Activity log for bug #2013539

Date Who What changed Old value New value Message
2023-03-31 12:09:45 Andreas Hasenack bug added bug
2023-03-31 12:17:10 Andreas Hasenack description

Old value:

Two bugs have been reported in Debian that affect the Ubuntu packaging as well, since we share the same AppArmor profile:

#1033640: kea-lfc missing read access to /etc/resolv.conf
#1033639: kea-dhcp6-server wont start (apparmor and problems binding sockets)

They were fixed with https://salsa.debian.org/debian/isc-kea/-/merge_requests/27 which was uploaded to Debian experimental. I'm cherry-picking that fix here.

New value:

Two bugs have been reported in Debian that affect the Ubuntu packaging as well, since we share the same AppArmor profile:

#1033640: kea-lfc missing read access to /etc/resolv.conf

[Wed Mar 29 08:05:59 2023] audit: type=1400 audit(1680069960.544:88): apparmor="DENIED" operation="open" profile="kea-lfc" name="/etc/resolv.conf" pid=6641 comm="kea-lfc" requested_mask="r" denied_mask="r" fsuid=102 ouid=0

The existing AppArmor profile expected /etc/resolv.conf to be a symlink to /run/systemd/resolve/stub-resolv.conf, which is ok for a default installation, but nowadays /etc/resolv.conf can be managed in multiple ways. It can be a symlink to other resolv conf providers, or even a normal file. The nameservice AppArmor abstraction takes that into consideration, and much more.

#1033639: kea-dhcp6-server wont start (apparmor and problems binding sockets)

[Tue Mar 28 10:40:14 2023] audit: type=1400 audit(1679992815.512:30): apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1070 comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"

The dhcp6 server wasn't well tested with AppArmor, and missed the obvious inet6 requirement. It never showed up during development because the VMs where this was tested didn't have IPv6 enabled, which is an obvious mistake. In this case, the nameservice abstraction also takes care of adding the missing inet6 rule, and also solved the other errors the reporter was having.

They were fixed with https://salsa.debian.org/debian/isc-kea/-/merge_requests/27 which was uploaded to Debian experimental. I'm cherry-picking that fix here. This adds the AppArmor nameservice abstraction to all kea services.
2023-03-31 12:17:55 Andreas Hasenack isc-kea (Ubuntu): importance Undecided High
2023-04-01 22:21:58 Launchpad Janitor isc-kea (Ubuntu): status In Progress Fix Released
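
The two denial records quoted in the description can be reduced to the access each confined profile was refused, which is the first step in deciding whether a single rule or a broader abstraction such as nameservice is the right fix. This is an added example, not part of the bug report or the isc-kea packaging; the function names are made up for this illustration.

```python
import re
from collections import defaultdict

# The two kernel audit records quoted in the bug description on this page.
AUDIT_LINES = [
    '[Wed Mar 29 08:05:59 2023] audit: type=1400 audit(1680069960.544:88): '
    'apparmor="DENIED" operation="open" profile="kea-lfc" name="/etc/resolv.conf" '
    'pid=6641 comm="kea-lfc" requested_mask="r" denied_mask="r" fsuid=102 ouid=0',
    '[Tue Mar 28 10:40:14 2023] audit: type=1400 audit(1679992815.512:30): '
    'apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1070 '
    'comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0 '
    'requested_mask="create" denied_mask="create"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_denial(line):
    """Return the fields of one AppArmor audit record, or None if not a denial."""
    fields = {key: value.strip('"') for key, value in KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def describe(fields):
    """Classify a denial as a socket or a file access and name what was refused."""
    if "family" in fields:  # network mediation records carry family/sock_type
        return ("network", f'{fields["family"]} {fields["sock_type"]}')
    return ("file", f'{fields["name"]} {fields["denied_mask"]}')


def summarise(lines):
    """Group the distinct denied accesses by confined profile."""
    by_profile = defaultdict(set)
    for line in lines:
        fields = parse_denial(line)
        if fields:
            by_profile[fields["profile"]].add(describe(fields))
    return {profile: sorted(denied) for profile, denied in by_profile.items()}


if __name__ == "__main__":
    for profile, denied in summarise(AUDIT_LINES).items():
        print(profile, denied)
```
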