[Feature] - Support for AppArmour & Logging enabled for default path

[codezninja]

Problem

When running this role on Debian 11.6 with logging enabled bind9_named_logging: True the role fails to reload the service since AppArmor only allows logging by default for bind9 to be in path /var/log/named. The default this role uses conflicts with AppArmor setting.

Workaround

Currently since this is a variable users can just set the logging path to /var/log/named.

Long term solution

But to be able to truly support any logging path the user wants it be nice to have a task that updates the AppArmour config file before reloading the service. See solution here.

If this is an acceptable solution I don't mind giving the PR a shot. Basically it'd be an sed in place agains't that AppArmour file.

[doobry-systemli]

Dear @codezninja, thanks for your report. A PR would be appreciated - even though sed against the AppArmor file sounds a bit rude to be honest 😆. Isn't there something like include files that extend the AppArmor config? Unfortunately I don't have much experience with AppArmor.

[codezninja]

I actually have little experience with both Ansible and AppArmour but I shall see if there's a cleaner way to extend the profile that gets installed with bind9 via packages. I just want to open an issue first and discuss before I start the work on debugging and coming up with a solution.

[0xMattijs]

Maybe it is an idea to set default file locations according to the AppArmour profiles bundled with the respective distro?

[codezninja]

So reading through the docs looks like you can add an extra profile under the path /etc/apparmor.d/local/usr.sbin.named.

So my plan is to have a new task that

1. check to see if apparmour is enabled
2. if enabled create/append to the custom local file with the required lines of code.