[Bug 1918410] Re: isc-dhcp-client denied by apparmor

Daniel Richard G. 1918410 at bugs.launchpad.net
Mon Mar 28 05:57:50 UTC 2022 

Note to everyone watching this bug:

The file that John modified above is in the "extra profiles" section of
the upstream AppArmor source repository. It may be found on an Ubuntu
system at

    /usr/share/apparmor/extra-profiles/sbin.dhclient

and in jammy, it has his fix.

However, the isc-dhcp-client package provides its own separate profile,
which is installed at

    /etc/apparmor.d/sbin.dhclient

and is quite different.

Most people are likely going to be using this latter one, as it is
enabled by default. So they will not receive the benefit of John's fix.
I've confirmed that the original "DENIED" messages still occur on jammy.

** Tags added: jammy

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1918410

Title:
  isc-dhcp-client denied by apparmor

Status in isc-dhcp package in Ubuntu:
  Triaged

Bug description:
  Hi, I get weird errors in the audit log, seeing dhclient is being
  denied reading its comm or the comm of one of its tasks:

  
  [1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  This might or might not be linked with the fact that I can't get an
  IPv4 on this interface. Note that it happened to other, see this
  comment:

  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8

  Or even an article recommending disabling apparmor for dhclient(!):
  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/

  
  As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:

  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410/+subscriptions

More information about the foundations-bugs mailing list