Bind9 - openssl problem












1















when I try to start bind9; simply fail because of chroot & openssl



/etc/init.d/bind9 start


log messages;



Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
Feb 17 08:26:27 ISTVS2024 kernel: [ 92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


If I didnt miss a point Apparmor denies it;



my usr.sbin.named file already contains these lines:



/var/named/run-root/** rw,
/var/named/run-root/usr/** rw,


also I can confirm that this file ;



/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


exist in filesystem.



Literally, I'm stuck, what other options I have, to fix this issue ?



Maybe, removing apparmor completely is a solution, but I didnt wanna do that










share|improve this question



























    1















    when I try to start bind9; simply fail because of chroot & openssl



    /etc/init.d/bind9 start


    log messages;



    Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
    Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
    Feb 17 08:26:27 ISTVS2024 kernel: [ 92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


    If I didnt miss a point Apparmor denies it;



    my usr.sbin.named file already contains these lines:



    /var/named/run-root/** rw,
    /var/named/run-root/usr/** rw,


    also I can confirm that this file ;



    /var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


    exist in filesystem.



    Literally, I'm stuck, what other options I have, to fix this issue ?



    Maybe, removing apparmor completely is a solution, but I didnt wanna do that










    share|improve this question

























      1












      1








      1








      when I try to start bind9; simply fail because of chroot & openssl



      /etc/init.d/bind9 start


      log messages;



      Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
      Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
      Feb 17 08:26:27 ISTVS2024 kernel: [ 92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


      If I didnt miss a point Apparmor denies it;



      my usr.sbin.named file already contains these lines:



      /var/named/run-root/** rw,
      /var/named/run-root/usr/** rw,


      also I can confirm that this file ;



      /var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


      exist in filesystem.



      Literally, I'm stuck, what other options I have, to fix this issue ?



      Maybe, removing apparmor completely is a solution, but I didnt wanna do that










      share|improve this question














      when I try to start bind9; simply fail because of chroot & openssl



      /etc/init.d/bind9 start


      log messages;



      Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
      Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
      Feb 17 08:26:27 ISTVS2024 kernel: [ 92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


      If I didnt miss a point Apparmor denies it;



      my usr.sbin.named file already contains these lines:



      /var/named/run-root/** rw,
      /var/named/run-root/usr/** rw,


      also I can confirm that this file ;



      /var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


      exist in filesystem.



      Literally, I'm stuck, what other options I have, to fix this issue ?



      Maybe, removing apparmor completely is a solution, but I didnt wanna do that







      12.04 bind apparmor openssl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 17 '13 at 6:34









      ubaltaciubaltaci

      10613




      10613






















          2 Answers
          2






          active

          oldest

          votes


















          0














          I had the same problem this morning.



          This guys answer fixed it for me.



          http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






          share|improve this answer
























          • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

            – fossfreedom
            Mar 7 '13 at 21:40





















          0














          This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



          In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



          mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
          cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


          Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



          More info on how I figured this out here: https://darxus.livejournal.com/329621.html






          share|improve this answer

























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f257209%2fbind9-openssl-problem%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






            share|improve this answer
























            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40


















            0














            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






            share|improve this answer
























            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40
















            0












            0








            0







            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






            share|improve this answer













            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Mar 7 '13 at 16:17









            webdevericwebdeveric

            1




            1













            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40





















            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40



















            Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

            – fossfreedom
            Mar 7 '13 at 21:40







            Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

            – fossfreedom
            Mar 7 '13 at 21:40















            0














            This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



            In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



            mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
            cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


            Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



            More info on how I figured this out here: https://darxus.livejournal.com/329621.html






            share|improve this answer






























              0














              This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



              In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



              mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
              cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


              Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



              More info on how I figured this out here: https://darxus.livejournal.com/329621.html






              share|improve this answer




























                0












                0








                0







                This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



                In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



                mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
                cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


                Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



                More info on how I figured this out here: https://darxus.livejournal.com/329621.html






                share|improve this answer















                This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



                In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



                mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
                cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


                Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



                More info on how I figured this out here: https://darxus.livejournal.com/329621.html







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Feb 5 '15 at 2:05









                muru

                1




                1










                answered Feb 5 '15 at 1:24









                DarxusDarxus

                1




                1






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f257209%2fbind9-openssl-problem%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?