On Tue, Apr 09, 2019 at 03:15:26PM -0000, Lars wrote:
> I set a custom leases file in the dhcpd.conf:
>  lease-file-name "/test/var/lib/dhcp/dhcpd.leases";
> 
> and created a custom apparmor profile for that in 
> /etc/apparmor.d/local/usr.sbin.dhcpd:
> /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,
> 
> But when I try to start I see the following errors from dhcpd:

> Apr  9 17:07:03.603 myhost kernel: audit: type=1400 
> audit(1554822423.596:221): apparmor="DENIED" operation="capable" 
> profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  
> capname="dac_override"
> Apr  9 17:07:03.603 myhost kernel: audit: type=1400 
> audit(1554822423.596:221): apparmor="DENIED" operation="capable" 
> profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  
> capname="dac_override"

Hello Lars, this is indicating that the dhcpd service is trying to use
root's capability to bypass permissions to use this file. I suggest
checking the owner, group, and permissions of all directories and the
lease file. (namei -l /test/var/lib/dhcp/dhcpd.leases can be handy
for this.)

If all those owners and permissions are as you intended and you want the
dhcpd service to use root powers to access the file, then you'll also need
to modify the profile to allow the dhcpd daemon to use the dac_override:

  capability dac_override,

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1823985

Title:
  isc-dhcp-server can't load leases file with apparmor enabled

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  I can't start isc-dhcp-server with apparmor enabled.

  I set a custom leases file in the dhcpd.conf:
   lease-file-name "/test/var/lib/dhcp/dhcpd.leases";

  and created a custom apparmor profile for that in /etc/apparmor.d/local/usr.sbin.dhcpd:
  /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,

  But when I try to start I see the following errors from dhcpd:

  Internet Systems Consortium DHCP Server 4.3.5
  Copyright 2004-2016 Internet Systems Consortium.
  All rights reserved.
  For info, please visit https://www.isc.org/software/dhcp/
  Config file: /etc/dhcp/dhcpd.conf
  Database file: /test/var/lib/dhcp/dhcpd.leases
  PID file: /run/dhcp-server/dhcpd.pid
  Can't open /test/var/lib/dhcp/dhcpd.leases for append.

  If you think you have received this message due to a bug rather
  than a configuration issue please read the section on submitting
  bugs on either our web page at www.isc.org or in the README file
  before submitting a bug.  These pages explain the proper
  process and the information we find helpful for debugging..

  exiting.

  
  And in the messages log I can see errors like this:

  Apr  9 17:07:03.601 myhost dhcpd[27361]: Can't open /test/var/lib/dhcp/dhcpd.leases for append.
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: If you think you have received this message due to a bug rather
  Apr  9 17:07:03.601 myhost dhcpd[27361]: than a configuration issue please read the section on submitting
  Apr  9 17:07:03.601 myhost dhcpd[27361]: bugs on either our web page at www.isc.org or in the README file
  Apr  9 17:07:03.601 myhost dhcpd[27361]: before submitting a bug.  These pages explain the proper
  Apr  9 17:07:03.601 myhost dhcpd[27361]: process and the information we find helpful for debugging..
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: exiting.
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"

  After disabling apparmor for dhcpd everything works as expected:

  ln -s /etc/apparmor.d/usr.sbin.dhcpd /etc/apparmor.d/disable/
  apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd
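
A scripted form of the namei -l check suggested in the reply, as an added example that is not part of the original thread: it walks each component of the lease path and reports where the owner/group/other bits alone would refuse a given uid, which is where dac_override would be needed. The function name and the choice of uid 0 / gid 0 in the demo are assumptions; ACLs are not evaluated.

```python
import os
import stat

BITS = {"r": 4, "w": 2, "x": 1}

def dac_refusals(path, uid, gids, want_final="rw"):
    """List path components where the plain owner/group/other bits refuse
    the given uid/gids, so access would only succeed via a capability
    such as dac_override. Pure mode-bit evaluation; ACLs are ignored."""
    path = os.path.realpath(path)          # resolve symlinks first
    comps = [path]
    while os.path.dirname(comps[-1]) != comps[-1]:
        comps.append(os.path.dirname(comps[-1]))
    comps.reverse()                        # "/", "/test", ..., the file

    refusals = []
    for comp in comps:
        st = os.stat(comp)
        # Directories on the way need search (x); the last component
        # needs what the daemon asked for (opening for append needs w).
        want = want_final if comp == path else "x"
        # Linux applies exactly one class: owner, else group, else other.
        if uid == st.st_uid:
            shift = 6
        elif st.st_gid in gids:
            shift = 3
        else:
            shift = 0
        mode = stat.S_IMODE(st.st_mode)
        granted = (mode >> shift) & 7
        missing = "".join(c for c in want if not granted & BITS[c])
        if missing:
            refusals.append((comp, st.st_uid, st.st_gid, oct(mode), missing))
    return refusals

if __name__ == "__main__":
    # Path taken from the report; uid 0 / gid 0 is assumed because the
    # reply describes the daemon reaching for root's capability.
    target = "/test/var/lib/dhcp/dhcpd.leases"
    if os.path.exists(target):
        for row in dac_refusals(target, uid=0, gids={0}):
            print(*row)
```

Each row printed is a component whose owner, group or mode should be corrected before considering adding the capability to the profile.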
