[Touch-packages] [Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2022-12-28 Thread Jesper Jensen
Confirm this is still a problem in

  Description: Ubuntu 22.04.1 LTS
  Release: 22.04

Solution proposed worked for me on a stock Ubuntu install.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1901373

Title:
  isc-dhcp-server AppArmor Denied on
  /proc/sys/net/ipv4/ip_local_port_range

Status in isc-dhcp package in Ubuntu:
  Confirmed

Bug description:
  The following AppArmor denial errors are shown on startup:

  Oct 25 00:52:00 xxx kernel: [  556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Oct 25 00:52:00 xxx kernel: [  556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  
  Fix is to edit /etc/apparmor.d/local/usr.sbin.dhcpd to have:
  @{PROC}/sys/net/ipv4/ip_local_port_range r,


  'lsb_release -rd':
  Description: Ubuntu 20.04.1 LTS
  Release: 20.04

  isc-dhcp-server:
    Installed: 4.4.1-2.1ubuntu5
    Candidate: 4.4.1-2.1ubuntu5
    Version table:
   *** 4.4.1-2.1ubuntu5 500
          500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
          100 /var/lib/dpkg/status

  apparmor:
    Installed: 2.13.3-7ubuntu5.1
    Candidate: 2.13.3-7ubuntu5.1
    Version table:
   *** 2.13.3-7ubuntu5.1 500
          500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.13.3-7ubuntu5 500
          500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1901373/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
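
The denial records in the bug description carry everything needed to derive the one-line local override. The following Python script is an added example, not part of the bug report or of AppArmor's own tooling: it parses such records and emits the matching rule. The function names are hypothetical; the first two sample lines are the records from the report, unwrapped, and the third is constructed.

```python
import re

# First two records: the denials from the bug report, unwrapped.
# Third record: constructed, to show that non-denial records are skipped.
SAMPLE_LOG = (
    'Oct 25 00:52:00 xxx kernel: [  556.231990] audit: type=1400 '
    'audit(1603601520.710:32): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" '
    'pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    'Oct 25 00:52:00 xxx kernel: [  556.232257] audit: type=1400 '
    'audit(1603601520.710:33): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" '
    'pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    'Oct 25 00:52:01 xxx kernel: [  556.300000] audit: type=1400 '
    'audit(1603601521.000:34): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="/usr/sbin/dhcpd" pid=2001 comm="apparmor_parser"\n'
)

# key="quoted value" or key=bare_value pairs as they appear in audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks use c (create) and d (delete); a profile grants both with w.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def denials_to_rules(log_text, profile):
    """Turn file denials logged for `profile` into de-duplicated path rules."""
    denied = {}  # path -> set of permission letters, in first-seen order
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        path = rec.get("name", "")
        if not path.startswith("/"):
            continue  # not a file access (e.g. a capability or network denial)
        mask = rec.get("denied_mask", "")
        denied.setdefault(path, set()).update(
            MASK_TO_PERM.get(c, c) for c in mask if c.isalpha())
    rules = []
    for path, perms in denied.items():
        if path.startswith("/proc/"):  # profiles name procfs via the @{PROC} tunable
            path = "@{PROC}/" + path[len("/proc/"):]
        rules.append(f"{path} {''.join(sorted(perms))},")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG, "/usr/sbin/dhcpd")))
```

Review each emitted rule before adding it to /etc/apparmor.d/local/usr.sbin.dhcpd, since every rule widens what dhcpd may touch. Reload the profile afterwards with `apparmor_parser -r /etc/apparmor.d/usr.sbin.dhcpd`.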


[Touch-packages] [Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2021-05-19 Thread John Johansen
@norm-audrey as I read it the proposed fix does not contain a '''
character. It is the single line

  @{PROC}/sys/net/ipv4/ip_local_port_range r,


Did you perhaps also copy the following line?

  'lsb_release -rd':

That would indeed result in the reported error. I am not sure how the
profile in comment #4 would fix the originally reported deny message
except by causing dhcpd to not use the code path resulting in the
denial.


As for the difference between the two profiles: they don't have a completely
different form. Both have evolved from a similar base, so they have much in
common but do have some differences. The profile from
https://github.com/Harvie/AppArmor-Profiles/blob/master/usr.sbin.dhcpd
is an older version of the one carried by the upstream project:
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.sbin.dhcpd

Beyond whitespace differences I see

different conf file locations

  /etc/dhcpd.conf r,
  /etc/named.d/* r,

vs.

  /etc/dhcp/dhcpd.conf r,
  /etc/dhcp/dhcpd6.conf r,
  /etc/bind/* r,


broader lease location in the old upstream version

  /var/lib/dhcp/{db/,}dhcpd.leases* rwl,

vs.

  /var/lib/dhcp/dhcpd6.leases* rwl,


support for ipv6 leases in your version

  /var/lib/dhcp/{db/,}dhcpd.leases* rwl,

vs

  /var/lib/dhcp/dhcpd.leases* rwl,
  /var/lib/dhcp/dhcpd6.leases* rwl,

note: current upstream has broader leases and ipv6

  /var/lib/dhcp/{db/,}dhcpd{6,}.leases* rwl,


different pid file location

  /{,var/}run/dhcpd.pid wl,

vs.

  /{,var/}run/dhcp-server/dhcpd.pid wl,


Some of this could come down to system configuration of dhcpd.



[Touch-packages] [Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2021-05-19 Thread Norman Henderson
Admitting I know very little about apparmor, here is the profile that worked 
for me:
# cat /etc/apparmor.d/usr.sbin.dhcpd

# vim:syntax=apparmor

#include 

/usr/sbin/dhcpd {
  #include 
  #include 

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability net_raw,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  network inet raw,
  network packet raw,

  /etc/dhcp/dhcpd.conf  r,
  /etc/dhcp/dhcpd6.conf r,
  /etc/bind/*   r,
  /etc/hosts.allow  r,
  /etc/hosts.deny   r,
  @{PROC}/net/dev   r,
  /usr/sbin/dhcpd   rmix,
  /var/lib/dhcp/dhcpd.leases*   rwl,
  /var/lib/dhcp/dhcpd6.leases*  rwl,
  /{,var/}run/dhcp-server/dhcpd.pid wl,
}



[Touch-packages] [Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2021-05-19 Thread Norman Henderson
Proposed fix does not work for me, gives AppArmor parser error at line
3: Found unexpected character '''

I am also puzzled that this apparmor profile is completely different in form 
than others proposed e.g. at:
https://github.com/Harvie/AppArmor-Profiles/blob/master/usr.sbin.dhcpd
???



[Touch-packages] [Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2021-03-15 Thread Michael Albert
I can confirm that I am seeing this same behavior. The proposed fix also
worked for me.



[Touch-packages] [Bug 1901373] Re: isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

2021-03-15 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: isc-dhcp (Ubuntu)
   Status: New => Confirmed
