bind/var/run/named/ \ /var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
/var/chroot-bind/run/named/ /var/chroot-bind/run/named/
# for conf # for conf
@ -32,9 +32,9 @@ if [ ! -h "/etc/bind" ]; then
fi fi
# for logs # for logs
touch /var/chroot-bind/var/log/named/bind.log touch /var/chroot-bind/var/log/bind.log
if [ ! -h "/var/log/named/bind.log" ]; then if [ ! -h "/var/log/bind.log" ]; then
ln -s /var/chroot-bind/var/log/named/bind.log /var/log/named/bind.log ln -s /var/chroot-bind/var/log/bind.log /var/log/bind.log
fi fi
# for pid # for pid

View File

@ -2,6 +2,11 @@
- name: reload systemd - name: reload systemd
command: systemctl daemon-reload command: systemctl daemon-reload
- name: restart apparmor
service:
name: apparmor
state: restarted
- name: restart bind - name: restart bind
service: service:
name: bind9 name: bind9

View File

@ -1,13 +1,23 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths. # Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables - name: set chroot variables
set_fact: set_fact:
bind_log_file: /var/log/named/bind.log bind_log_file: /var/log/bind.log
bind_query_file: /var/log/named/bind_queries.log bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind bind_chroot_path: /var/chroot-bind
when: bind_chroot_set when: bind_chroot_set
- name: configure apparmor
template:
src: apparmor.usr.sbin.named.j2
dest: /etc/apparmor.d/usr.sbin.named
owner: root
group: root
mode: '0644'
force: yes
notify: restart apparmor
- name: package are installed - name: package are installed
apt: apt:
name: name:
@ -58,15 +68,6 @@
- restart bind - restart bind
when: ansible_distribution_release == "jessie" when: ansible_distribution_release == "jessie"
- name: "create {{ bind_log_folder }} if non chroot"
file:
path: "{{ bind_log_folder }}"
owner: bind
group: adm
mode: "0750"
state: directory
when: not bind_chroot_set
- name: "touch {{ bind_log_file }} if non chroot" - name: "touch {{ bind_log_file }} if non chroot"
file: file:
path: "{{ bind_log_file }}" path: "{{ bind_log_file }}"

View File

@ -0,0 +1,95 @@
# vim:syntax=apparmor
# Last Modified: Tue Mar 9 14:17:50 EST 2021
#include <tunables/global>
/usr/sbin/named flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# Database file used by allow-new-zones
/var/cache/bind/_default.nzd-lock rwk,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/openssl.cnf r,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
{{ bind_log_file }} rw,
{{ bind_query_file }} rw,
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/mc/initgroups r,
/etc/gss/mech.d/ r,
# ldap
/etc/ldap/ldap.conf r,
/{,var/}run/slapd-*.socket rw,
# dynamic updates
/var/tmp/DNS_* rw,
# dyndb backends
/usr/lib/bind/*.so rm,
# Samba DLZ
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
owner /var/tmp/krb5_* rwk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}