Note to everyone watching this bug:

The file that John modified above is in the "extra profiles" section of
the upstream AppArmor source repository. It may be found on an Ubuntu
system at

    /usr/share/apparmor/extra-profiles/sbin.dhclient

and in jammy, it has his fix.

However, the isc-dhcp-client package provides its own separate profile,
which is installed at

    /etc/apparmor.d/sbin.dhclient

and is quite different.

Most people are likely going to be using this latter one, as it is
enabled by default. So they will not receive the benefit of John's fix.
I've confirmed that the original "DENIED" messages still occur on jammy.

** Tags added: jammy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1918410

Title:
  isc-dhcp-client denied by apparmor

Status in isc-dhcp package in Ubuntu:
  Triaged

Bug description:
  Hi, I get weird errors in the audit log, seeing dhclient is being
  denied reading its comm or the comm of one of its tasks:

  
  [1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  This might or might not be linked with the fact that I can't get an
  IPv4 on this interface. Note that it happened to others, see this
  comment:

  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8

  Or even an article recommending disabling apparmor for dhclient(!):

  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/

  
  As I said, I'm not sure this is the root cause of the lack of IPv4
  renewal, because running it manually *does* succeed in getting an IP.
  And running it in strace shows the EACCES failure:

  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)

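Added example, not part of the original bug report or of AppArmor: a small Python parser that groups `apparmor="DENIED"` audit records like the one quoted in the bug description by profile, path pattern and denied mask, which helps confirm whether the same denial persists after a profile change. The second sample line and the `/*` normalization of numeric PID/TID path components are constructed for illustration.

```python
import re
from collections import Counter

# First line: the audit record quoted in the bug description (unwrapped).
# Second line: constructed, to show that records from other PIDs group together.
SAMPLE_LOG = '''\
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[1383399.000001] audit: type=1400 audit(1615367185.000:163): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/2200/task/2207/comm" pid=2200 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def normalize(path):
    """Collapse numeric path components (PIDs, TIDs) so per-process paths group."""
    return re.sub(r"/\d+(?=/|$)", "/*", path)


def summarize(log_text):
    """Count denials per (profile, normalized path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec.get("profile"), normalize(rec.get("name", "")), rec.get("denied_mask"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, path, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  profile={profile}  path={path}  denied_mask={mask}")
```
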