Solved

Bind 9 Logging - Ubuntu Hardy Heron server 8.04

Posted on 2008-10-28
1,375 Views
Last Modified: 2013-12-23
I have two questions. And, I'm logged in as root as I do this stuff.

One:
I'm trying to set up logging on our DNS server. I have the following msg in syslog. Can somebody clue me in as to what I may need to do to fix it? I'm guessing it has something to do with umask.

kernel: audit : type=1503 operation=inode_permission requested_mask=a:: name=/var/log/query.log pid=5819 profile=/usr/sbin/named namespace=default

named: logging channel query file /var/log/query.log: permission denied


I searched the Linux Questions forum and found a thread about Apparmor being the culprit so I set it to complain mode, restarted named, but no joy.

Here's my logging statement straight out of Ubuntu's documentation.

logging {
    channel query.log {
        file "/var/log/query.log";
        // "severity debug 3" logs debug messages up to level 3;
        // "severity dynamic" would follow named's current debug level instead.
        severity debug 3;
    };

    category queries { query.log; };
};

ls -al /var/log/query.log
returns
-rw-r--r-- 1 bind bind 0 date time query.log

I've also tried this statement out of Mark Sobell's "A Practical Guide to Ubuntu Linux" book. No joy.
Should either one of these statements work once I have the "permissions denied" problem resolved?

logging {
    channel "query" {
        file "/var/log/query.log";
        // "severity debug 3" logs debug messages up to level 3;
        // "severity dynamic" would follow named's current debug level instead.
        severity debug 3;
    };

    category queries { "query"; };
};

Two:
Why can't I view the contents of usr.sbin.named?
When I run the cmd "more /etc/usr.sbin.named" it returns "No such file or directory."
ls -al /etc/usr.sbin.named
returns
-rw-r--r-- 1 root root 742 date time usr.sbin.named
Question by:Westez


Author Comment

by:Westez
ID: 22826187
I've determined that Apparmor is the culprit. No error msg, and I can write to the logs when it's disabled.
I'd prefer to have Apparmor running and protecting named.  How can this be done?

Expert Comment

by:KMlynarski
ID: 22826706
Hello Westez,

1. query.log problem:

Try this (as root):
(In my example I'm using the vi editor, but you can use any text editor of your choice)

# mkdir /var/log/named
# chown bind:bind /var/log/named
# vi /etc/bind/<name_of-your-config_file_here>

.... replace:

file "/var/log/query.log";

... with:

file "/var/log/named/query.log";

... and save your bind configuration file, and exit the vi.

# /etc/init.d/bind9 restart

... and then, do some queries using dig or any utility like that.

Check if your /var/log/named/query.log shows you something. It really should!

Why? Here's part TWO:

There's a definition in the file: /etc/apparmor.d/usr.sbin.named:

[...]
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
[...]

Of course, you (in theory) can change this definition, to point to /var/log... but, you can't view or edit the file, right?

Why? I don't know exactly, but in a clean install of Ubuntu 8.04 you should have the right to see or even edit (as root) this very file. If not, then you may have some weird filesystem flags set on this file. You can check this using the following command (as root):

root@ubuntu:~# lsattr /etc/apparmor.d/

... and the output should be something like that:

------------------ /etc/apparmor.d/abstractions
------------------ /etc/apparmor.d/usr.sbin.cupsd
------------------ /etc/apparmor.d/disable
------------------ /etc/apparmor.d/usr.sbin.named
------------------ /etc/apparmor.d/tunables
------------------ /etc/apparmor.d/force-complain
root@ubuntu:~#

If it isn't (if there are any flags visible instead of "-" characters on the left side of the file name), you can use the chattr command to disable the flag (man chattr).

Hope this will be helpful!

Bestest,
 -Chris




Author Comment

by:Westez
ID: 22835927
Chris,

I built this box from scratch and loaded just dns and ssh and accepted the defaults.  So there's no /var/log/named directory, only /var/log/
And I did edit the usr.sbin.named file and added the line /var/log/** rw,
then restarted bind9. Ran some digs, etc to see if the file was being written to, before I posted up.
And I can view the file query.log, but there's nothing in it to view, with Apparmor running.  If I turn Apparmor off there's a ton of stuff written to it.

I just ran the lsattr /etc/apparmor.d/ cmd and it runs cleanly the way you would expect it to, so no weird file permissions.

Expert Comment

by:gheist
ID: 22867579
BIND in Ubuntu chroots, so you will need to use syslog or create the log file under /var/lib/named/./

Author Comment

by:Westez
ID: 22868215
gheist - I didn't chroot the setup.

Accepted Solution

by:gheist (earned 500 total points)
ID: 22868480
You have to add the log directory twice into the apparmor.d file.

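To show why the posted configuration is denied and what the "twice" in the accepted answer refers to, here is an added example (written for this page, not taken from any of the posts above or from the AppArmor project). It implements AppArmor's matching for plain file rules: `*` matches within one path component, `**` crosses `/`, a glob that directly follows a `/` has to consume at least one character (so `/var/log/named/**` does not cover the directory `/var/log/named/` itself, which is why the Ubuntu profile lists that directory on its own line), and an append request (`requested_mask=a`, what named asks for on its log file) is satisfied by a rule granting `w`. The profile fragment and the audit line are constructed from the thread; the function names are my own.

```python
"""Check a path and requested access mask against AppArmor file rules.

Added example for this thread: a small model of how apparmor_parser matches
path globs, run against the denial quoted in the question.  The profile
fragment and audit line below are constructed from the posts above.
"""
import re

# Profile lines quoted in the thread, plus the directory rule that the Ubuntu
# profile carries right beside them (the "twice" of the accepted answer).
SHIPPED_RULES = """
  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,
  /var/log/named/ rw,
"""

# The kernel audit line from the question (constructed sample).
AUDIT_LINE = ("kernel: audit : type=1503 operation=inode_permission "
              "requested_mask=a:: name=/var/log/query.log pid=5819 "
              "profile=/usr/sbin/named namespace=default")

RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-z]+)\s*,\s*$")
AUDIT_RE = re.compile(r"requested_mask=([a-z]*).*?\bname=(\S+)")


def parse_rules(text):
    """Return [(path_glob, perms)] for the plain file rules in a profile fragment."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def parse_denial(line):
    """Extract (path, requested_mask) from an AppArmor audit line."""
    m = AUDIT_RE.search(line)
    if not m:
        raise ValueError("not an AppArmor file denial: %r" % line)
    return m.group(2), m.group(1)


def glob_to_regex(glob):
    """Translate an AppArmor path glob into a regular expression.

    '*' matches any run of characters except '/', '**' any run including '/'.
    A glob that directly follows a '/' must consume at least one character,
    so '/var/log/named/**' does not match the directory '/var/log/named/'
    (this mirrors apparmor_parser's translation; it is why the profile needs
    the separate '/var/log/named/ rw,' line).
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob.startswith("**", i)
            if i > 0 and glob[i - 1] == "/":
                out.append("[^/]")          # at least one char after a '/'
            out.append(".*" if double else "[^/]*")
            i += 2 if double else 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def granted_perms(rules, path):
    """Union of the permission letters from every rule whose glob matches path."""
    perms = set()
    for glob, letters in rules:
        if re.fullmatch(glob_to_regex(glob), path):
            perms.update(letters)
    return perms


def allows(rules, path, mask):
    """True if the rules grant every letter of the requested mask for path.

    'a' (append) is a subset of 'w', so a rule granting 'w' satisfies it.
    """
    perms = granted_perms(rules, path)
    for letter in mask:
        if letter == "a" and "w" in perms:
            continue
        if letter not in perms:
            return False
    return True


if __name__ == "__main__":
    path, mask = parse_denial(AUDIT_LINE)
    shipped = parse_rules(SHIPPED_RULES)
    print("denied as posted:", not allows(shipped, path, mask))
    # Fix 1 (KMlynarski): keep the log where the shipped profile already allows it.
    print("/var/log/named/query.log allowed:",
          allows(shipped, "/var/log/named/query.log", mask))
    # Fix 2: keep /var/log/query.log and add a rule for that file.
    patched = shipped + parse_rules("/var/log/query.log w,")
    print("/var/log/query.log allowed after patch:", allows(patched, path, mask))
    # Why the directory is listed separately ("twice"):
    only_glob = parse_rules("/var/log/named/** rw,")
    print("directory covered by ** alone:", allows(only_glob, "/var/log/named/", "r"))
```

Whichever rule you settle on, editing /etc/apparmor.d/usr.sbin.named is only half the job: the kernel keeps the previously loaded profile until you reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`; restarting bind9 alone does not pick the change up. After reloading, restart bind9, run a few `dig` queries and check syslog for any further `type=1503` lines naming the log file.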