[opensuse] Strange dns fails to start
Hello all,

I installed zimbra on my Opensuse10.2. All was ok. Until I rebooted it, bind failed to start with this error:

# rcnamed restart
..dead
Shutting down name server BIND - Warning: named not running! done
Starting name server BIND /usr/sbin/named: error while loading shared libraries: libldap-2.3.so.0: failed to map segment from shared object: Operation not permitted
startproc: exit status of parent of /usr/sbin/named: 127
failed

I've searched zimbra's forum and there's some guys with the same problem. The proposed solution is to uninstall bind and compile again from source. Has anyone encountered this?

Thank you very much,
-- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 5:25am up 0:07, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
Fajar Priyanto wrote:
Hello all, I installed zimbra on my Opensuse10.2. All was ok. Until I rebooted it, bind failed to start with this error: # rcnamed restart ..dead Shutting down name server BIND - Warning: named not running! done Starting name server BIND /usr/sbin/named: error while loading shared libraries: libldap-2.3.so.0: failed to map segment from shared object: Operation not permitted startproc: exit status of parent of /usr/sbin/named: 127 failed
I've searched zimbra's forum and there's some guys with the same problem. The proposed solution is to uninstall bind and compile again from source.
That would be a messy hack, though I did install bind from a tarball once, when I had this same problem, or one very similar. What I found was a commercial antivirus program shipped with suse was doing something evil with capabilities, which prevented named from starting. I nuked that prog and all has been well ever since. IIRC it was H+BEDV AntiVir. Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday 03 July 2007 07:49, joe wrote:
I've searched zimbra's forum and there's some guys with the same problem. The proposed solution is to uninstall bind and compile again from source.
That would be a messy hack, though I did install bind from a tarball once, when I had this same problem, or one very similar. What I found was a commercial antivirus program shipped with suse was doing something evil with capabilities, which prevented named from starting. I nuked that prog and all has been well ever since. IIRC it was H+BEDV AntiVir.
Yes, I prefer not to install from source too. About the antivirus, all I have is clamav. -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 8:18am up 0:08, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
The Monday 2007-07-02 at 17:49 -0700, joe wrote:
That would be a messy hack, though I did install bind from a tarball once, when I had this same problem, or one very similar. What I found was a commercial antivirus program shipped with suse was doing something evil with capabilities, which prevented named from starting. I nuked that prog and all has been well ever since. IIRC it was H+BEDV AntiVir.
That would be because you installed the kernel module. The program itself is safe. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Monday 2007-07-02 at 17:49 -0700, joe wrote:
That would be a messy hack, though I did install bind from a tarball once, when I had this same problem, or one very similar. What I found was a commercial antivirus program shipped with suse was doing something evil with capabilities, which prevented named from starting. I nuked that prog and all has been well ever since. IIRC it was H+BEDV AntiVir.
That would be because you installed the kernel module. The program itself is safe.
Nope. I didn't "install" anything. Stock standard suse setup, all I did was allow antivir to start at boot. If a kernel module was loaded, it was automatic and default behavior. Since clamav works well for use, I never bothered to find out what it would take to make antivir safe. Joe
The Monday 2007-07-02 at 20:08 -0700, joe wrote:
That would be because you installed the kernel module. The program itself is safe.
Nope. I didn't "install" anything. Stock standard suse setup, all I did was allow antivir to start at boot. If a kernel module was loaded, it was automatic and default behavior.
Since clamav works well for use, I never bothered to find out what it would take to make antivir safe.
I shouldn't have said "install", the module (dazuko?) comes with the distro. The program is not permanently loaded, and the module is optional. Anyway, I have been using both that antivir and bind with no problem for years. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Monday 2007-07-02 at 20:08 -0700, joe wrote:
That would be because you installed the kernel module. The program itself is safe. Nope. I didn't "install" anything. Stock standard suse setup, all I did was allow antivir to start at boot. If a kernel module was loaded, it was automatic and default behavior.
Since clamav works well for use, I never bothered to find out what it would take to make antivir safe.
I shouldn't have said "install", the module (dazuko?) comes with the distro. The program is not permanently loaded, and the module is optional. Anyway, I have been using both that antivir and bind with no problem for years.
It could be a corner case - perhaps your particular hardware and/or system config is different from the one where I saw the problem. Joe
On Tuesday 03 July 2007 05:25, Fajar Priyanto wrote:
Hello all, I installed zimbra on my Opensuse10.2. All was ok. Until I rebooted it, bind failed to start with this error: # rcnamed restart ..dead Shutting down name server BIND - Warning: named not running! done Starting name server BIND /usr/sbin/named: error while loading shared libraries: libldap-2.3.so.0: failed to map segment from shared object: Operation not permitted startproc: exit status of parent of /usr/sbin/named: 127 failed
I've searched zimbra's forum and there's some guys with the same problem. The proposed solution is to uninstall bind and compile again from source.
Has anyone encountered this? Thank you very much,
After further testing, I found this in /var/log/audit/audit.log:

type=APPARMOR msg=audit(1183427817.684:13): REJECTING m access to /opt/zimbra/lib/libldap-2.3.so.0.2.22 (named(7063) profile /usr/sbin/named active /usr/sbin/named)

What is it? Can I tell apparmor to allow it? Or should I turn off apparmor? How?
-- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 8:58am up 0:49, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
On Tuesday 03 July 2007 08:58, Fajar Priyanto wrote:
On Tuesday 03 July 2007 05:25, Fajar Priyanto wrote:
Hello all, I installed zimbra on my Opensuse10.2. All was ok. Until I rebooted it, bind failed to start with this error: # rcnamed restart ..dead Shutting down name server BIND - Warning: named not running! done Starting name server BIND /usr/sbin/named: error while loading shared libraries: libldap-2.3.so.0: failed to map segment from shared object: Operation not permitted startproc: exit status of parent of /usr/sbin/named: 127
failed
I've searched zimbra's forum and there's some guys with the same problem. The proposed solution is to uninstall bind and compile again from source.
Has anyone encountered this? Thank you very much,
After further testing, I found this in /var/log/audit/audit.log: type=APPARMOR msg=audit(1183427817.684:13): REJECTING m access to /opt/zimbra/lib/libldap-2.3.so.0.2.22 (named(7063) profile /usr/sbin/named active /usr/sbin/named)
What is it? Can I tell apparmor to allow it? Or should I turn off apparmor? How?
Ah, finally! Apparmor is really interesting. I think it's similar to SELinux? But much easier to manage. Ok, looking at the audit.log, it says that bind is not allowed to "map" zimbra's library. The solution is to allow it. To do it in apparmor: Yast > Apparmor > Edit profile > named > Add Entry > File /opt/zimbra/lib/* > Save. Done!
Suse is cool! :) -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 9:08am up 0:59, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
The Tuesday 2007-07-03 at 09:09 +0700, Fajar Priyanto wrote: ...
After further testing, I found this in /var/log/audit/audit.log: type=APPARMOR msg=audit(1183427817.684:13): REJECTING m access to /opt/zimbra/lib/libldap-2.3.so.0.2.22 (named(7063) profile /usr/sbin/named active /usr/sbin/named)
...
Ok, looking at the audit.log, it says that bind is not allowed to "map" zimbra's library. The solution is to allow it.
But, what is zimbra? That is not part of the suse install, and that's why apparmor doesn't allow it. -- Cheers, Carlos E. R.
On Tuesday 03 July 2007 16:18, Carlos E. R. wrote:
Ok, looking at the audit.log, it says that bind is not allowed to "map" zimbra's library. The solution is to allow it.
But, what is zimbra? That is not part of the suse install, and that's why apparmor doesn't allow it.
Zimbra is last year's winner of sourceforge.net's Community Choice Award for Best Enterprise Solution. Very impressive. www.zimbra.com -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 4:35pm up 0:28, 2.6.18.2-34-default GNU/Linux Let's use OpenOffice. http://www.openoffice.org
The Tuesday 2007-07-03 at 16:35 +0700, Fajar Priyanto wrote:
On Tuesday 03 July 2007 16:18, Carlos E. R. wrote:
Ok, looking at the audit.log, it says that bind is not allowed to "map" zimbra's library. The solution is to allow it.
But, what is zimbra? That is not part of the suse install, and that's why apparmor doesn't allow it.
Zimbra is last year's winner of sourceforge.net's Community Choice Award for Best Enterprise Solution. Very impressive. www.zimbra.com
Ah? But then... I don't understand why bind wants to use something from there instead of the system /usr/lib/libldap-2.3.so.0 :-? IMO, Apparmor is correct in impeding that access as a security risk. -- Cheers, Carlos E. R.
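An added example, not part of any message in this thread: a small Python parser for the legacy REJECTING audit format quoted above. It turns each denial into an exact-path profile rule granting only the denied access (instead of the /opt/zimbra/lib/* glob) and flags shared objects loaded from outside the system library directories, the concern raised in the reply above. The function names, the list of system library directories and the second and third sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Legacy AppArmor audit format, as logged on the openSUSE 10.2 box in this thread.
REJECT_RE = re.compile(
    r"type=APPARMOR msg=audit\([\d.]+:\d+\): REJECTING (?P<mode>[a-z]+) access to "
    r"(?P<path>\S+) \((?P<comm>[^()\s]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>\S+) active \S+\)"
)
# Assumed list of directories where distribution libraries normally live.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# First line is the denial quoted in the thread; the other two are constructed.
SAMPLE_LOG = """\
type=APPARMOR msg=audit(1183427817.684:13): REJECTING m access to /opt/zimbra/lib/libldap-2.3.so.0.2.22 (named(7063) profile /usr/sbin/named active /usr/sbin/named)
type=APPARMOR msg=audit(1183427817.690:14): REJECTING r access to /opt/zimbra/lib/libldap-2.3.so.0.2.22 (named(7063) profile /usr/sbin/named active /usr/sbin/named)
type=USER_AUTH msg=audit(1183427820.001:15): constructed unrelated record
"""

def parse_denials(log_text):
    """Return {(profile, path): set of denied mode letters} for REJECTING records."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            denials[(m["profile"], m["path"])].update(m["mode"])
    return dict(denials)

def is_foreign_library(path):
    """True for a shared object that lives outside the system library directories."""
    return ".so" in path.rsplit("/", 1)[-1] and not path.startswith(SYSTEM_LIB_DIRS)

def review(log_text):
    """Build one exact-path rule per denial and flag libraries from unusual places."""
    report = []
    for (profile, path), modes in sorted(parse_denials(log_text).items()):
        rule = f"{path} {''.join(sorted(modes))},"
        report.append({"profile": profile, "rule": rule,
                       "foreign_library": is_foreign_library(path)})
    return report

if __name__ == "__main__":
    for item in review(SAMPLE_LOG):
        flag = "  <- library outside system dirs" if item["foreign_library"] else ""
        print(f"{item['profile']}: {item['rule']}{flag}")
```

A flagged entry is a prompt to find out why the loader resolved the library from that directory before the rule is added to the profile.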
Fajar Priyanto wrote:
On Tuesday 03 July 2007 05:25, Fajar Priyanto wrote:
Hello all, I installed zimbra on my Opensuse10.2. All was ok. Until I rebooted it, bind failed to start with this error: # rcnamed restart ..dead Shutting down name server BIND - Warning: named not running! done Starting name server BIND /usr/sbin/named: error while loading shared libraries: libldap-2.3.so.0: failed to map segment from shared object: Operation not permitted startproc: exit status of parent of /usr/sbin/named: 127 failed
I've searched zimbra's forum and there's some guys with the same problem. The proposed solution is to uninstall bind and compile again from source.
Has anyone encountered this? Thank you very much,
After further testing, I found this in /var/log/audit/audit.log: type=APPARMOR msg=audit(1183427817.684:13): REJECTING m access to /opt/zimbra/lib/libldap-2.3.so.0.2.22 (named(7063) profile /usr/sbin/named active /usr/sbin/named)
What is it? Can I tell apparmor to allow it? Or should I turn off apparmor?
OK, so it's apparmor - one look at the logs tells the story there. apparmor seems fairly easy to work with, using the appropriate wizard in yast, but I confess I've turned it off out of laziness on more than one occasion. Joe
participants (4)
- Carlos E. R.
- Fajar Priyanto
- joe
- John Andersen