[systemd] dhclient causes apparmor warnings against /run/systemd/journal/dev-log

Bug #1413232 reported by Bryan Quigley
This bug affects 4 people
Affects            Status        Importance  Assigned to  Milestone
AppArmor           Fix Released  High        Unassigned
apparmor (Ubuntu)  Fix Released  High        Unassigned

Bug Description

When running a system with systemd, the logs get filled with dhclient getting denied access to the below.

Example dmesg output:
[ 28.037120] audit: type=1400 audit(1421846274.704:51): apparmor="DENIED" operation="sendmsg" profile="/sbin/dhclient" name="/run/systemd/journal/dev-log" pid=1678 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 45.367871] audit: type=1400 audit(1421846292.048:52): apparmor="DENIED" operation="sendmsg" profile="/sbin/dhclient" name="/run/systemd/journal/dev-log" pid=1678 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: isc-dhcp-client 4.3.1-5ubuntu2
ProcVersionSignature: Ubuntu 3.18.0-9.10-generic 3.18.2
Uname: Linux 3.18.0-9-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.15.1-0ubuntu2
Architecture: amd64
Date: Wed Jan 21 09:26:16 2015
DhclientLeases:

InstallationDate: Installed on 2015-01-08 (12 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20150108)
ProcEnviron:
 LANGUAGE=en_US
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: isc-dhcp
UpgradeStatus: No upgrade log present (probably fresh install)

Bryan Quigley (bryanquigley) wrote :

Just adding
  /run/systemd/journal/dev-log w,
to /etc/apparmor.d/sbin.dhclient makes it work not.

I noticed after that it wasn't actually logging any dhclient messages before enabling write access there.

Bryan Quigley (bryanquigley) wrote :

makes it work *now*.

Jamie Strandboge (jdstrand) wrote :

Thanks for using Ubuntu and filing a bug. This should actually be fixed in apparmor's base abstraction (which already permits /dev/log). Retargeting to apparmor.

affects: isc-dhcp (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
importance: Undecided → High
status: New → Triaged
tags: added: aa-policy
Changed in apparmor:
status: New → Triaged
importance: Undecided → High
Steve Langasek (vorlon) wrote :

Jamie, now that systemd is becoming the default in vivid, I think this is critical to fix, as dmesg is quite spammy at present (and of course the log entries are being lost if the writes are denied). Can this fix be expedited?

Jamie Strandboge (jdstrand) wrote :

This was committed upstream some time ago and will be in AppArmor 2.9.2. I'm not sure of the timing of that so I'll cherry-pick it for the Ubuntu package for now.

Changed in apparmor:
status: Triaged → Fix Committed
milestone: none → 2.9.2
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu7

---------------
apparmor (2.9.1-0ubuntu7) vivid; urgency=medium

  * systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal
    socket /{,var}/run/systemd/journal/dev-log. This can be dropped with
    AppArmor 2.9.2. (LP: #1413232)
 -- Jamie Strandboge <email address hidden> Fri, 06 Mar 2015 06:22:34 -0600

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Steve Beattie (sbeattie)
Changed in apparmor:
status: Fix Committed → Fix Released
ttbek (ttbek) wrote :

Potential regression? I think I'm seeing this on Ubuntu 20.04:

May 31 04:35:10 HOSTNAME audit[2997513]: AVC apparmor="DENIED" operation="sendmsg" profile="/{,usr/}sbin/dhclient" name="/log" pid=2997513 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

dpkg --list | grep apparmor
ii apparmor 2.13.3-7ubuntu5 amd64 user-space parser utility for AppArmor
ii libapparmor1:amd64 2.13.3-7ubuntu5 amd64 changehat AppArmor library

ChuckG (tubastuff) wrote :

Seeing the same for 20.04:

[ 171.828819] audit: type=1400 audit(1598467536.663:28): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1060/task/1063/comm" pid=1060 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

John Johansen (jjohansen) wrote :

@tubastuff that is definitely not the same problem, please see https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410
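
A triage helper for the denial records quoted in this thread, added here as an example and not part of the original report or of AppArmor's own tooling. It parses each record and marks whether it is a write to the journal socket path named in the changelog above; the function names and the "journal-socket"/"other" labels are hypothetical, and the match is on the logged path string only.

```python
import re
from collections import Counter

# key="value" pairs as they appear in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Path from the changelog entry: /{,var}/run/systemd/journal/dev-log
JOURNAL_SOCKET = re.compile(r'^/(var/)?run/systemd/journal/dev-log$')

# Records copied from the comments in this bug report
SAMPLE_LINES = [
    '[ 28.037120] audit: type=1400 audit(1421846274.704:51): apparmor="DENIED" operation="sendmsg" profile="/sbin/dhclient" name="/run/systemd/journal/dev-log" pid=1678 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    '[ 45.367871] audit: type=1400 audit(1421846292.048:52): apparmor="DENIED" operation="sendmsg" profile="/sbin/dhclient" name="/run/systemd/journal/dev-log" pid=1678 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'May 31 04:35:10 HOSTNAME audit[2997513]: AVC apparmor="DENIED" operation="sendmsg" profile="/{,usr/}sbin/dhclient" name="/log" pid=2997513 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    '[ 171.828819] audit: type=1400 audit(1598467536.663:28): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1060/task/1063/comm" pid=1060 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
]

def parse_denial(line):
    """Return the quoted fields of an AppArmor DENIED record, or None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("apparmor") != "DENIED":
        return None
    return fields

def classify(fields):
    """'journal-socket' if this is a denied write (sendmsg) to the journal dev-log path."""
    if (fields.get("operation") == "sendmsg"
            and "w" in fields.get("denied_mask", "")
            and JOURNAL_SOCKET.match(fields.get("name", ""))):
        return "journal-socket"
    return "other"

def summarize(lines):
    """Count denials by (profile, operation, name, denied_mask, class)."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f:
            key = (f.get("profile"), f.get("operation"), f.get("name"),
                   f.get("denied_mask"), classify(f))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).items():
        print(n, *key)
```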
