Bind9 - openssl problem












1















when I try to start bind9; simply fail because of chroot & openssl



/etc/init.d/bind9 start


log messages;



Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure

Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)

Feb 17 08:26:27 ISTVS2024 kernel: [   92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


If I didnt miss a point Apparmor denies it;



my usr.sbin.named file already contains these lines:



/var/named/run-root/** rw,

/var/named/run-root/usr/** rw,


also I can confirm that this file ;



/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


exist in filesystem.



Literally, I'm stuck, what other options I have, to fix this issue ?



Maybe, removing apparmor completely is a solution, but I didnt wanna do that






12.04 bind apparmor openssl







share|improve this question



























    1















    when I try to start bind9; simply fail because of chroot & openssl



    /etc/init.d/bind9 start


    log messages;



    Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
    
Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
    
Feb 17 08:26:27 ISTVS2024 kernel: [   92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


    If I didnt miss a point Apparmor denies it;



    my usr.sbin.named file already contains these lines:



    /var/named/run-root/** rw,
    
/var/named/run-root/usr/** rw,


    also I can confirm that this file ;



    /var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


    exist in filesystem.



    Literally, I'm stuck, what other options I have, to fix this issue ?



    Maybe, removing apparmor completely is a solution, but I didnt wanna do that






    12.04 bind apparmor openssl







    share|improve this question

























      1












      1








      1








      when I try to start bind9; simply fail because of chroot & openssl



      /etc/init.d/bind9 start


      log messages;



      Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
      
Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
      
Feb 17 08:26:27 ISTVS2024 kernel: [   92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


      If I didnt miss a point Apparmor denies it;



      my usr.sbin.named file already contains these lines:



      /var/named/run-root/** rw,
      
/var/named/run-root/usr/** rw,


      also I can confirm that this file ;



      /var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


      exist in filesystem.



      Literally, I'm stuck, what other options I have, to fix this issue ?



      Maybe, removing apparmor completely is a solution, but I didnt wanna do that






      12.04 bind apparmor openssl







      share|improve this question














      when I try to start bind9; simply fail because of chroot & openssl



      /etc/init.d/bind9 start


      log messages;



      Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure
      
Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error)
      
Feb 17 08:26:27 ISTVS2024 kernel: [   92.091098] type=1400 audit(1361082387.173:14): apparmor="DENIED" operation="file_mmap" parent=2439 profile="/usr/sbin/named" name="/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2440 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0


      If I didnt miss a point Apparmor denies it;



      my usr.sbin.named file already contains these lines:



      /var/named/run-root/** rw,
      
/var/named/run-root/usr/** rw,


      also I can confirm that this file ;



      /var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so


      exist in filesystem.



      Literally, I'm stuck, what other options I have, to fix this issue ?



      Maybe, removing apparmor completely is a solution, but I didnt wanna do that






      12.04 bind apparmor openssl




      12.04 bind apparmor openssl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 17 '13 at 6:34









      ubaltaciubaltaci

      10613




      10613






















          2 Answers
          2






          active

          oldest

          votes


















          0














          I had the same problem this morning.



          This guys answer fixed it for me.



          http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






          share|improve this answer
























          • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

            – fossfreedom
            Mar 7 '13 at 21:40





















          0














          This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



          In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



          mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
          
cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


          Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



          More info on how I figured this out here: https://darxus.livejournal.com/329621.html






          share|improve this answer

























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f257209%2fbind9-openssl-problem%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






            share|improve this answer
























            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40


















            0














            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






            share|improve this answer
























            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40
















            0












            0








            0







            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems






            share|improve this answer













            I had the same problem this morning.



            This guys answer fixed it for me.



            http://www.failover.co/blog/plesk-11-bind9-and-ubuntu-12-04-apparmor-problems







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Mar 7 '13 at 16:17









            webdevericwebdeveric

            1




            1













            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40





















            • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

              – fossfreedom
              Mar 7 '13 at 21:40



















            Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

            – fossfreedom
            Mar 7 '13 at 21:40







            Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

            – fossfreedom
            Mar 7 '13 at 21:40















            0














            This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



            In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



            mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
            
cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


            Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



            More info on how I figured this out here: https://darxus.livejournal.com/329621.html






            share|improve this answer






























              0














              This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



              In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



              mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
              
cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


              Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



              More info on how I figured this out here: https://darxus.livejournal.com/329621.html






              share|improve this answer




























                0












                0








                0







                This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



                In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



                mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
                
cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


                Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



                More info on how I figured this out here: https://darxus.livejournal.com/329621.html






                share|improve this answer















                This is the first hit on "initializing DST: openssl failure", which was the error I got when my DNS broke as a result of upgrading ubuntu from lucid to precise, so I'd like to mention the solution here.



                In my case, it was due to bind depending on an ssl library that was not in its chroot jail. The solution was:



                mkdir -p /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
                
cp -a /usr/lib/i386-linux-gnu/openssl-1.0.0/engines /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/


                Of course, now I need to keep those files up to date, and I don't know if there's a better solution.



                More info on how I figured this out here: https://darxus.livejournal.com/329621.html







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Feb 5 '15 at 2:05









                muru

                1




                1










                answered Feb 5 '15 at 1:24









                DarxusDarxus

                1




                1






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f257209%2fbind9-openssl-problem%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    How to change which sound is reproduced for terminal bell?

                    Image
                    3 Recently upgrade to 18.10 from 18.04, and using the terminal is becoming annoying: the new alert sound is a drip ( /usr/share/sounds/gnome/default/alerts/drip.ogg ), and the previous one is still located at ( /usr/share/sounds/ubuntu/stereo/bell.ogg ). My issue is that at the gnome-terminal, when autocompleting or pressing left BOTH sounds are reproduced, at the same time. I want to just have ubuntu/stereo/bell.ogg active, not both . At the moment I have been only able to reduce the volume of the alerts (but still both are played), or turn the alerts down (but I dislike both "solutions"). gnome-terminal 18.10 teminal-bell share | improve this question
                    Read more

                    Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

                    Image
                    up vote 5 down vote favorite 2 I would like to make it so that the vertical space below the title of each chapter is the same when using the Bjornstrup package (i.e. so that the descenders do not affect the spacing - as shown by the red arrow in the picture below). I think I'm fairly happy with the spacing around "A chapter", so I'd really like titles without descenders (e.g. "Contents") to have the same vertical spacing as "A chapter" below the title. I would also like to remove the large "0" in the contents title. Any help appreciated, as always. documentclass[11pt,a4paper]{book} % Packages[![enter image description here][1]][1] usepackage[left=3.5cm, right=3.5cm, top=4.3cm, bottom=4.25cm]{geometry} usepackage[utf8]{inputenc} usepackage{libertine} usepackage[libertine]{newtx
                    Read more

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?

                    Image
                    0 I want to add Tabulator js to my java project. I added tabulator.min.js, tabulator.min.css to resources folder. After that added to my html page these dependencies as recommending in readme.md. <link rel="stylesheet" th:href="@{/css/tabulator.min.css}"> <script type="text/javascript" th:src="@{/js/tabulator.min.js}"></script> Now my tables view all elements, that I have in the html page, but not correct. In the documentation of Tabulator is example how to create header and table, var table = new Tabulator("#example-table", { columns:[ {title:"Name", field:"name", sorter:"string", width:200, editor:true}, {title:"Age", field:"age", sorter:"
                    Read more