Hello everyone,

Recently I tried to set up Kea for DHCP4 on a small Hyper-V internal network using Debian 12 on my guest. The network range is 192.168.15.0/24 and the IP address of the DHCP server is 192.168.15.2.

I have attempted to install Kea using `apt install kea` and disabling the kea-dhcp-ddns-server service. Instead, I will use a systemd unit of my own against kea-dhcp4 running under the _kea user. So far so good. When I attempted to start Kea as either _kea or root, it gave me the error below.

    Unable to use interprocess sync lockfile (Permission denied): /var/run/kea/logger_lockfile

It turns out that this is a limitation imposed by AppArmor. When looking at the output of `journalctl | tail`, I see the following error message.

    Oct 21 16:10:32 dhcp audit[109415]: AVC apparmor="DENIED" operation="open" profile="kea-dhcp4" name="/run/kea/logger_lockfile" pid=109415 comm="kea-dhcp4" requested_mask="wrc" denied_mask="wrc" fsuid=102 ouid=102

For now I have simply moved the /etc/apparmor.d/usr.sbin.kea-dhcp4 file out of there, which seems to have solved the issue. I still do need to run the program as root, however; it can't seem to bind to 67/udp as _kea.

Considering that I'm on a limited schedule, and am already running this in Hyper-V using an internal switch, security is not my primary concern at this moment. But I don't think it's a great idea to keep this "hotfix" of mine (foregoing AppArmor for Kea altogether) left at rest for too long either.

Below is the documentation I've used so far.

[1] https://kea.readthedocs.io/en/latest/arm/config.html#json-configuration
[2] https://datatracker.ietf.org/doc/html/rfc7159
[3] https://groups.google.com/g/linux.debian.bugs.dist/c/EyXCDu5yL4o?pli=1
[4] https://wiki.debian.org/AppArmor/HowToUse
[5] https://blog.frehi.be/2023/12/25/protecting-your-linux-server-against-security-exploits-with-apparmor/
[6] https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#file-permissions

--
Kind regards,
Michael De Roover

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
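
An added example, not part of the original post and not code from Kea or the Debian package: a small Python parser that turns the AppArmor denial quoted in the message into a candidate file rule to review, so the profile can stay loaded with one narrow addition instead of being moved away. The function names are hypothetical, and whether the packaged profile should carry this rule is an assumption to check, not something the post establishes.

```python
import re

# The denial quoted in the post above (copied from the page, not constructed).
SAMPLE = ('Oct 21 16:10:32 dhcp audit[109415]: AVC apparmor="DENIED" '
          'operation="open" profile="kea-dhcp4" name="/run/kea/logger_lockfile" '
          'pid=109415 comm="kea-dhcp4" requested_mask="wrc" denied_mask="wrc" '
          'fsuid=102 ouid=102')

# key="quoted value" or key=bare (hex-encoded bare names are not decoded here).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log masks are finer-grained than policy: create (c) and delete (d) are both
# granted by "w" in a profile file rule. Exec (x) is left out on purpose,
# because a rule needs a transition mode that must be chosen by hand.
LOG_TO_POLICY = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "k": "k", "l": "l", "m": "m"}
ORDER = "rwalkm"

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in KV.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def policy_perms(mask):
    """Translate a denied_mask from the log into profile permission letters."""
    perms = {LOG_TO_POLICY[c] for c in mask if c in LOG_TO_POLICY}
    if "w" in perms:
        perms.discard("a")  # w and a are mutually exclusive; w covers append
    return "".join(p for p in ORDER if p in perms)

def candidate_rule(line):
    """Return (profile, rule) for a file denial, or None if nothing applies."""
    d = parse_denial(line)
    if d is None or "name" not in d or "denied_mask" not in d:
        return None
    perms = policy_perms(d["denied_mask"])
    if not perms:
        return None
    # Accessing user owns the file: the tighter "owner" form is enough.
    same_owner = d.get("fsuid") is not None and d.get("fsuid") == d.get("ouid")
    prefix = "owner " if same_owner else ""
    return d.get("profile"), f'{prefix}{d["name"]} {perms},'

if __name__ == "__main__":
    print(candidate_rule(SAMPLE))
```

The rule names `/run/kea/...` rather than the `/var/run/kea/...` path in Kea's own error because AppArmor mediates the resolved path, and `/var/run` is a symlink to `/run` on Debian.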