Articles

Confine BIND with AppArmor and SELinux (2026)

April 16, 2026 7 min read

BIND doesn’t actually break when you confine it with AppArmor and SELinux; instead, it stops working because the confinement rules are too strict, preventing BIND from accessing critical files or network ports it needs to operate. This is a common hurdle when hardening BIND, as you’re balancing security with necessary functionality.

Here’s how to diagnose and fix common confinement issues with AppArmor and SELinux:

AppArmor

AppArmor confines processes by defining profiles that specify what files, network addresses, and capabilities a process is allowed to use. When BIND (named) is confined, it will often fail to start or respond to queries.

Common Causes and Fixes:

  1. Incorrectly Restricted Data Directory:

    • Diagnosis: Check the BIND configuration for directory (e.g., /var/named). Then, examine the AppArmor profile for named (usually in /etc/apparmor.d/usr.sbin.named) and see if there are owner /var/named/** rwk or similar lines. If BIND fails to start, check syslog (/var/log/syslog or /var/log/messages) for "DENIED" messages related to /var/named.
    • Fix: Ensure the AppArmor profile explicitly allows read, write, and execute access to the BIND data directory. Add or modify lines like:
      /var/named/** rwk,
/var/named/.rw-r--r-- rwk, # For specific files if needed
      Then reload AppArmor profiles: sudo systemctl reload apparmor or sudo service apparmor reload.
    • Why it works: This grants named the necessary permissions to create and manage zone files, PID files, and other operational data within its designated directory.

  2. Restricted Access to Configuration Files:

    • Diagnosis: If BIND starts but doesn’t load zones or fails to reconfigure, check syslog for "DENIED" messages related to /etc/bind/named.conf* or zone files specified in named.conf.
    • Fix: Add read access for BIND to its configuration files:
      /etc/bind/named.conf{,.*} r,
/etc/bind/zones/*.zone r, # If your zone files are in a subdirectory
      Reload AppArmor profiles.
    • Why it works: BIND needs to read its main configuration and all included configuration files, as well as the zone data files, to operate.

  3. Restricted Access to PID File:

    • Diagnosis: BIND might fail to start if it can’t write its process ID (PID) file, often located in /var/run/named/named.pid. Check syslog for "DENIED" messages related to this file.
    • Fix: Grant write access to the PID file location:
      /var/run/named/named.pid w,
/var/run/named/ rwk, # If it needs to create the directory itself
      Reload AppArmor profiles.
    • Why it works: The PID file is essential for BIND to manage its process, allowing other tools to find and interact with the running named daemon.

  4. Restricted Network Access (UDP/TCP 53):

    • Diagnosis: If BIND starts but cannot answer queries or perform zone transfers, syslog might show "DENIED" messages related to network operations on port 53.
    • Fix: Ensure the AppArmor profile allows network operations on UDP and TCP port 53:
      network inet stream,
network inet udp,
# Or more specifically:
# network inet tcp port 53,
# network inet udp port 53,
      Reload AppArmor profiles.
    • Why it works: This explicitly permits BIND to bind to and listen on the standard DNS ports for both TCP and UDP, allowing it to receive and respond to DNS queries.

  5. Restricted Access to Cache Files:

    • Diagnosis: Performance issues or inability to resolve external domains might be due to BIND being denied access to its cache directory (often /var/cache/bind). Check syslog for "DENIED" messages related to cache files.
    • Fix: Allow read/write access to the cache directory:
      /var/cache/bind/** rw,
      Reload AppArmor profiles.
    • Why it works: BIND uses a cache to store DNS records it has recently looked up, improving performance and reducing load on other DNS servers. It needs write access to update this cache.

SELinux

SELinux (Security-Enhanced Linux) uses a mandatory access control (MAC) system based on labels. Processes have security contexts, and files/ports also have contexts. SELinux policies define what contexts can interact with what other contexts. BIND’s failure under SELinux confinement usually means its security context doesn’t have the necessary permissions to access required resources.

Common Causes and Fixes:

  1. Incorrect File Contexts for BIND Data/Config:

    • Diagnosis: BIND fails to start or load zones. Check syslog for "AVC denied" messages related to BIND’s operations on files like /var/named/, /etc/bind/named.conf, or zone files. Use ls -Z to check the current context of these files and ps -Z to see BIND’s context. The default context for BIND files is typically named_zone_t or named_conf_t.
    • Fix: Relabel the files and directories with the correct SELinux context. For example, if /var/named/myzone.zone has the wrong context:
      sudo semanage fcontext -a -t named_zone_t "/var/named/myzone.zone"
sudo restorecon -Rv /var/named/
      Do this for /var/named/, /etc/bind/, and any other critical BIND directories or files.
    • Why it works: SELinux enforces policy based on labels. Correctly labeling BIND’s configuration, data, and zone files with named_conf_t and named_zone_t contexts allows the named_t process context to access them as defined by the SELinux policy.

  2. Restricted Network Port Access:

    • Diagnosis: BIND starts but cannot serve DNS requests. Check syslog for "AVC denied" messages related to port 53 (UDP/TCP). Use semanage port -l | grep 53 to see if port 53 is allowed for named.
    • Fix: Ensure port 53 is defined as a DNS port for BIND:
      sudo semanage port -a -t dns_port_t -p tcp 53
sudo semanage port -a -t dns_port_t -p udp 53
      If dns_port_t is not recognized, it might be named differently or require a specific SELinux policy module. Often, the named_t type already has permissions for dns_port_t.
    • Why it works: SELinux policies restrict which processes can bind to which network ports. This command tells SELinux that port 53 (TCP and UDP) is a valid port for DNS services, allowing the named_t process to listen on it.

  3. Restricted Access to PID File Directory:

    • Diagnosis: BIND fails to start, with "AVC denied" messages related to /var/run/named/named.pid.
    • Fix: Ensure the directory for the PID file has the correct SELinux context. Typically, it should be named_runtime_t.
      sudo semanage fcontext -a -t named_runtime_t "/var/run/named(/.*)?"
sudo restorecon -Rv /var/run/named/
    • Why it works: This grants the named_t process the ability to create and manage its PID file within the /var/run/named directory, which is a standard location for runtime data.

  4. Restricted Access to Cache Directory:

    • Diagnosis: BIND might fail to start or log errors about not being able to write to its cache directory (e.g., /var/cache/bind). Check syslog for "AVC denied" messages related to cache file operations.
    • Fix: Label the cache directory with the named_cache_t context:
      sudo semanage fcontext -a -t named_cache_t "/var/cache/bind(/.*)?"
sudo restorecon -Rv /var/cache/bind/
    • Why it works: This allows the named_t process to write to and read from the cache directory, enabling BIND to store and retrieve DNS records for improved performance.

  5. Missing Required SELinux Booleans:

    • Diagnosis: Sometimes, BIND might need to perform actions that are allowed by default AppArmor but restricted by SELinux unless a specific boolean is enabled. For example, if BIND needs to act as a DNSSEC validator or perform other advanced operations, certain booleans might be required. Check syslog for "AVC denied" messages that don’t immediately map to file or port issues. Use getsebool -a | grep named to see available booleans.
    • Fix: Enable necessary booleans. A common one for BIND is named_write_master_zones if it needs to update zone files on a secondary server, or dnssec_enable.
      sudo setsebool -P named_write_master_zones on
      The -P makes the change persistent across reboots.
    • Why it works: SELinux booleans are switches that allow for more granular control over policy. Enabling a boolean like named_write_master_zones relaxes a specific restriction within the SELinux policy, allowing named_t to write to zones if it’s configured to do so.

The next error you’ll encounter after fixing these confinement issues is usually related to DNSSEC validation failures if your BIND is configured to perform it, as this involves more complex cryptographic operations and trust anchors that also need correct SELinux/AppArmor permissions.

Want structured learning?

Take the full Bind course →