apparmor profile for sbin.dhclient3 not compatible with wicd

Bug #588635 reported by Koos van den Hout on 2010-06-02
68
This bug affects 12 people
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)
Undecided
Unassigned
Oneiric
Undecided
Unassigned

Bug Description

SRU:

[Impact]
Extends apparmor profile to work with wicd. There are quite a few users that depend on wicd so impact is proportionate to those affected.

[Test Case]
Binary package hint: wicd

I set some options for dhclient3 in /etc/wicd/dhclient.conf.template and noticed they were not being used. Some further searching showed me the following syslog entry:

Jun 2 10:09:44 machiavelli kernel: [107612.391626] type=1503 audit(1275466184.529:22): operation="open" pid=28884 parent=28838 profile="/sbin/dhclient3" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/lib/wicd/dhclient.conf"

Editing /etc/apparmor.d/sbin.dhclient3 with an entry:

  # wicd
  /var/lib/wicd/* r,

(and reloading apparmor) fixed the problem.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: wicd-daemon 1.7.0+ds1-2
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Wed Jun 2 10:22:30 2010
PackageArchitecture: all
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: wicd

[Regression Potential]
The regression potential should be minimal as this extends apparmor to allow read access into /var/lib/wicd via dhclient

Koos van den Hout (koos-kzdoos) wrote :
Susan Cragin (susancragin) wrote :

I am in Maverick with kernel 2.6.34-5-generic.
My wicd worked until a week or so ago.
(Note: I used wicd and wicd-gtk because I run fluxbox sometimes, instead of gnome.)

Martin Kalén (martin-kalen) wrote :

This also affects wicd on Kubuntu 10.10/Maverick.

$ lsb_release -dc
Description: Ubuntu 10.10
Codename: maverick

$ uname -a
Linux xpc 2.6.35-22-generic #35-Ubuntu SMP Sat Oct 16 20:45:36 UTC 2010 x86_64 GNU/Linux

wicd-daemon version: 1.7.0+ds1-5

Richard Decal (crypdick) wrote :

This bug affects wicd on Ubuntu 10.10 64-bit running on a Macbook 5,1 with kernel 2.6.35-23-generic

dmesg gets spammed with these messages:

[14696.696704] type=1400 audit(1291334972.805:25): apparmor="DENIED" operation="open" parent=18918 profile="/sbin/dhclient3" name="/var/lib/wicd/dhclient.conf" pid=18938 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Adding the lines fixed the problem. Thanks! :)

jhansonxi (jhansonxi) wrote :

I also get this in 10.04. Its gets stuck connecting via wireless with "obtaining IP address". Adding the lines to sbin.dhclient3 after the Network Manager entry solved the problem.

Giovanni Panozzo (giox069) wrote :

I confirm the bug: I just uninstalled NetworkManager and installed wicd. I set the option "Use DHCP hostname" with the wicd-curses configuration tool, which in turn creates /var/lib/wicd/dhclient.conf.
But the DHCP server still not getting the hostname from the DHCP request. So I noticed the apparmor read "DENIED" message as posted on this bug repord and I fixed as shown on the 1st post.
Platform: Ubuntu 10.10 32bit on dual core atom D510 (Shuttle XS35GT).

jhansonxi (jhansonxi) on 2011-03-06
Changed in wicd (Ubuntu):
status: New → Confirmed
Marty Labatt (martylab) wrote :

Still seems to be an issue with natty 11.04
Linux homer 2.6.38-12-generic-pae #51-Ubuntu SMP Wed Sep 28 16:11:32 UTC 2011 i686 i686 i386 GNU/Linux

Could the fix given by Koos in post #1 be rolled out? I would if I knew how. Pointer?

David Paleino (dpaleino) wrote :

Given the provided fix, this seems something to be fixed in apparmor. Reassigning the bug.

affects: wicd (Ubuntu) → apparmor (Ubuntu)
David Paleino (dpaleino) wrote :

Ooops, I mean isc-dhcp-client.

affects: apparmor (Ubuntu) → isc-dhcp (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu4

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu4) precise; urgency=low

  * debian/apparmor-profile.dhcpd:
    - allow writes to the compiled in default pid file (LP: #974054)
    - allow reads to /var/lib/wicd/* (LP: #588635)
 -- Jamie Strandboge <email address hidden> Thu, 05 Apr 2012 07:19:11 -0500

Changed in isc-dhcp (Ubuntu):
status: Confirmed → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu Oneiric):
status: New → Confirmed

Hello Koos, or anyone else affected,

Accepted isc-dhcp into oneiric-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Oneiric):
status: Confirmed → Fix Committed
tags: added: verification-needed
Marc Deslauriers (mdeslaur) wrote :

The Oneiric package in -proposed got superseded by a security update, and needs to be re-uploaded.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in isc-dhcp (Ubuntu Oneiric):
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers