bind had clearly been given read and write permission, yet it still reported an error.
A careful look at the log:
--------------------------------------------------------------------------------------------------------
10 10:56:09 DNS-SERVER-UBUNTU named[540]: dumping master file: /etc/bind/zones/tmp-rYrjupIEmc: open: permission denied
Jun 10 11:02:06 DNS-SERVER-UBUNTU named[540]: no longer listening on 10.1.1.6#53
Jun 10 11:02:06 DNS-SERVER-UBUNTU named[540]: no longer listening on 2404:f800:8000:122::4#53
Jun 10 11:02:07 DNS-SERVER-UBUNTU named[540]: listening on IPv4 interface eth0, 10.1.1.6#53
Jun 10 11:02:07 DNS-SERVER-UBUNTU named[540]: listening on IPv6 interface eth0, 2404:f800:8000:122::4#53
Jun 10 11:06:18 DNS-SERVER-UBUNTU named[532]: starting BIND 9.18.30-0ubuntu0.22.04.2-Ubuntu (Extended Support Version) <id:>
Jun 10 11:06:18 DNS-SERVER-UBUNTU kernel: [ 7.794237] audit: type=1400 audit(1749553573.618:45): apparmor="DENIED" operation="mknod" class="file" profile="named" name="/etc/bind/zones/managed-keys.bind.jnl" pid=532 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
Jun 10 11:06:18 DNS-SERVER-UBUNTU kernel: [ 8.471870] audit: type=1400
------------------------------------------------------------------------------------------------------
It turned out that AppArmor on this Ubuntu 22.04 machine was blocking bind from creating files.
Solution:
sudo vim /etc/apparmor.d/usr.sbin.named
/etc/bind/** r,
Change it to:
/etc/bind/** rw,
/etc/bind/zones/** rwk,
# Reload the configuration
sudo systemctl reload apparmor
sudo systemctl restart named
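
As an added example (not part of the original post), this Python script extracts AppArmor denials from log lines like those above and reports which profile, path and permission were refused, so the rule can be scoped to what named actually needs. The function names are hypothetical, and the last sample line is constructed for illustration.

```python
import re
from collections import defaultdict

# Two lines from the log quoted in this post, plus one constructed line (the
# last) showing how several denials on the same path are merged.
SAMPLE_LOG = """\
Jun 10 11:06:18 DNS-SERVER-UBUNTU named[532]: starting BIND 9.18.30-0ubuntu0.22.04.2-Ubuntu (Extended Support Version) <id:>
Jun 10 11:06:18 DNS-SERVER-UBUNTU kernel: [ 7.794237] audit: type=1400 audit(1749553573.618:45): apparmor="DENIED" operation="mknod" class="file" profile="named" name="/etc/bind/zones/managed-keys.bind.jnl" pid=532 comm="isc-net-0001" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
Jun 10 11:06:19 DNS-SERVER-UBUNTU kernel: [ 9.000000] audit: type=1400 audit(1749553574.000:46): apparmor="DENIED" operation="open" class="file" profile="named" name="/etc/bind/zones/managed-keys.bind.jnl" pid=532 comm="isc-net-0001" requested_mask="wr" denied_mask="wr" fsuid=114 ouid=114
"""

# key=value or key="quoted value" pairs as they appear in audit records.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Audit-log mask letters that differ from profile rule letters:
# "c" (create) and "d" (delete) are both granted by "w" in a profile rule.
MASK_TO_RULE = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    denials = []
    for line in text.splitlines():
        fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
                  for m in FIELD.finditer(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials

def needed_permissions(denials):
    """Map (profile, path) -> sorted rule letters covering every denial seen."""
    perms = defaultdict(set)
    for d in denials:
        key = (d.get("profile", "?"), d.get("name", "?"))
        for letter in d.get("denied_mask", ""):
            perms[key].add(MASK_TO_RULE.get(letter, letter))
    return {key: "".join(sorted(val)) for key, val in perms.items()}

if __name__ == "__main__":
    for (profile, path), p in needed_permissions(parse_denials(SAMPLE_LOG)).items():
        print(f"profile={profile} path={path} denied={p}")
```

In the denial quoted in this post, the only refused permission is create ("c", covered by "w") on a file under /etc/bind/zones/.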