[Bug 1067473] Re: [quantal] dhclient sometimes runs unconfined
Jamie Strandboge
jamie at ubuntu.com
Tue Oct 16 19:03:15 UTC 2012
** Changed in: isc-dhcp (Ubuntu R-series)
Importance: Undecided => High
** Description changed:
I was doing install audits of 12.10 and noticed this with 'sudo aa-status':
1 processes are unconfined but have a profile defined.
- /sbin/dhclient (<pid removed>)
+ /sbin/dhclient (<pid removed>)
This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of ram with installation defaults (except home directory is encrypted) and the following tasks installed:
Basic Ubuntu server
OpenSSH server
- DNS server
+ DNS server
LAMP server
Mail server
PostgreSQL database
Print server
Samba file server
Tomcat Java server
Virtual Machine host
+
+ Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this:
+ diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links
+ --- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links 2012-10-16 13:48:13.000000000 -0500
+ +++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links 1969-12-31 18:00:00.000000000 -0600
+ @@ -1,3 +0,0 @@
+ -sbin/dhclient sbin/dhclient3
+ -usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz
+ -etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient
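Review bot: the unchanged context sentence "I don't know what introduced the regression" is now answered by the paragraph this change appends, which names the dropped debian/isc-dhcp-client.links from the quantal merge as the cause. Reword that sentence in the description so the cause is stated once and a reader does not have to reconcile the two statements.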
** Changed in: isc-dhcp (Ubuntu R-series)
Assignee: (unassigned) => Stéphane Graber (stgraber)
** Changed in: isc-dhcp (Ubuntu Quantal)
Assignee: (unassigned) => Stéphane Graber (stgraber)
** Changed in: isc-dhcp (Ubuntu Quantal)
Status: New => Triaged
** Changed in: isc-dhcp (Ubuntu R-series)
Status: New => Triaged
** Summary changed:
- [quantal] dhclient sometimes runs unconfined
+ [quantal] isc-dhcp-client dropped network-interface-security symlink and therefore may run unconfined
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1067473
Title:
[quantal] isc-dhcp-client dropped network-interface-security symlink
and therefore may run unconfined
Status in “isc-dhcp” package in Ubuntu:
Triaged
Status in “isc-dhcp” source package in Quantal:
Triaged
Status in “isc-dhcp” source package in r-series:
Triaged
Bug description:
I was doing install audits of 12.10 and noticed this with 'sudo aa-status':

1 processes are unconfined but have a profile defined.
   /sbin/dhclient (<pid removed>)

This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of ram with installation defaults (except home directory is encrypted) and the following tasks installed:

  Basic Ubuntu server
  OpenSSH server
  DNS server
  LAMP server
  Mail server
  PostgreSQL database
  Print server
  Samba file server
  Tomcat Java server
  Virtual Machine host

Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this:

diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links
--- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links 2012-10-16 13:48:13.000000000 -0500
+++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links 1969-12-31 18:00:00.000000000 -0600
@@ -1,3 +0,0 @@
-sbin/dhclient sbin/dhclient3
-usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz
-etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient
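Review bot: the third removed line, `etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient`, is the only entry that put the dhclient profile into the directory /etc/init/network-interface-security.conf looks in, and deleting the whole file (`@@ -1,3 +0,0 @@`) takes it out together with the two dhclient3 compatibility links. Restore at least that line in the quantal debian/isc-dhcp-client.links. If dropping the dhclient3 links was intended, record that in the changelog so a later merge does not lose the AppArmor link with them.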
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1067473/+subscriptions
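An audit check for the condition described in this report, as an added example that is not part of the original message or of the isc-dhcp packaging: it reads `aa-status` text, extracts the executables listed as unconfined with a profile defined, and checks whether each has its link under /etc/apparmor/init/network-interface-security/. The function names, the ROOT prefix argument, the profile file naming rule and the sample output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the bug report. Paths are the ones the report names;
# function names, the ROOT argument and the sample text are assumptions.

# Constructed aa-status output reproducing the symptom in the report.
sample_status() {
cat <<'EOF'
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /sbin/dhclient (1234)
EOF
}

# Print executables under the "unconfined but have a profile" heading (stdin).
unconfined_with_profile() {
    awk '/processes are unconfined but have a profile defined/ { s = 1; next }
         s && /^[ \t]*\// { print $1; next }
         { s = 0 }'
}

# /sbin/dhclient -> sbin.dhclient (usual profile file naming; an assumption).
profile_name() { printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'; }

# True if the early-load link exists under ROOT and resolves to the profile.
nis_link_ok() {
    link="$1/etc/apparmor/init/network-interface-security/$2"
    [ -L "$link" ] && [ -e "$1/etc/apparmor.d/$2" ] &&
        [ "$(readlink -f "$link")" = "$(readlink -f "$1/etc/apparmor.d/$2")" ]
}

# Read aa-status text on stdin; report link state per unconfined executable.
audit() {
    unconfined_with_profile | while read -r exe; do
        if nis_link_ok "$1" "$(profile_name "$exe")"; then
            echo "$exe link-present"
        else
            echo "$exe link-missing"
        fi
    done
}

sample_status | audit ""   # on a live system: sudo aa-status | audit ""
```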