[Touch-packages] [Bug 1747333] Re: apparmor rules deny lease backup
These are not AppArmor messages. AppArmor messages clearly say apparmor="DENIED" or apparmor="ALLOWED" or similar.

Audit message 1702 is generated when an application trips a link restriction denial:
https://github.com/torvalds/linux/blob/master/kernel/audit.c#L2254

The "linkat" version of the message comes from:
https://github.com/torvalds/linux/blob/master/fs/namei.c#L968

If you want to enable the unsafe hardlink behaviour you can set a sysctl to do so. (This is a homework problem left for the reader.)

Audit message 1302 reports a filename:
https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L89

Since this is the next audit record after the 1702 message, I believe this is just reporting *which* file was involved in the previous unsafe link behaviour.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1747333

Title:
  apparmor rules deny lease backup

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  Occasionally, I see this in my logs:

  Feb 4 02:27:07 giskard2 dhcpd[11485]: Can't backup lease database /var/lib/dhcp/dhcpd.leases to /var/lib/dhcp/dhcpd.leases~: Operation not permitted
  Feb 4 02:27:07 giskard2 kernel: [237980.192671] audit: type=1702 audit(1517711227.717:14): op=linkat ppid=1 pid=11485 auid=4294967295 uid=111 gid=121 euid=111 suid=111 fsuid=111 egid=121 sgid=121 fsgid=121 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" res=0
  Feb 4 02:27:07 giskard2 kernel: [237980.192686] audit: type=1302 audit(1517711227.717:15): item=0 name="/var/lib/dhcp/dhcpd.leases" inode=3932557 dev=08:01 mode=0100644 ouid=0 ogid=121 rdev=00:00 nametype=NORMAL cap_fp= cap_fi= cap_fe=0 cap_fver=0

  Essentially indicating that the apparmor profile has declined to allow a backup leases file to be created. However, the file does appear to be created.

  I am unsure why the message is being logged (is the file being created correctly? -- I do not know enough of dhcpd to tell).

  # lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 16.04.3 LTS
  Release:        16.04
  Codename:       xenial

  # dpkg -l | grep dhcp
  ii  isc-dhcp-client     4.3.3-5ubuntu12.7  amd64  DHCP client for automatically obtaining an IP address
  ii  isc-dhcp-common     4.3.3-5ubuntu12.7  amd64  common files used by all of the isc-dhcp packages
  ii  isc-dhcp-server     4.3.3-5ubuntu12.7  amd64  ISC DHCP server for automatic IP address assignment
  ii  wide-dhcpv6-client  20080615-16        amd64  DHCPv6 client for automatic IPv6 hosts configuration

  # dpkg -l | grep apparmor
  ii  apparmor             2.10.95-0ubuntu2.7  amd64  user-space parser utility for AppArmor
  ii  apparmor-utils       2.10.95-0ubuntu2.7  amd64  utilities for controlling AppArmor
  ii  libapparmor-perl     2.10.95-0ubuntu2.7  amd64  AppArmor library Perl bindings
  ii  libapparmor1:amd64   2.10.95-0ubuntu2.7  amd64  changehat AppArmor library
  ii  python3-apparmor     2.10.95-0ubuntu2.7  amd64  AppArmor Python3 utility library
  ii  python3-libapparmor  2.10.95-0ubuntu2.7  amd64  AppArmor library Python3 bindings

  # ls -la /var/lib/dhcp
  total 16
  drwxrwsr-x  2 root dhcpd 4096 Feb 5 01:57 .
  drwxr-xr-x 52 root root  4096 Oct 3 2016 ..
  -rw-r--r--  1 root dhcpd 1003 Feb 5 02:27 dhcpd.leases
  -rw-r--r--  1 root dhcpd 1631 Feb 5 01:57 dhcpd.leases~

  # find /etc/apparmor
  /etc/apparmor
  /etc/apparmor/init
  /etc/apparmor/init/network-interface-security
  /etc/apparmor/init/network-interface-security/sbin.dhclient
  /etc/apparmor/init/network-interface-security/usr.sbin.ntpd
  /etc/apparmor/severity.db
  /etc/apparmor/parser.conf
  /etc/apparmor/logprof.conf
  /etc/apparmor/subdomain.conf

  # find /etc/apparmor.d/
  /etc/apparmor.d/
  /etc/apparmor.d/usr.sbin.dhcpd
  /etc/apparmor.d/sbin.dhclient
  /etc/apparmor.d/usr.sbin.rsyslogd
  /etc/apparmor.d/usr.sbin.tcpdump
  /etc/apparmor.d/usr.sbin.named
  /etc/apparmor.d/abstractions
  /etc/apparmor.d/abstractions/ubuntu-helpers
  /etc/apparmor.d/abstractions/kde
  /etc/apparmor.d/abstractions/dbus-session
  /etc/apparmor.d/abstractions/nis
  /etc/apparmor.d/abstractions/base
  /etc/apparmor.d/abstractions/apparmor_api
  /etc/apparmor.d/abstractions/apparmor_api/examine
  /etc/apparmor.d/abstractions/apparmor_api/introspect
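
The triage described in the reply above, as an added example that is not part of the original message or of any kernel or Ubuntu code: it separates AppArmor records from link-restriction records, pairs each type=1702 record with the type=1302 record that follows it, and checks why the hardlink was refused. The function names are hypothetical, the third sample record is constructed, and the permission model assumes only the fsuid/fsgid shown in the record (no supplementary groups, no CAP_FOWNER).

```python
import re

# Constructed sample: the two kernel audit records quoted in the bug report,
# plus one made-up AppArmor record for contrast.
SAMPLE = '''\
audit: type=1702 audit(1517711227.717:14): op=linkat ppid=1 pid=11485 auid=4294967295 uid=111 gid=121 euid=111 suid=111 fsuid=111 egid=121 sgid=121 fsgid=121 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" res=0
audit: type=1302 audit(1517711227.717:15): item=0 name="/var/lib/dhcp/dhcpd.leases" inode=3932557 dev=08:01 mode=0100644 ouid=0 ogid=121 rdev=00:00 nametype=NORMAL cap_fp= cap_fi= cap_fe=0 cap_fver=0
audit: type=1400 audit(1517711300.000:16): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/tmp/example" pid=11485 comm="dhcpd"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def hardlink_allowed(link, path):
    """Model of the fs.protected_hardlinks test: the caller must own the
    file, or it must be a regular, non-setuid file it can read and write.
    Assumption: only fsuid/fsgid are known (no supplementary groups, no
    CAP_FOWNER), which is all the audit record carries."""
    mode = int(path["mode"], 8)
    if link["fsuid"] == path["ouid"]:
        return True
    if (mode & 0o170000) != 0o100000 or mode & 0o4000:  # not regular, or setuid
        return False
    if (mode & 0o2010) == 0o2010:                       # setgid + group-exec
        return False
    bits = (mode >> 3) if link["fsgid"] == path["ogid"] else mode
    return (bits & 0o6) == 0o6                          # needs read AND write

def triage(log):
    """Pair each type=1702 (link restriction) record with the type=1302
    (PATH) record that follows it; report AppArmor records separately."""
    findings, pending = [], None
    for line in log.splitlines():
        rec = parse(line)
        if "apparmor" in rec:
            findings.append(("apparmor", rec["apparmor"], rec.get("name")))
        elif rec.get("type") == "1702":
            pending = rec
        elif rec.get("type") == "1302" and pending:
            findings.append(("link-restriction", pending["comm"], rec["name"],
                             hardlink_allowed(pending, rec)))
            pending = None
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

For the reported records the check returns False: dhcpd runs with fsuid 111, while dhcpd.leases is owned by uid 0 with mode 0644, so group 121 can read the file but not write it.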
[Touch-packages] [Bug 1747333] Re: apparmor rules deny lease backup
This problem looks very similar to
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1543794