[xenial] dhcp server does not work with apparmor enabled

Bug #1540672 reported by Doug Smythies
This bug affects 3 people
Affects: isc-dhcp (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

I only seem to be able to make my dhcp server work properly by disabling apparmor.
With apparmor enabled it seems to complain that it is unable to open the leases file for append.
With apparmor either disabled completely (via linux command line in grub), or set to complain mode for /usr/sbin/dhcpd, the dhcp server appears to work fine (so far).

Observed with 2.10-0ubuntu11, and 2.10-0ubuntu12 (from the update of today). I do not know about any previous version, as this is my first attempt with xenial at setting up a dhcp server.

My system is being built fresh from the daily Ubuntu server AMD64 ISO of 2016.01.30. The hard disk is new, as the old one (12.04 server) failed.

I do not know if it is relevant, but I do notice an edit date of 2016.01.25 in /etc/apparmor.d/usr.sbin.dhcpd

The main problem log line:

kernel: [ 22.629981] audit: type=1400 audit(1454368046.405:10): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=1198 comm="dhcpd" capability=1 capname="dac_override"

Doug Smythies (dsmythies) wrote :

I gather I was supposed to file this under isc-dhcp instead of apparmor.

Doug Smythies (dsmythies) wrote :

I used aa-logprof and it came up with the attached file. Now I can run apparmor in enforce mode, i.e.
"sudo aa-enforce /usr/sbin/dhcpd"

Jamie Strandboge (jdstrand) wrote :

This seems like a duplicate of bug #1540672, but there isn't enough information in this bug. Are you still seeing this with up to date xenial? Can you undo the changes to the profile and perform 'ubuntu-bug 1540672' so that more information can be attached to this bug? Also, please attach your profile after undoing the changes.

no longer affects: apparmor (Ubuntu)
tags: added: apparmor
Changed in isc-dhcp (Ubuntu):
status: New → Incomplete
Doug Smythies (dsmythies) wrote :

Yes, I am seeing this issue with an up to date Xenial (well, updated yesterday).
I can not undo the changes to the profile. Why not? Because I didn't know that aa-logprof didn't make a backup file before messing with the file, and I had not saved one myself. However, I'll see if I can find it elsewhere.
I suspect you meant to say "duplicate of bug 1543794", which I myself think is the other way around.

Doug Smythies (dsmythies) wrote :

Oh, I see there was an update to this stuff a few minutes ago. It seems to fix the issue. I couldn't find the original profile file in any source package nor could I find any bizarre branch on launchpad, so I installed it on another server and copied the file back to the problem server, /etc/apparmor.d/usr.sbin.dhcpd.

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Fix Released
Doug Smythies (dsmythies) wrote :

This issue has returned. I'll supply the extra requested information as soon as I can.

Changed in isc-dhcp (Ubuntu):
status: Fix Released → Incomplete
Doug Smythies (dsmythies) wrote :

I can not seem to run the requested command. I just get this:

ubuntu-bug 1540672
No pending crash reports. Try --help for more information.

Note: while experienced at bug reports and such, I have never ever successfully run any of the collect stuff.

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Confirmed
Doug Smythies (dsmythies) wrote :

I am suggesting that the issue was fixed by this:

2016-02-17 17:24:06 upgrade isc-dhcp-server:amd64 4.3.3-5ubuntu4 4.3.3-5ubuntu5

And then broken again by this:

2016-02-26 08:22:59 upgrade isc-dhcp-server:amd64 4.3.3-5ubuntu5 4.3.3-5ubuntu7

Doug Smythies (dsmythies) wrote :

Note 1: isc-dhcp-server 4.3.3-5ubuntu8 does not fix this issue.

Note 2: There seem to be other apparmor issues, one of which was fixed by isc-dhcp-client 4.3.3-5ubuntu8. The other remaining one is with named:

Feb 27 07:53:07 DOUG-64 kernel: [ 21.320614] audit: type=1400 audit(1456588387.143:11): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1345 comm="named" requested_mask="r" denied_mask="r" fsuid=109 ouid=0

but if I set that one to "complain" my system crashes during re-boot.
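
The two denial records quoted in this report can be triaged mechanically. The following is an added example, not part of the original thread and not AppArmor's own tooling: it parses `type=1400` audit lines and lists, per confined profile, the rule that would cover each denial so it can be reviewed before anything is changed. The function names are hypothetical and the sample input is constructed from the two log lines above.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample input: the two audit records quoted in this bug report.
SAMPLE_LOG = '''\
kernel: [ 22.629981] audit: type=1400 audit(1454368046.405:10): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=1198 comm="dhcpd" capability=1 capname="dac_override"
Feb 27 07:53:07 DOUG-64 kernel: [ 21.320614] audit: type=1400 audit(1456588387.143:11): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1345 comm="named" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
'''

# Matches the audit header and captures the key=value payload after it.
AUDIT_RE = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$')


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # shlex strips the double quotes around values such as profile="...".
    tokens = shlex.split(m.group(3))
    fields = dict(tok.split('=', 1) for tok in tokens if '=' in tok)
    if fields.get('apparmor') != 'DENIED':
        return None
    fields['epoch'] = float(m.group(1))
    return fields


def candidate_rule(denial):
    """Map a denial to the profile rule that would cover it (for review only)."""
    if denial.get('operation') == 'capable' and 'capname' in denial:
        return 'capability %s,' % denial['capname']
    if 'name' in denial and 'denied_mask' in denial:
        return '%s %s,' % (denial['name'], denial['denied_mask'])
    return None  # operation type this example does not model


def summarize(log_text):
    """Group candidate rules by the profile that produced the denial."""
    by_profile = defaultdict(set)
    for line in log_text.splitlines():
        denial = parse_denial(line)
        rule = candidate_rule(denial) if denial else None
        if rule:
            by_profile[denial['profile']].add(rule)
    return {profile: sorted(rules) for profile, rules in by_profile.items()}


if __name__ == '__main__':
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(profile, rules)
```

A `dac_override` denial means the confined process touched a file that its UID has no ordinary (DAC) permission for, so checking that file's owner and mode is an alternative to granting the capability in the profile.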

Jamie Strandboge (jdstrand) wrote :

Doug, regarding note 2, that is a separate bug-- this is a denial for 'named', the daemon from the bind9 package.

Jamie Strandboge (jdstrand) wrote :

Doug, as for note 1, is bug #1543794 a duplicate? It has more information regarding the problem.

Changed in isc-dhcp (Ubuntu):
status: Confirmed → Incomplete
Doug Smythies (dsmythies) wrote :

Yes, I think bug #1543794 is a duplicate.
