Bug#1055067: isc-dhcp-client: network-manager 1.44.2-3 changed path to nm-dhcp-helper, apparmor need update

Fri, 23 Feb 2024 13:57:38 -0800 

El 30/10/23 a las 18:29, Sven-Haegar Koch escribió:
> Package: isc-dhcp-client
> Version: 4.4.3-P1-4
> Severity: normal
> 
> Dear Maintainer,
> 
> I am using network manager with /etc/NetworkManager/NetworkManager.conf
> 
>       [main]
>       dhcp=dhclient
> 
> and thus using isc-dhcp-client as my DHCP client.
> 
> With the update of network-manager 1.44.2-3 the nm-dhcp-helper moved
> from /usr/lib/NetworkManager/ to /usr/libexec/.
> 
> Without a fix to /etc/apparmor.d/sbin.dhclient the system now fails to
> activate interfaces using DHCP, logging
> 
> audit: type=1400 audit(1698680734.539:50): apparmor="DENIED" operation="exec" 
> class="file" profile="/{,usr/}sbin/dhclient" 
> name="/usr/libexec/nm-dhcp-helper" pid=7523 comm="dhclient" 
> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> 
> The following diff fixes it for me - just duplicating the existing
> rules to the new path:
> 
> diff --git a/etc/apparmor.d/sbin.dhclient b/etc/apparmor.d/sbin.dhclient
> index 1acc6b92..b219d688 100644
> --- a/etc/apparmor.d/sbin.dhclient
> +++ b/etc/apparmor.d/sbin.dhclient
> @@ -69,6 +69,8 @@
>    # Support the new executable helper from NetworkManager.
>    /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
>    signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
> +  /usr/libexec/nm-dhcp-helper                     Pxrm,
> +  signal (receive) peer=/usr/libexec/nm-dhcp-helper,
>  
>    # Site-specific additions and overrides. See local/README for details.
>    #include <local/sbin.dhclient>
> @@ -101,6 +103,21 @@
>    network inet6 dgram,
>  }
>  
> +/usr/libexec/nm-dhcp-helper {
> +  #include <abstractions/base>
> +  #include <abstractions/dbus>
> +  /usr/libexec/nm-dhcp-helper mr,
> +
> +  /run/NetworkManager/private-dhcp rw,
> +  signal (send) peer=/sbin/dhclient,
> +
> +  /var/lib/NetworkManager/*lease r,
> +  signal (receive) peer=/usr/sbin/NetworkManager,
> +  ptrace (readby) peer=/usr/sbin/NetworkManager,
> +  network inet dgram,
> +  network inet6 dgram,
> +}
> +
>  /usr/lib/connman/scripts/dhclient-script {
>    #include <abstractions/base>
>    #include <abstractions/dbus>
> 
> 
> Greetings,
> Sven

Hi!

Really sorry, this has fallen through the cracks.

Could you please confirm the version available in this repo fixes the
issue:

https://debian.pages.debian.net/-/isc-dhcp/-/jobs/5350735/artifacts/aptly/index.html

Cheers,

 -- Santiago

Attachment: signature.asc
Description: PGP signature

Reply via email to