On Wed, Apr 10, 2019 at 08:34:47AM -0000, Lars wrote:
> [root@myhost:~]↥ 1 # namei -l /test/var/lib/dhcp/dhcpd.leases
> f: /test/var/lib/dhcp/dhcpd.leases
> drwxr-xr-x root  root  /
> drwxr-xr-x dhcpd dhcpd test
> drwxr-xr-x dhcpd dhcpd var
> drwxr-xr-x dhcpd dhcpd lib
> drwxr-xr-x dhcpd dhcpd dhcp
> -rw-r--r-- dhcpd dhcpd dhcpd.leases

Note that these permissions don't allow root to write to this file UNLESS
the CAP_DAC_OVERRIDE permission is used.

Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1823985

Title:
  isc-dhcp-server can't load leases file with apparmor enabled

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  I can't start isc-dhcp-server with apparmor enabled.

  I set a custom leases file in the dhcpd.conf:
   lease-file-name "/test/var/lib/dhcp/dhcpd.leases";

  and created a custom apparmor profile for that in /etc/apparmor.d/local/usr.sbin.dhcpd:
  /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,

  But when I try to start I see the following errors from dhcpd:

  Internet Systems Consortium DHCP Server 4.3.5
  Copyright 2004-2016 Internet Systems Consortium.
  All rights reserved.
  For info, please visit https://www.isc.org/software/dhcp/
  Config file: /etc/dhcp/dhcpd.conf
  Database file: /test/var/lib/dhcp/dhcpd.leases
  PID file: /run/dhcp-server/dhcpd.pid
  Can't open /test/var/lib/dhcp/dhcpd.leases for append.

  If you think you have received this message due to a bug rather
  than a configuration issue please read the section on submitting
  bugs on either our web page at www.isc.org or in the README file
  before submitting a bug.  These pages explain the proper
  process and the information we find helpful for debugging..

  exiting.

  
  And in the messages log I can see errors like this:

  Apr  9 17:07:03.601 myhost dhcpd[27361]: Can't open /test/var/lib/dhcp/dhcpd.leases for append.
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: If you think you have received this message due to a bug rather
  Apr  9 17:07:03.601 myhost dhcpd[27361]: than a configuration issue please read the section on submitting
  Apr  9 17:07:03.601 myhost dhcpd[27361]: bugs on either our web page at www.isc.org or in the README file
  Apr  9 17:07:03.601 myhost dhcpd[27361]: before submitting a bug.  These pages explain the proper
  Apr  9 17:07:03.601 myhost dhcpd[27361]: process and the information we find helpful for debugging..
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: exiting.
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"



  After disabling apparmor for dhcpd everything works as expected:

  ln -s /etc/apparmor.d/usr.sbin.dhcpd /etc/apparmor.d/disable/
  apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd

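The point made in the reply above, as an added example that is not part of the original message or the bug report: a Python check that applies the plain owner/group/other mode-bit rules to the `namei -l` listing quoted in the thread and reports whether a given user could open the leases file for writing without CAP_DAC_OVERRIDE. The function names are hypothetical, and ACLs and other capabilities are not modelled.

```python
# Added example: evaluate plain DAC mode bits over `namei -l` output (listing copied from the thread).
NAMEI = """\
f: /test/var/lib/dhcp/dhcpd.leases
drwxr-xr-x root  root  /
drwxr-xr-x dhcpd dhcpd test
drwxr-xr-x dhcpd dhcpd var
drwxr-xr-x dhcpd dhcpd lib
drwxr-xr-x dhcpd dhcpd dhcp
-rw-r--r-- dhcpd dhcpd dhcpd.leases
"""

def parse_namei(text):
    """Return [(mode, owner, group, name)] for each path component line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and len(parts[0]) == 10:  # skips the "f: <path>" header
            rows.append(tuple(parts))
    return rows

def perm_class(mode, owner, group, user, groups):
    """Pick the rwx triplet that applies: owner, else group, else other."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def dac_write_check(text, user, groups):
    """Return (allowed, reason) for writing the last component using mode bits only."""
    rows = parse_namei(text)
    for mode, owner, group, name in rows[:-1]:
        if perm_class(mode, owner, group, user, groups)[2] not in "xst":
            return False, f"no search permission on directory {name!r}"
    mode, owner, group, name = rows[-1]
    bits = perm_class(mode, owner, group, user, groups)
    if bits[1] != "w":
        return False, f"{name!r} is {mode} {owner}:{group}; class '{bits}' has no write bit"
    return True, "write allowed by mode bits"

if __name__ == "__main__":
    for user in ("root", "dhcpd"):
        print(user, dac_write_check(NAMEI, user, {user}))
```

A `False` result for root means the open can only succeed through CAP_DAC_OVERRIDE, which is the capability the AppArmor audit line in the report shows being denied.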