AppArmor won't let DHCP server write to file

Bug #1103043 reported by Eric Teeter
This bug affects 4 people

Affects: apparmor (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned | Milestone: (none)

Bug Description

I have upgraded to Ubuntu 13.04 (alpha); I'm making a router with shorewall and isc-dhcp-server (v 4.2.4). Well, when I tried to use the DHCP server and my clients tried to get an address, I got the following error message:

Jan 22 08:40:56 firewall dhcpd: Open a socket for LPF: Permission denied
Jan 22 08:40:56 firewall kernel: [ 1897.012043] type=1400 audit(1358865656.830:20): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/dhcpd" pid=3132 comm="dhcpd" family="pa$
Jan 22 08:40:56 firewall dhcpd: Internet Systems Consortium DHCP Server 4.2.4

When I turn off AppArmor my DHCP server works fine. What changes need to be made to usr.sbin.dhcpd (which I have enclosed) for my DHCP server to work?

Revision history for this message
kingtiger01 (mnovick1988) wrote :

Suffering from this as well; disabling apparmor didn't help either... just started this morning...

Revision history for this message
Eric Teeter (teetere) wrote :

I had to remove it from starting. But my system is running just fine. If someone would post a change to the AppArmor setting for the dhcp server, then you could restart it.

To stop it, just:
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove

When the upgrade gets made you can restart it.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi,

Sorry for the troubles. It looks like the dhcp profile needs to be extended to take into account LPF. Unfortunately, the rejection line in the description has been truncated '[..] family="pa$'; until we can see the complete rejection entry, it'll be hard to suggest how to modify the profile.

Changed in apparmor (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
Revision history for this message
Eric Teeter (teetere) wrote :

How would you change the log file to get the whole error? That is all the file contains.

Revision history for this message
John Johansen (jjohansen) wrote :

I can't tell you how to fix the logging, as I am not even sure where the failure is yet. It's possible the kernel is cutting the message off, or possibly the logging daemon.

However the message is enough for me to recognize the failure as a rule missing for the socket af packet. I don't have full information on what is missing but my guess is you need the following rule added to the /etc/apparmor.d/usr.bin.dhcpd profile

  network packet raw,

You will need to reload the profile and restart the service or reboot before the rule will take effect.

If that doesn't work, you can make the rule more generic and go with

  network packet,

Revision history for this message
Eric Teeter (teetere) wrote :

Are you suggesting that I change

    network packet packet, to network packet raw,

Or just add network packet raw,

What I have now is:

  network inet raw,
  network packet packet,

Revision history for this message
John Johansen (jjohansen) wrote :

Add
  network packet raw,

or if you want a more generic broader rule you could change
  network packet packet,

to
  network packet,

which would cover all sockets in the packet address family

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Andrey Andreev (narf) wrote :

The problem also currently exists on Ubuntu 12.10.
Adding "network packet raw" to /etc/apparmor.d/usr.sbin.dhcpd does resolve it.

Changed in apparmor (Ubuntu):
status: Expired → Confirmed
Revision history for this message
Andrey Andreev (narf) wrote :

The latest package update on 12.10 seems to fix it.

Revision history for this message
Patricio Carreño Mancilla (patriciologico) wrote :

The problem also currently exists on Ubuntu 10.04 LTS

Revision history for this message
Walter Wesley Snyder V (wessnyder) wrote :

I am running 12.04 LTS. I did all the updates today and isc-dhcp-server would not work. I added all the suggested fixes in apparmor with no luck. I had to disable apparmor and reboot the server for dhcp to work.

I have:
network inet raw,
network packet packet,
network packet raw,
network packet,
network,

I commented some out to test, such that I only had network inet raw, and network packet, without # in front. I have isc-dhcp-server 4.1.ESV-R4-0ubuntu5.8 installed. Any thoughts?

Revision history for this message
Walter Wesley Snyder V (wessnyder) wrote :

Update:

If I have this only:
network inet raw,
network packet packet,
network packet raw,

and REBOOT the server, not reload apparmor, it works. If I attempt to reload or start isc-dhcp-server or apparmor, it fails with the permission error. Rebooting the server shows the proper items in syslog. Weird.

Revision history for this message
Robert Collins (lifeless) wrote :

I've just hit this

[518820.279862] type=1400 audit(1392708646.017:161): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/dhcpd" pid=26521 comm="dhcpd" family="packet" sock_type="dgram" protocol=8

It started when I added a config stanza for a subnet that is on ib1 and restarted dhcpd - but that may just be a race condition with startup or something, since
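
As an added illustration (not code from this thread or from the AppArmor project), here is a small Python parser for the kernel audit lines quoted in this report that maps a socket "create" denial to the `network <family> <type>,` rule form John Johansen describes, and that refuses to guess when the entry is cut off the way the original report's `family="pa$` line was. The sample lines are constructed from the two entries quoted in this thread; note that the complete entry above names `sock_type="dgram"`, so the rule derived from it is for the dgram type rather than the raw type proposed earlier.

```python
import re

# Constructed sample entries, modelled on the two audit lines quoted in this bug:
# the first is complete, the second is truncated the way syslog cut the original.
SAMPLE_LOGS = [
    'type=1400 audit(1392708646.017:161): apparmor="DENIED" operation="create" parent=1 '
    'profile="/usr/sbin/dhcpd" pid=26521 comm="dhcpd" family="packet" sock_type="dgram" protocol=8',
    'type=1400 audit(1358865656.830:20): apparmor="DENIED" operation="create" parent=1 '
    'profile="/usr/sbin/dhcpd" pid=3132 comm="dhcpd" family="pa$',
]

# key="quoted value"  or  key=bareword ; a dangling quote (no closing ") falls into
# the bareword branch, which is how a truncated field is recognised below.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line as a dict (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_truncated(value):
    """A value that still starts with a quote never got its closing quote: the line was cut."""
    return value is None or value.startswith('"')


def suggest_network_rule(fields):
    """Map a DENIED socket-create event to the AppArmor network rule that would allow it.

    Returns None for events that are not socket creation denials, or whose family /
    type field is truncated, because a guessed family could open far more than needed.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "create":
        return None
    family = fields.get("family")
    if is_truncated(family):
        return None  # e.g. family="pa$ : not enough to tell packet from another family
    sock_type = fields.get("sock_type")
    if sock_type is not None and not is_truncated(sock_type):
        return f"network {family} {sock_type},"   # narrowest rule that matches the event
    return f"network {family},"                   # type unknown: family-wide rule


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(suggest_network_rule(parse_audit(line)))
```
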

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking as Fix Released based on comment #11. If other people are still seeing this, please file a new bug. Thanks

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
jwiegley (jeffw) wrote :

No, not fixed. Comment #15 is an example of the problem still. It's 5 years later. Infiniband IPoIB causes this same problem even with the "fix". 'rmmod ib_ipoib' allows dhcp to start. Having the module loaded and the interface configured prevents dhcpd from starting due to apparmor.
