[Touch-packages] [Bug 1918410] Re: isc-dhcp-client denied by apparmor

Sat, 27 Mar 2021 05:31:01 -0700 

Okay adding the suggested rule


works for me. So it would seem dhclient is treating denied access to comm as a 
fatal error.

Interestingly I also had it throw a rejection for capability sys_module

[ 1645.480546] audit: type=1400 audit(1616847221.859:73):
apparmor="DENIED" operation="capable" profile="/{,usr/}sbin/dhclient"
pid=3380 comm="dhclient" capability=16  capname="sys_module"

which should not generally be required anymore. See
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1759032

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1918410

Title:
  isc-dhcp-client denied by apparmor

Status in isc-dhcp package in Ubuntu:
  Confirmed

Bug description:
  Hi, I get weird errors in the audit log, seeing dhclient is being
  denied reading its comm or the comm of one of its tasks:

  
  [1383307.827378] audit: type=1400 audit(1615367094.054:162): 
apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" 
name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" 
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  This might or might not be linked with the fact that I can't get an
  IPv4 on this interface. Note that it happened to other, see this
  comment:

  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8

  Or even an article recommending disabling apparmor for dhclient(!):
  
https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/

  
  As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, 
because running it manually *does* succeed in getting an IP. And running it in 
strace shows the EACCES failure:

  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: 
Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1918410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to