can't create file: permission denied by apparmor

Bug #358035 reported by OlaJi
Affects: dhcp3 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Upgraded from Ubuntu 8.10 to 9.04 and lost all network connections. Found out that it was a problem with dhcp3-client. See syslog list:

Apr 8 22:55:48 idefix dhclient: Can't create /usr/local/var/run/dhclient-eth1.pid: Permission denied
Apr 8 22:55:48 idefix kernel: [ 190.757114] type=1503 audit(1239224148.534:16): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=0 name="/usr/local/var/run/dhclient-eth1.pid" pid=3618 profile="/sbin/dhclient3"
Apr 8 22:55:52 idefix dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 3
Apr 8 22:55:53 idefix dhclient: DHCPOFFER of 192.168.0.4 from 192.168.0.1
Apr 8 22:55:53 idefix dhclient: DHCPREQUEST of 192.168.0.4 on eth1 to 255.255.255.255 port 67
Apr 8 22:55:55 idefix dhclient: DHCPACK of 192.168.0.4 from 192.168.0.1
Apr 8 22:55:55 idefix dhclient: execve (/usr/local/libexec/nm-dhcp-client.action, ...): Permission denied
Apr 8 22:55:55 idefix dhclient: can't create /usr/local/var/lib/dhcp3/dhclient-eth1.lease: No such file or directory
Apr 8 22:55:55 idefix dhclient: bound to 192.168.0.4 -- renewal in 34096 seconds.
Apr 8 22:55:55 idefix dhclient: Can't create /usr/local/var/run/dhclient-eth1.pid: Permission denied
Apr 8 22:55:55 idefix kernel: [ 197.668930] type=1503 audit(1239224155.446:17): operation="inode_permission" requested_mask="x::" denied_mask="x::" fsuid=0 name="/usr/local/libexec/nm-dhcp-client.action" pid=3620 profile="/sbin/dhclient3"
Apr 8 22:55:55 idefix kernel: [ 197.669691] type=1503 audit(1239224155.446:18): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=0 name="/usr/local/var/run/dhclient-eth1.pid" pid=3618 profile="/sbin/dhclient3"
Apr 8 22:55:57 idefix NetworkManager: <info> Device 'eth0' DHCP transaction took too long (>45s), stopping it.
Apr 8 22:55:57 idefix NetworkManager: <info> eth0: canceled DHCP transaction, dhcp client pid 3588
Apr 8 22:55:57 idefix NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Timeout) scheduled...
Apr 8 22:55:57 idefix NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Timeout) started...
Apr 8 22:55:57 idefix NetworkManager: <info> (eth0): device state change: 7 -> 9
Apr 8 22:55:57 idefix NetworkManager: <info> Marking connection 'Auto eth0' invalid.

When I disabled the apparmor profile /sbin/dhclient3 the network connection with NetworkManager works again. I don't know if this is a bug in dhcp3 or apparmor, but it's a bug that breaks the system. It's hard to get back on track without a network connection...

ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 9.04
Package: dhcp3-client 3.1.1-5ubuntu8
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: dhcp3
Uname: Linux 2.6.28-11-generic i686

OlaJi (ola-jirlow) wrote :
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. In examining your syslog output, it is clear that you are not running Ubuntu packages, have installed software into non-standard locations (file in /usr/local), or have symlinked files in /var to /usr/local. To work around this, update /etc/apparmor.d/sbin.dhclient to give access to the necessary files, and restart apparmor with:

$ sudo /etc/init.d/apparmor force-reload

Changed in dhcp3 (Ubuntu):
status: New → Invalid
RichardNeill (ubuntu-richardneill) wrote :

I've just been bitten by this one too: trying to run:

  dhcpd3 -f -cf /tmp/dhcpd.conf -lf /tmp/dhcpd.leases -pf /tmp/dhcpd.pid wlan2

and all I get is a permission-denied error on the file /tmp/dhcpd.conf
Even stracing it doesn't help.

If apparmor is going to block something, please could it be very NOISY about it, and at the very least print something to stderr. Otherwise, this is exceedingly hard to debug.
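
The denials in this report do not reach the program's stderr; they appear only as kernel type=1503 audit records in syslog, as in the listing in the bug description. As an added example (not part of the original report or of any comment above), this Python sketch pulls those records out of syslog text and groups the denied paths by profile, which shows what a profile edit would have to cover. The function names are hypothetical, and the sample input is constructed from lines copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample: three kernel audit lines and one plain dhclient line,
# copied from the syslog in the report above. Only the audit lines should match.
SAMPLE = """\
Apr 8 22:55:48 idefix kernel: [ 190.757114] type=1503 audit(1239224148.534:16): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=0 name="/usr/local/var/run/dhclient-eth1.pid" pid=3618 profile="/sbin/dhclient3"
Apr 8 22:55:55 idefix dhclient: execve (/usr/local/libexec/nm-dhcp-client.action, ...): Permission denied
Apr 8 22:55:55 idefix kernel: [ 197.668930] type=1503 audit(1239224155.446:17): operation="inode_permission" requested_mask="x::" denied_mask="x::" fsuid=0 name="/usr/local/libexec/nm-dhcp-client.action" pid=3620 profile="/sbin/dhclient3"
Apr 8 22:55:55 idefix kernel: [ 197.669691] type=1503 audit(1239224155.446:18): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=0 name="/usr/local/var/run/dhclient-eth1.pid" pid=3618 profile="/sbin/dhclient3"
"""

# Header of an audit record as it appears in the log above: type=1503 audit(<time>:<serial>):
AUDIT_RE = re.compile(r'type=1503 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<fields>.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict per type=1503 record in text that carries a denied_mask."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # ordinary syslog line, not an audit record
        fields = {k: (q if q else bare) for k, q, bare in FIELD_RE.findall(m.group("fields"))}
        if "denied_mask" not in fields:
            continue  # same record type but not a denial
        fields["serial"] = int(m.group("serial"))
        records.append(fields)
    return records

def summarize(records):
    """Group denials as {profile: {(path, denied_mask): count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        out[r.get("profile", "?")][(r.get("name", "?"), r["denied_mask"])] += 1
    return {profile: dict(paths) for profile, paths in out.items()}

if __name__ == "__main__":
    for profile, paths in summarize(parse_denials(SAMPLE)).items():
        print(f"profile {profile}")
        for (path, mask), count in sorted(paths.items()):
            print(f"  denied {mask!r} on {path} ({count}x)")
```
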
