
@shadowbq
Last active February 13, 2019 03:31
Logrotate.d script for bind9 named server in ubuntu
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
# AppArmor profile confining the BIND name server binary. Everything named may
# touch is listed below; anything not listed is denied while the profile is
# loaded in enforce mode.
/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/nameservice>
# Capabilities: net_bind_service allows binding to ports below 1024;
# setgid/setuid allow changing identity (presumably so named can drop root
# after start-up -- confirm against the service's start options);
# sys_chroot allows chroot(); sys_resource allows raising resource limits.
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
# Read-only configuration keeps a compromised named from rewriting its own
# config; note that "r" still lets it read every file under /etc/bind, keys
# included.
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
# "l" additionally permits creating hard links under the cache directory.
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# gssapi
# "k" is the file-locking permission, "r" is read; the keytabs are not writable.
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/openssl.cnf r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
/proc/net/if_inet6 r,
/proc/*/net/if_inet6 r,
# "m" lets the binary be mapped executable; it is not writable.
/usr/sbin/named mr,
# {,var/} is an alternation, so each rule covers both /run and /var/run.
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
# named may create and overwrite any file below this directory, so whatever
# rotates or reads these logs outside the profile should not treat the
# directory contents as trusted.
/var/log/named/** rw,
/var/log/named/ rw,
# Site-specific additions and overrides. See local/README for details.
# Rules in the local file are merged into this profile and can widen access;
# review it together with this file.
#include <local/usr.sbin.named>
}
#
# Logrotate fragment for bind9.
#
# Rotates every file matching the glob below once a day and keeps five old
# copies, i.e. roughly five days of history on this host. Forward the logs
# elsewhere if investigations need a longer window.
# NOTE(review): no "su" directive is set, so rotation runs with logrotate's
# own privileges (usually root). If /var/log/named is writable by the named
# service account, consider "su <named-user> <named-group>" (placeholders --
# confirm the directory's owner first) so root does not operate on paths
# that account controls.
# NOTE(review): no "create" directive is set, so the new log file is
# presumably created by named itself after the reload -- confirm that the
# resulting owner and mode are what you expect.
/var/log/named/*.log {
daily
compress
# delaycompress leaves the newest rotated file uncompressed until the next cycle.
delaycompress
rotate 5
# missingok: an absent log file is not treated as an error.
missingok
# The reload below runs only if the init script exists. Its output is
# discarded and "|| true" forces a zero exit status, so a failed reload is
# silent; named may then keep writing to the rotated file (verify).
postrotate
[ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true
endscript
}
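// Sends query, zone-transfer (in and out) and default-category messages to a
// single file channel under /var/log/named.
logging {
    channel log_file {
        file "/var/log/named/named.log";
        // "debug 3" also admits debug-level messages, so this channel is verbose.
        severity debug 3;
        // named does not timestamp file channels unless asked to; without
        // print-time the entries cannot be ordered or correlated with other
        // logs during an investigation.
        print-time yes;
        // Label each line with its severity and category, since four
        // categories share this one file.
        print-severity yes;
        print-category yes;
    };
    // Query logs record client addresses and the names they looked up;
    // treat the file as sensitive and restrict who can read it.
    category queries { log_file; };
    category xfer-in { log_file; };
    category xfer-out { log_file; };
    category default { log_file; };
};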