Admitting I know very little about AppArmor, here is the profile that worked for me:
# cat /etc/apparmor.d/usr.sbin.dhcpd

# vim:syntax=apparmor

#include <tunables/global>

/usr/sbin/dhcpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability net_raw,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  network inet raw,
  network packet raw,

  /etc/dhcp/dhcpd.conf  r,
  /etc/dhcp/dhcpd6.conf r,
  /etc/bind/*           r,
  /etc/hosts.allow      r,
  /etc/hosts.deny       r,
  @{PROC}/net/dev       r,
  /usr/sbin/dhcpd       rmix,
  /var/lib/dhcp/dhcpd.leases*   rwl,
  /var/lib/dhcp/dhcpd6.leases*  rwl,
  /{,var/}run/dhcp-server/dhcpd.pid     wl,
}

https://bugs.launchpad.net/bugs/1901373

Title:
  isc-dhcp-server AppArmor Denied on
  /proc/sys/net/ipv4/ip_local_port_range

Status in isc-dhcp package in Ubuntu:
  Confirmed

Bug description:
  The following AppArmor denial errors are shown on startup:

  Oct 25 00:52:00 xxx kernel: [  556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Oct 25 00:52:00 xxx kernel: [  556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  
  Fix is to edit /etc/apparmor.d/local/usr.sbin.dhcpd to have:
  @{PROC}/sys/net/ipv4/ip_local_port_range r,


  'lsb_release -rd':
  Description:    Ubuntu 20.04.1 LTS
  Release:        20.04

  isc-dhcp-server:
    Installed: 4.4.1-2.1ubuntu5
    Candidate: 4.4.1-2.1ubuntu5
    Version table:
   *** 4.4.1-2.1ubuntu5 500
          500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
          100 /var/lib/dpkg/status

  apparmor:
    Installed: 2.13.3-7ubuntu5.1
    Candidate: 2.13.3-7ubuntu5.1
    Version table:
   *** 2.13.3-7ubuntu5.1 500
          500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.13.3-7ubuntu5 500
          500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
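
An added example (not part of the bug report or of the isc-dhcp or apparmor packages): it parses AppArmor DENIED audit records like the two in the bug description and derives the local-override rule given there as the fix. The sample log is constructed from those two records plus one unrelated line, and the mapping from profile name to override file name is assumed from the path quoted in the report.

```python
import re
from collections import defaultdict

# Constructed input: the two denials from the bug description, unwrapped,
# plus one non-AppArmor line that must be ignored.
SAMPLE_LOG = """\
Oct 25 00:52:00 xxx kernel: [  556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 25 00:52:00 xxx kernel: [  556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 25 00:52:01 xxx systemd[1]: Started ISC DHCP IPv4 server.
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' in line:
            records.append({k: quoted or bare
                            for k, quoted, bare in FIELD.findall(line)})
    return records

def suggest_rules(records):
    """Map local-override file -> file rules that would cover the denials."""
    masks = defaultdict(set)  # (profile, path) -> denied permission letters
    for rec in records:
        if "name" not in rec or "denied_mask" not in rec:
            continue  # capability/network denials need a different rule type
        masks[(rec["profile"], rec["name"])].update(rec["denied_mask"])
    rules = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        if path.startswith("/proc/"):
            # Use the same @{PROC} tunable form the profile and the fix use.
            path = "@{PROC}/" + path[len("/proc/"):]
        # Assumed naming: override file is the profile path with "/" -> ".".
        local = "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")
        rules[local].append(f"{path} {''.join(sorted(perms))},")
    return dict(rules)

if __name__ == "__main__":
    for local_file, lines in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# add to {local_file}")
        print("\n".join("  " + rule for rule in lines))
```

Repeated denials for the same path collapse into one rule, so the two records above yield the single line from the fix; review each suggested rule before adding it to the override file.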
