isc-dhcp-server can't load leases file with apparmor enabled
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| isc-dhcp (Ubuntu) |
Expired
|
Low
|
Unassigned | ||
Bug Description
I can't start isc-dhcp-server with apparmor enabled.
I set a custom leases file in the dhcpd.conf:
lease-file-name "/test/
and created a custom apparmor profile for that in /etc/apparmor.
/test/var/
But when I try to start I see the following errors from dhcpd:
Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https:/
Config file: /etc/dhcp/
Database file: /test/var/
PID file: /run/dhcp-
Can't open /test/var/
If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug. These pages explain the proper
process and the information we find helpful for debugging..
exiting.
And in the messages log I can see errors like this:
Apr 9 17:07:03.601 myhost dhcpd[27361]: Can't open /test/var/
Apr 9 17:07:03.601 myhost dhcpd[27361]:
Apr 9 17:07:03.601 myhost dhcpd[27361]: If you think you have received this message due to a bug rather
Apr 9 17:07:03.601 myhost dhcpd[27361]: than a configuration issue please read the section on submitting
Apr 9 17:07:03.601 myhost dhcpd[27361]: bugs on either our web page at www.isc.org or in the README file
Apr 9 17:07:03.601 myhost dhcpd[27361]: before submitting a bug. These pages explain the proper
Apr 9 17:07:03.601 myhost dhcpd[27361]: process and the information we find helpful for debugging..
Apr 9 17:07:03.601 myhost dhcpd[27361]:
Apr 9 17:07:03.601 myhost dhcpd[27361]: exiting.
Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(155482242
Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(155482242
After disabling apparmor for dhcpd everything works as expected:
ln -s /etc/apparmor.
apparmor_parser -R /etc/apparmor.
| Seth Arnold (seth-arnold) wrote Re: [Bug 1823985] [NEW] isc-dhcp-server can't load leases file with apparmor enabled | #1 |
| Lars (l4rs) wrote | #2 |
| Seth Arnold (seth-arnold) wrote Re: [Bug 1823985] Re: isc-dhcp-server can't load leases file with apparmor enabled | #3 |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in isc-dhcp (Ubuntu): | |
| status: | New → Confirmed |
| Lukas Märdian (slyon) wrote | #5 |
| Changed in isc-dhcp (Ubuntu): | |
| status: | Confirmed → Incomplete |
| importance: | Undecided → Low |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in isc-dhcp (Ubuntu): | |
| status: | Incomplete → Expired |
On Tue, Apr 09, 2019 at 03:15:26PM -0000, Lars wrote:
> I set a custom leases file in the dhcpd.conf:
> lease-file-name "/test/
>
> and created a custom apparmor profile for that in /etc/apparmor.
> /test/var/
>
> But when I try to start I see the following errors from dhcpd:
> Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(155482242
> Apr 9 17:07:03.603 myhost kernel: audit: type=1400 audit(155482242
Hello Lars, this is indicating that the dhcpd service is trying to use
root's capability to bypass permissions to use this file. I suggest
checking the owner, group, and permissions of all directories and the
lease file. (namei -l /test/var/
for this.)
If all those owners and permissions are as you intended and you want the
dhcpd service to use root powers to access the file, then you'll also need
to modify the profile to allow the dhcpd daemon to use the dac_override:
capability dac_override,
Thanks