Hi ya,
I know you posted this a while ago, so you may have already figured it out. I ran into the same problem and it turned out that the answer here is that it's AppArmor that's causing you grief. Try stopping AppArmor, then run named in your chroot environment again. I like to run my name server in /var/lib/named, so given my usr.sbin.named file below, I should be able to edit everything from line 18 down to point to the new locations.
For what it's worth, I haven't completely tinkered with my /etc/apparmor.d/usr.sbin.named file (I'm running Ubuntu Server 8.04.1), but I did change where bind logs to in named.conf. I had to give named access to that log file in usr.sbin.named. I'm sure I could get the chroot environment working again with more editing. I just haven't found the time.
Here's my /etc/apparmor.d/usr.sbin.named file. I've noted where I think the changes should be made.
Code:
# vim:syntax=apparmor
# Last Modified: Sun Sep 14 23:02:34 2008
#include <tunables/global>
/usr/sbin/named {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
### Changing these to the chroot location is part of the solution. ###
/etc/bind/** r,
/var/lib/bind/** rw,
/var/cache/bind/** rw,
###
# added 20080914 --amj to give named access to log file
/var/log/named.log w,
### As are these, but I haven't tinkered with them yet ###
/proc/net/if_inet6 r,
/usr/sbin/named mr,
/var/run/bind/run/named.pid w,
# support for resolvconf
/var/run/bind/named.options r,
###
}
I suspect that none of the edits need to be relative to the chroot environment.
Hope this helps,
Andrew
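The same profile re-pointed at a /var/lib/named chroot, as an added example rather than anything from Andrew's post. It assumes named is started with -t /var/lib/named and that the chroot already contains the usual etc/bind, var/lib/bind, var/cache/bind, var/log and var/run/bind directories.

```apparmor
# vim:syntax=apparmor
# Added example: the posted usr.sbin.named profile adjusted for a chroot at
# /var/lib/named. Assumes "named -t /var/lib/named" and the directory tree
# named above has been created under the chroot.
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # AppArmor matches the real path as seen from the host, not the path named
  # sees after chroot(), so every file rule carries the chroot prefix.
  /var/lib/named/etc/bind/** r,
  /var/lib/named/var/lib/bind/** rw,
  /var/lib/named/var/cache/bind/** rw,

  # Log file from the post, now inside the chroot.
  /var/lib/named/var/log/named.log w,

  # PID file and resolvconf options are written/read after the chroot.
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,

  # The binary is executed before named calls chroot(), so this rule keeps
  # the host path.
  /usr/sbin/named mr,

  # Kept unchanged from the post; adjust only if /proc is mounted in the chroot.
  /proc/net/if_inet6 r,
}
```

Reload the profile with apparmor_parser -r /etc/apparmor.d/usr.sbin.named and check the kernel log for remaining DENIED entries before re-enabling enforcement for good.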