Comment 3 for bug 341817

ben thielsen (btb-bitrate) wrote :

i'd like to bump this entry a bit - if nothing else, to understand better why exactly this doesn't work.

as the user dhcpd runs as (dhcpd), i can read the key file (by way of a symlink, in my case):

>whoami
dhcpd

>id dhcpd
uid=105(dhcpd) gid=113(dhcpd) groups=113(dhcpd),999(ddns)

>ls -Alh
total 20K
lrwxrwxrwx 1 root root 29 2010-03-07 16:12 ddns-key-1.key -> /etc/bind/keys/ddns-key-1.key
-rw-r----- 1 root dhcpd 148 2009-12-01 20:14 ddns-key-1.key.old
drwxr-xr-x 2 root root 4.0K 2010-02-15 20:29 dhclient-enter-hooks.d
drwxr-xr-x 2 root root 4.0K 2009-12-16 12:17 dhclient-exit-hooks.d
-rw-r----- 1 root dhcpd 4.1K 2009-12-01 20:17 dhcpd.conf

>ls -alh /etc/bind/keys/ddns-key-1.key
-rw-r----- 1 root ddns 148 2009-12-01 15:24 /etc/bind/keys/ddns-key-1.key

>cat ddns-key-1.key
key ddns-key-1 {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};

yet (as in the initial report) when started via its init script, /usr/sbin/dhcpd cannot:

>/etc/init.d/dhcp3-server start
dhcpd self-test failed. Please fix the config file.
The error was:
Internet Systems Consortium DHCP Server V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Can't open /etc/dhcp3/ddns-key-1.key: Permission denied

why doesn't this work? what is different when dhcpd is started via its init script and privs are dropped to the user named dhcpd? i've adjusted the apparmor settings for dhcpd, and there are no audit entries for apparmor being logged - what is preventing this file from being read?
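One difference between the two situations shown in this comment that is worth checking is the process's group list rather than the file mode: `id dhcpd` reports supplementary group `999(ddns)` because the shell (and `su`/`sudo`) populate groups from /etc/group via initgroups(), whereas a daemon that drops root with only setgid()+setuid() keeps its primary group and nothing else, and the key file is mode 0640 owned by `root:ddns`. The script below is an added diagnostic, not code from the bug report or from ISC dhcpd. It models a classic owner/group/other walk over every path component after symlink resolution, so the failing component is named (as `namei -l` would), and replays the permissions shown in the comment under both assumptions about the group list. The modes of `/`, `/etc`, `/etc/bind` and `/etc/bind/keys` are assumed to be 0755 because the report does not show them; whether the running daemon actually lacks the `ddns` group is something to confirm against the `Groups:` line of `/proc/<pid>/status`, not something this script proves.

```python
"""Explain whether a uid/gid set can read a file, component by component.

Added example for the bug comment above (not the project's own code). The
dhcpd scenario uses the uid, gids and file mode quoted in the comment; the
directory modes are assumed, and the 'no supplementary groups' case is a
hypothesis to verify on the real daemon, not a confirmed diagnosis.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# (owner, group, other) bit triples for the two permissions a read needs:
# search (x) on every directory, read (r) on the file itself.
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int  # full st_mode, file-type bits included
    uid: int
    gid: int


def permits(entry, uid, gids, bits):
    """Owner/group/other check for one permission triple. uid 0 gets no special
    treatment on purpose: we model a process that has already dropped root."""
    owner_bit, group_bit, other_bit = bits
    if uid == entry.uid:
        return bool(entry.mode & owner_bit)
    if entry.gid in gids:
        return bool(entry.mode & group_bit)
    return bool(entry.mode & other_bit)


def explain_read_access(entries, uid, gids):
    """entries: resolved path, root first, target file last.
    Returns (ok, reason) naming the first component that blocks access."""
    *dirs, leaf = entries
    for d in dirs:
        if not permits(d, uid, gids, SEARCH):
            return False, f"no search (x) permission on {d.path}"
    if not permits(leaf, uid, gids, READ):
        return False, (f"no read permission on {leaf.path}: mode "
                       f"{stat.filemode(leaf.mode)}, uid {leaf.uid}, gid {leaf.gid}")
    return True, "readable"


def entries_for(path):
    """Live variant: resolve symlinks the way the kernel would, then stat each
    component of the real path (symlink permissions themselves never matter)."""
    real = os.path.realpath(path)
    components, cur = [os.sep], os.sep
    for part in real.strip(os.sep).split(os.sep):
        if part:
            cur = os.path.join(cur, part)
            components.append(cur)
    out = []
    for c in components:
        st = os.stat(c)
        out.append(Entry(c, st.st_mode, st.st_uid, st.st_gid))
    return out


def dhcpd_key_scenario(supplementary_groups_applied):
    """Constructed replay of the comment: uid 105 (dhcpd), primary gid 113,
    key file 0640 root:ddns (gid 999). Directory modes are ASSUMED 0755."""
    D, F = stat.S_IFDIR, stat.S_IFREG
    chain = [
        Entry("/", D | 0o755, 0, 0),
        Entry("/etc", D | 0o755, 0, 0),
        Entry("/etc/bind", D | 0o755, 0, 0),
        Entry("/etc/bind/keys", D | 0o755, 0, 0),
        Entry("/etc/bind/keys/ddns-key-1.key", F | 0o640, 0, 999),
    ]
    # A login shell gets its groups from /etc/group (initgroups); a daemon that
    # drops root with bare setgid()+setuid() keeps only its primary group.
    gids = {113, 999} if supplementary_groups_applied else {113}
    return explain_read_access(chain, uid=105, gids=gids)


def self_check():
    """Live sanity check on a constructed temp file: the current user can read
    it; a foreign uid with no groups is stopped at the 0700 temp directory."""
    with tempfile.TemporaryDirectory() as d:  # mkdtemp creates it mode 0700
        p = os.path.join(d, "key")
        with open(p, "w") as f:
            f.write('key test { secret "constructed"; };\n')
        os.chmod(p, 0o600)
        chain = entries_for(p)
        mine = explain_read_access(chain, os.getuid(), {os.getgid(), *os.getgroups()})
        foreign = explain_read_access(chain, os.getuid() + 1, set())
        return mine[0], foreign[0]


if __name__ == "__main__":
    for applied in (True, False):
        print("supplementary groups applied:", applied, "->", dhcpd_key_scenario(applied))
    print("self check (own, foreign):", self_check())
```

Run against a real system, `entries_for("/etc/dhcp3/ddns-key-1.key")` follows the symlink from the comment and stats the BIND-owned target, so the same walk can be fed the daemon's actual uid and group list taken from `/proc/<pid>/status`.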