isc-dhcp-server can't load leases file with apparmor enabled

Bug #1823985 reported by Lars
This bug affects 2 people
Affects: isc-dhcp (Ubuntu)   Status: Expired   Importance: Low   Assigned to: Unassigned   Milestone: (none)

Bug Description

I can't start isc-dhcp-server with apparmor enabled.

I set a custom leases file in the dhcpd.conf:
 lease-file-name "/test/var/lib/dhcp/dhcpd.leases";

and created a custom apparmor profile for that in /etc/apparmor.d/local/usr.sbin.dhcpd:
/test/var/lib/dhcp/dhcpd{,6}.leases* lrw,

But when I try to start I see the following errors from dhcpd:

Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /test/var/lib/dhcp/dhcpd.leases
PID file: /run/dhcp-server/dhcpd.pid
Can't open /test/var/lib/dhcp/dhcpd.leases for append.

If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug. These pages explain the proper
process and the information we find helpful for debugging..

exiting.

And in the messages log I can see errors like this:

Apr 9 17:07:03.601 myhost dhcpd[27361]: Can't open /test/var/lib/dhcp/dhcpd.leases for append.
Apr 9 17:07:03.601 myhost dhcpd[27361]:
Apr 9 17:07:03.601 myhost dhcpd[27361]: If you think you have received this message due to a bug rather
Apr 9 17:07:03.601 myhost dhcpd[27361]: than a configuration issue please read the section on submitting
Apr 9 17:07:03.601 myhost dhcpd[27361]: bugs on either our web page at www.isc.org or in the README file
Apr 9 17:07:03.601 myhost dhcpd[27361]: before submitting a bug. These pages explain the proper
Apr 9 17:07:03.601 myhost dhcpd[27361]: process and the information we find helpful for debugging..
Apr 9 17:07:03.601 myhost dhcpd[27361]:
Apr 9 17:07:03.601 myhost dhcpd[27361]: exiting.
Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1 capname="dac_override"
Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1 capname="dac_override"

After disabling apparmor for dhcpd everything works as expected:

ln -s /etc/apparmor.d/usr.sbin.dhcpd /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd

Seth Arnold (seth-arnold) wrote : Re: [Bug 1823985] [NEW] isc-dhcp-server can't load leases file with apparmor enabled

On Tue, Apr 09, 2019 at 03:15:26PM -0000, Lars wrote:
> I set a custom leases file in the dhcpd.conf:
> lease-file-name "/test/var/lib/dhcp/dhcpd.leases";
>
> and created a custom apparmor profile for that in /etc/apparmor.d/local/usr.sbin.dhcpd:
> /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,
>
> But when I try to start I see the following errors from dhcpd:

> Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1 capname="dac_override"
> Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1 capname="dac_override"

Hello Lars, this is indicating that the dhcpd service is trying to use
root's capability to bypass permissions to use this file. I suggest
checking the owner, group, and permissions of all directories and the
lease file. (namei -l /test/var/lib/dhcp/dhcpd.leases can be handy
for this.)

If all those owners and permissions are as you intended and you want the
dhcpd service to use root powers to access the file, then you'll also need
to modify the profile to allow the dhcpd daemon to use the dac_override:

  capability dac_override,

Thanks

Lars (l4rs) wrote :

Hi Arnold

Thank you for your reply.

Unfortunately it still does not work after checking the permissions:

[root@myhost:~]↥ 1 # namei -l /test/var/lib/dhcp/dhcpd.leases
f: /test/var/lib/dhcp/dhcpd.leases
drwxr-xr-x root root /
drwxr-xr-x dhcpd dhcpd test
drwxr-xr-x dhcpd dhcpd var
drwxr-xr-x dhcpd dhcpd lib
drwxr-xr-x dhcpd dhcpd dhcp
-rw-r--r-- dhcpd dhcpd dhcpd.leases

The error is still the same:

...
Can't open /test/var/lib/dhcp/dhcpd.leases for append.
...

And I'm sure the apparmor profile is loaded, because if I deactivate it I get the permission denied error:
...
Can't open lease database /test/var/lib/dhcp/dhcpd.leases: Permission denied --
  check for failed database rewrite attempt!
...

Do you have any other ideas?

Seth Arnold (seth-arnold) wrote : Re: [Bug 1823985] Re: isc-dhcp-server can't load leases file with apparmor enabled

On Wed, Apr 10, 2019 at 08:34:47AM -0000, Lars wrote:
> [root@myhost:~]↥ 1 # namei -l /test/var/lib/dhcp/dhcpd.leases
> f: /test/var/lib/dhcp/dhcpd.leases
> drwxr-xr-x root root /
> drwxr-xr-x dhcpd dhcpd test
> drwxr-xr-x dhcpd dhcpd var
> drwxr-xr-x dhcpd dhcpd lib
> drwxr-xr-x dhcpd dhcpd dhcp
> -rw-r--r-- dhcpd dhcpd dhcpd.leases

Note that these permissions don't allow root to write to this file UNLESS
root uses the CAP_DAC_OVERRIDE permission.

Thanks.
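Seth's point above, as an added example that is not part of the thread: a small Python script that replays the plain mode-bit (DAC) check on Lars's `namei -l` output for a chosen user and group set, without the owner bypass that CAP_DAC_OVERRIDE grants to root. The namei output is the one Lars posted, embedded as a constant; checking it for "root" and for "dhcpd" assumes, as the audit line suggests, that dhcpd is still root when it opens the lease file and only later drops to dhcpd:dhcpd.

```python
# Added example, not from the bug report: an offline DAC check over `namei -l`
# output. Uid 0 gets no special treatment here; that bypass is exactly what
# CAP_DAC_OVERRIDE (denied by the AppArmor profile in the log) provides.

# The namei -l output Lars posted, embedded as a constant so this runs offline.
NAMEI_OUTPUT = """\
f: /test/var/lib/dhcp/dhcpd.leases
drwxr-xr-x root root /
drwxr-xr-x dhcpd dhcpd test
drwxr-xr-x dhcpd dhcpd var
drwxr-xr-x dhcpd dhcpd lib
drwxr-xr-x dhcpd dhcpd dhcp
-rw-r--r-- dhcpd dhcpd dhcpd.leases
"""


def parse_namei(text):
    """Return (mode, owner, group, name) per path component of `namei -l` output.
    Symlink lines are not resolved; they are kept as printed."""
    entries = []
    for line in text.splitlines():
        if line.startswith("f:") or not line.strip():
            continue  # header line "f: <path>" or a blank line
        mode, owner, group, name = line.split(None, 3)
        entries.append((mode, owner, group, name))
    return entries


def dac_allows(mode, owner, group, user, groups, want):
    """Unix mode-bit check for one bit ('r', 'w' or 'x'): owner triplet if
    `user` owns the object, else group triplet if `group` is among `groups`,
    else the 'other' triplet. Root is deliberately NOT special-cased."""
    if user == owner:
        triplet = mode[1:4]
    elif group in groups:
        triplet = mode[4:7]
    else:
        triplet = mode[7:10]
    ch = triplet["rwx".index(want)]
    return ch not in "-ST"  # 'S'/'T' = setuid/setgid/sticky without execute


def components_needing_override(text, user, groups=()):
    """Names of components `user` cannot pass by DAC alone when opening the
    final path for append: search ('x') on each directory, write ('w') on the
    file. A non-empty result means the open only succeeds via CAP_DAC_OVERRIDE."""
    entries = parse_namei(text)
    blocked = []
    for i, (mode, owner, group, name) in enumerate(entries):
        want = "w" if i == len(entries) - 1 else "x"
        if not dac_allows(mode, owner, group, user, groups, want):
            blocked.append(name)
    return blocked
```

For the posted permissions, `components_needing_override(NAMEI_OUTPUT, "root", ("root",))` returns `["dhcpd.leases"]` (root is neither owner nor in group dhcpd, and "other" has no write bit), while the same call for `"dhcpd"` with group `("dhcpd",)` returns an empty list, which is why either `capability dac_override,` in the profile or root ownership of the lease file resolves the denial.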

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed
Lukas Märdian (slyon) wrote :

Does it work if the profile is modified to use the dac_override capability, as suggested by @sarnold in comment #1?

Changed in isc-dhcp (Ubuntu):
status: Confirmed → Incomplete
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

[Expired for isc-dhcp (Ubuntu) because there has been no activity for 60 days.]

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Expired