| 2021-03-10 09:42:44 |
Anisse Astier |
bug |
|
|
added bug |
| 2021-03-26 20:56:30 |
Launchpad Janitor |
isc-dhcp (Ubuntu): status |
New |
Confirmed |
|
| 2021-03-27 08:29:49 |
Brian Weller |
bug |
|
|
added subscriber Brian Weller |
| 2021-04-02 15:58:09 |
Brian Murray |
tags |
|
focal |
|
| 2021-04-02 15:58:59 |
Brian Murray |
isc-dhcp (Ubuntu): status |
Confirmed |
Triaged |
|
| 2021-04-02 15:59:05 |
Brian Murray |
isc-dhcp (Ubuntu): importance |
Undecided |
Medium |
|
| 2021-08-17 16:41:56 |
Georgia Garcia |
tags |
focal |
focal hirsute |
|
| 2022-03-28 05:58:02 |
Daniel Richard G. |
tags |
focal hirsute |
focal hirsute jammy |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
nominated for series |
|
Ubuntu Focal |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
bug task added |
|
isc-dhcp (Ubuntu Focal) |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
nominated for series |
|
Ubuntu Kinetic |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
bug task added |
|
isc-dhcp (Ubuntu Kinetic) |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
nominated for series |
|
Ubuntu Impish |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
bug task added |
|
isc-dhcp (Ubuntu Impish) |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-06-21 09:47:12 |
Lukas Märdian |
bug task added |
|
isc-dhcp (Ubuntu Jammy) |
|
| 2022-06-21 10:15:59 |
Lukas Märdian |
description |
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
|
| 2022-06-21 10:16:54 |
Lukas Märdian |
description |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
|
| 2022-06-21 10:17:22 |
Lukas Märdian |
description |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there, especially not after a reboot
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
|
| 2022-06-21 10:24:48 |
Lukas Märdian |
description |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there, especially not after a reboot
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
$ reboot
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there, especially not after a reboot
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
|
| 2022-06-21 10:25:24 |
Lukas Märdian |
description |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
$ reboot
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there, especially not after a reboot
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a DHCP IP address got assigned
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked to assign an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Test Plan]
$ apt install network-manager
$ netplan set "network.renderer=NetworkManager"
$ netplan get
network:
version: 2
renderer: NetworkManager
ethernets:
enp5s0:
dhcp4: true
$ mkdir /etc/NetworkManager/conf.d
$ cat /etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ netplan apply
$ dmesg | grep dhclient
$ reboot
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there, especially not after a reboot
$ ip addr
[...]
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a dynamic IP address got assigned via DHCP
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https://gitlab.com/apparmor/apparmor/-/merge_requests/730
* The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adopted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to other, see this comment:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
Or even an article recommending disabling apparmor for dhclient(!):
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
) = -1 EACCES (Permission non accordée) |
|
| 2022-06-21 10:46:29 |
Lukas Märdian |
isc-dhcp (Ubuntu Kinetic): status |
Triaged |
Fix Committed |
|
| 2022-06-21 10:46:31 |
Lukas Märdian |
isc-dhcp (Ubuntu Kinetic): assignee |
|
Lukas Märdian (slyon) |
|
| 2022-06-21 10:46:34 |
Lukas Märdian |
isc-dhcp (Ubuntu Jammy): status |
New |
In Progress |
|
| 2022-06-21 10:46:36 |
Lukas Märdian |
isc-dhcp (Ubuntu Impish): status |
New |
In Progress |
|
| 2022-06-21 10:46:38 |
Lukas Märdian |
isc-dhcp (Ubuntu Focal): status |
New |
In Progress |
|
| 2022-06-21 20:48:35 |
Launchpad Janitor |
isc-dhcp (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
| 2022-06-22 18:09:22 |
Robie Basak |
isc-dhcp (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2022-06-22 18:09:24 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2022-06-22 18:09:26 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
| 2022-06-22 18:09:29 |
Robie Basak |
tags |
focal hirsute jammy |
focal hirsute jammy verification-needed verification-needed-jammy |
|
| 2022-06-22 18:09:45 |
Robie Basak |
isc-dhcp (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
| 2022-06-22 18:09:49 |
Robie Basak |
tags |
focal hirsute jammy verification-needed verification-needed-jammy |
focal hirsute jammy verification-needed verification-needed-impish verification-needed-jammy |
|
| 2022-06-22 18:10:17 |
Robie Basak |
isc-dhcp (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2022-06-22 18:10:22 |
Robie Basak |
tags |
focal hirsute jammy verification-needed verification-needed-impish verification-needed-jammy |
focal hirsute jammy verification-needed verification-needed-focal verification-needed-impish verification-needed-jammy |
|
| 2022-06-23 12:27:06 |
Lukas Märdian |
tags |
focal hirsute jammy verification-needed verification-needed-focal verification-needed-impish verification-needed-jammy |
focal hirsute jammy verification-done-jammy verification-needed verification-needed-focal verification-needed-impish |
|
| 2022-06-23 12:49:31 |
Lukas Märdian |
tags |
focal hirsute jammy verification-done-jammy verification-needed verification-needed-focal verification-needed-impish |
focal hirsute jammy verification-done-focal verification-done-jammy verification-needed verification-needed-impish |
|
| 2022-06-23 12:56:34 |
Lukas Märdian |
tags |
focal hirsute jammy verification-done-focal verification-done-jammy verification-needed verification-needed-impish |
focal hirsute jammy verification-done-focal verification-done-impish verification-done-jammy verification-needed |
|
| 2022-07-04 08:30:29 |
Launchpad Janitor |
isc-dhcp (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2022-07-04 08:30:34 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2022-07-04 09:33:06 |
Launchpad Janitor |
isc-dhcp (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
| 2022-07-04 09:41:59 |
Launchpad Janitor |
isc-dhcp (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
