On Tue, Apr 09, 2019 at 03:15:26PM -0000, Lars wrote:
> I set a custom leases file in the dhcpd.conf:
> lease-file-name "/test/var/lib/dhcp/dhcpd.leases";
>
> and created a custom apparmor profile for that in
> /etc/apparmor.d/local/usr.sbin.dhcpd:
> /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,
>
> But when I try to start I see the following errors from dhcpd:
> Apr 9 17:07:03.603 myhost kernel: audit: type=1400
> audit(1554822423.596:221): apparmor="DENIED" operation="capable"
> profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1
> capname="dac_override"
> Apr 9 17:07:03.603 myhost kernel: audit: type=1400
> audit(1554822423.596:221): apparmor="DENIED" operation="capable"
> profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1
> capname="dac_override"

Hello Lars, this is indicating that the dhcpd service is trying to use
root's capability to bypass permissions to use this file. I suggest
checking the owner, group, and permissions of all directories and the
lease file. (namei -l /test/var/lib/dhcp/dhcpd.leases can be handy
for this.)

If all those owners and permissions are as you intended and you want the
dhcpd service to use root powers to access the file, then you'll also need
to modify the profile to allow the dhcpd daemon to use the dac_override:

  capability dac_override,

Thanks
--
https://bugs.launchpad.net/bugs/1823985
Title:
isc-dhcp-server can't load leases file with apparmor enabled
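
The ownership and permission check suggested in the reply can be automated. The following is an added example, not part of the original thread: a shell sketch that walks the path the way `namei -l` lists it and prints every component whose mode bits alone would not let a given uid/gid through, which is where the kernel falls back to dac_override. The function names `lacks_perm` and `check_path` are hypothetical; it assumes GNU `stat` and looks only at owner/group/other bits (no ACLs, no supplementary groups).

```shell
# Added example (not from the thread). Assumes GNU stat; classic mode bits only.

# lacks_perm UID GID OWNER GROUP MODE WANT
# True when the mode bits alone do not grant WANT (4=read 2=write 1=search).
# The kernel picks exactly one class: owner, else group, else other.
lacks_perm() {
    if [ "$1" -eq "$3" ]; then _s=6
    elif [ "$2" -eq "$4" ]; then _s=3
    else _s=0; fi
    [ $(( (0$5 >> $_s) & $6 )) -ne "$6" ]
}

# check_path UID GID FILE [START]
# Walk from START (default /) down to FILE. Directories need search (x),
# the lease file itself needs read+write. Prints each failing component.
# Exit status: 0 = no override needed, 1 = at least one component needs it,
# 2 = a component could not be examined.
check_path() (
    uid=$1 gid=$2 file=$3 cur=${4:-/} rc=0
    rest=${file#"$cur"}; rest=${rest#/}
    while :; do
        meta=$(stat -c '%u %g %a' "$cur") || exit 2
        if [ "$cur" = "$file" ]; then want=6; else want=1; fi
        # $meta is left unquoted on purpose: it splits into owner group mode
        if lacks_perm "$uid" "$gid" $meta "$want"; then
            echo "needs dac_override: $cur (owner group mode: $meta)"
            rc=1
        fi
        [ "$cur" = "$file" ] && break
        [ -n "$rest" ] || exit 2          # FILE is not below START
        cur=${cur%/}/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
    exit "$rc"
)

# Usage for a daemon running as root (uid 0, gid 0) and the path from the thread:
#   check_path 0 0 /test/var/lib/dhcp/dhcpd.leases
```

Even uid 0 is matched against the owner, group or other bits here, because a root process confined without `capability dac_override` gets no bypass of those bits.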