AppArmor Disallows Disabling Dhclient Scripts

Bug #2011628 reported by Brett Holman
Affects: isc-dhcp (Debian), isc-dhcp (Ubuntu)

Bug Description

In some cases, it may be desirable to disable dhclient scripts. By default /sbin/dhclient-script is used, and some others are allowed by the AppArmor profile.

Without AppArmor, disabling hook scripts can be accomplished with flags -sf /bin/true, but with AppArmor enabled this gets blocked:

execve (/bin/true, ...): Permission denied

Unfortunately dhclient doesn't appear to provide any other mechanism for disabling hook scripts.

Tags: patch
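
To confirm on a host that the "Permission denied" above comes from the profile rather than from file permissions, the AppArmor audit messages can be checked for exec denials attributed to dhclient. The following is an added example, not part of the bug report or the attached debdiff; the log lines and the profile name in them are constructed, and the field layout assumed is that of AppArmor kernel audit messages.

```python
import re

# key="quoted value" or key=bare_value pairs in an AppArmor audit message
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Constructed sample lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1678900000.101:210): apparmor="DENIED" operation="exec" profile="/{,usr/}sbin/dhclient" name="/bin/true" pid=4242 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1678900003.555:211): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/x" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1678900009.002:212): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/tmp/lease" pid=4242 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1678900012.700:213): apparmor="DENIED" operation="exec" profile="/{,usr/}sbin/dhclient" name=2F6F70742F6D7920686F6F6B pid=4250 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

def parse_fields(line):
    """Return the key/value fields of one audit line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare if bare else quoted
        # Names containing spaces or special bytes are logged as unquoted hex.
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def exec_denials(log, comm="dhclient"):
    """List (profile, path) for every exec that AppArmor denied to `comm`."""
    hits = []
    for line in log.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "exec"
                and f.get("comm") == comm
                and "x" in f.get("denied_mask", "")):
            hits.append((f.get("profile"), f.get("name")))
    return hits

if __name__ == "__main__":
    for profile, path in exec_denials(SAMPLE_LOG):
        print(f"profile {profile} denied exec of {path}")
```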

Brett Holman (holmanb) wrote :

Debdiff in the attached enables dhclient to execute dhclient with -sf /bin/true

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "isc-dhcp-apparmor-scripts-disable-fix.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Robie Basak (racb) wrote :

I wondered if this needed an FFe, but then I considered that we're fixing an AppArmor profile to do what the command would allow anyway, and I think that fixing AppArmor profiles is not something that generally would violate feature freeze. So I'm not bothering the release team with this one and am instead documenting why :-)

Changed in isc-dhcp (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in isc-dhcp (Debian):
status: Unknown → New