[Bug 2011628] Re: Apparmor Disallows Disabling Dhclient Scripts
Brett Holman
2011628 at bugs.launchpad.net
Thu Aug 24 14:47:25 UTC 2023
This was fixed in ubuntu maintic, but not yet SRU'd to focal, jammy, or
lunar since this "fix" just eliminates harmless warnings, which is not
worth backporting to old releases.
Cloud-init users that see warnings due to apparmor such as
execve (/bin/true, ...): Permission denied
due to apparmor blocking execution of /bin/true may be concerned about
problems associated with this error, but rest assured that apparmor
blocking /bin/true accomplishes the same thing as apparmor allowing
/bin/true (no side-effects are allowed by hook scripts), so this warning
is just noise and can be safely ignored.
Cloud-init users on these releases that wish to see no apparmour
warnings might locally include this rule themselves via:
echo " /bin/true Uxr," > /etc/apparmor.d/local/sbin.dhclient
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/2011628
Title:
Apparmor Disallows Disabling Dhclient Scripts
Status in isc-dhcp package in Ubuntu:
Fix Released
Status in isc-dhcp source package in Focal:
New
Status in isc-dhcp source package in Jammy:
New
Status in isc-dhcp source package in Lunar:
New
Status in isc-dhcp package in Debian:
New
Bug description:
In some cases, it may be desirable to disable dhclient scripts. By
default /sbin/dhclient-script is used, and some others are allowed by
the apparmor profile.
Without Apparmor, disabling hook scripts can be accomplished with
flags -sf /bin/true, but with apparmor enabled this gets blocked:
execve (/bin/true, ...): Permission denied
Unfortunately dhclient doesn't appear to provide any other mechanism
for disabling hook scripts.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2011628/+subscriptions
More information about the foundations-bugs
mailing list