overlayroot read-only mode apparmor dhclient DENIED

Bug #1541450 reported by zhangyang on 2016-02-03
Affects: apparmor (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dear all:
    I am using overlayroot and working in read-only mode, and then I can't connect to the network and dhclient fails.

Output of cat /var/log/kernel.log below:

Feb 3 23:17:53 zy-VirtualBox kernel: [ 49.049090] audit: type=1400 audit(1454512673.592:44): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/dhclient" name="etc/ld.so.cache" pid=1217 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Feb 3 23:17:53 zy-VirtualBox kernel: [ 49.049253] audit: type=1400 audit(1454512673.592:45): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/dhclient" name="lib/x86_64-linux-gnu/libirs-export.so.91.0.0" pid=1217 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

When I use "dhclient enp0s3", the error message is "dhclient: error while loading shared libraries: libirs-export.so.91: cannot stat shared object: Permission denied".

Any help would be appreciated.
Thanks
zy

zhangyang (advzhangyang) wrote :

Following up on the above description, I have found a solution:
~$ sudo ln -s /etc/apparmor.d/sbin.dhclient /etc/apparmor.d/disable/
~$ sudo /etc/init.d/apparmor reload
~$ sudo /etc/init.d/apparmor restart
~$ sudo /etc/init.d/networking restart
~$ sudo dhclient enp0s3

But I think this method is insecure. I want to know why it happened and how to fix it.

I am using "ubuntu-15.10-desktop-amd64.iso" and "overlayroot".

Any help would be appreciated.
Thanks

Seth Arnold (seth-arnold) wrote :

Hello zy,

Be very careful with /etc/init.d/networking restart --- this can cause severe instability issues on Ubuntu systems. Some versions have this script modified to prevent the trouble, but some don't. The ifupdown tools should be used to restart specific interfaces instead. I know that's insanely confusing, but it's just the way it is.

The AppArmor problem is the "Failed name lookup - disconnected path" entry. This means that the process is running in a filesystem namespace (perhaps a chroot?) where the filename doesn't actually exist. The usual way forward is to add flags=(attach_disconnected) to the profile, e.g.:

/sbin/dhclient flags=(attach_disconnected) { ...

If that isn't sufficient for you, this may be related to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1408106 -- but I must admit I don't know the details of why overlayfs doesn't work well with AppArmor.

Thanks

zhangyang (advzhangyang) wrote :

Dear Seth Arnold,

Oh, it's amazing. With attach_disconnected, it seems to work.
It's a good way to solve the trouble. Thank you for your answer.
If I find anything valuable about the trouble, I will post it here.

Best regards,
zy

zhangyang (advzhangyang) wrote :

Dear Seth Arnold,

Recently, I used the "attach_disconnected" method in VirtualBox. However, this method does not seem stable; I am often unable to get online.

Best regards,
zy

zhangyang (advzhangyang) wrote :

I found the relevant information about this issue.

"Unless specifically directed to connect the path, OR if in a chroot and doing chroot relative paths and the path resolves to the namespace root (would be connected outside of chroot) and specifically directed to connect paths to namespace root."

"we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'."

Christian Boltz (cboltz) wrote :

> Recently, I use this method " attach_disconnected " in the virtualbox.
> However, this method does not seem stable, often unable to get online.

Using the attach_disconnected flag should at least give you different log events ;-)

Can you please check /var/log/kernel.log and post some "new" log lines?

Tyler Hicks (tyhicks) wrote :

Hello - I'm requesting that you answer the question in comment 6 so that we can fix this bug for you. Thank you!

zhangyang (advzhangyang) wrote :

I think I fixed the issue.

[ 22.126997] audit: type=1400 audit(1502779554.863:21): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="etc/ld.so.cache"

You can see that the path being looked up is the relative path name="etc/ld.so.cache", so I added attach_disconnected=/ to /etc/apparmor.d/sbin.dhclient.

Sorry it has taken so long to report back.
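Seth's point about the "Failed name lookup - disconnected path" entry and the relative name="etc/ld.so.cache" in the last comment are the two signals to look for when triaging denials like these. The Python below is an added example, not part of this bug thread or of AppArmor's own tooling: it parses kernel audit lines in the format quoted above, separates disconnected-path denials (where attach_disconnected is the relevant fix) from ordinary rule misses (where it is not), and reports per profile. The first two sample lines are the ones quoted in the bug; the third is a constructed ordinary denial added for contrast, and the advice wording is mine.

```python
import re

# Constructed sample: the two entries quoted in this bug plus one ordinary denial
# (absolute name, no "disconnected path" info) added to show the contrast.
SAMPLE_LOG = """\
Feb 3 23:17:53 zy-VirtualBox kernel: [ 49.049090] audit: type=1400 audit(1454512673.592:44): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/dhclient" name="etc/ld.so.cache" pid=1217 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 3 23:17:53 zy-VirtualBox kernel: [ 49.049253] audit: type=1400 audit(1454512673.592:45): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/dhclient" name="lib/x86_64-linux-gnu/libirs-export.so.91.0.0" pid=1217 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 3 23:18:01 zy-VirtualBox kernel: [ 57.000000] audit: type=1400 audit(1454512681.000:46): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/etc/hostname" pid=1217 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_audit_line(line):
    """Fields of one AppArmor audit line as a dict, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def classify(fields):
    """'disconnected' when the kernel could not map the path into the profile's
    namespace (info says so, or the name lacks a leading '/'), else 'ordinary'."""
    if fields.get('apparmor') != 'DENIED':
        return None
    name = fields.get('name', '')
    if 'disconnected path' in fields.get('info', '') or (name and name[0] != '/'):
        return 'disconnected'
    return 'ordinary'

def summarize(log_text):
    """Denied names per profile, split by category."""
    report = {}
    for fields in filter(None, map(parse_audit_line, log_text.splitlines())):
        kind = classify(fields)
        if kind:
            entry = report.setdefault(fields.get('profile', '?'), {'disconnected': [], 'ordinary': []})
            entry[kind].append(fields.get('name', ''))
    return report

def advice(report):
    """One recommendation per profile and category for the operator."""
    out = []
    for profile, kinds in report.items():
        if kinds['disconnected']:
            out.append(f"{profile}: {len(kinds['disconnected'])} disconnected-path denial(s), e.g. "
                       f"{kinds['disconnected'][0]!r}; the process sees a mount (overlay/chroot) the kernel "
                       "cannot name from the profile's root: add flags=(attach_disconnected), do not disable the profile")
        if kinds['ordinary']:
            out.append(f"{profile}: {len(kinds['ordinary'])} ordinary denial(s), e.g. "
                       f"{kinds['ordinary'][0]!r}; a missing path rule, attach_disconnected will not help")
    return out
```

Run it over a real /var/log/kern.log (or journalctl -k output) to see which denials are namespace problems and which need a normal rule review.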
