Public bug reported:

Hi,

Seeing:

| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): 
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" 
name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" 
requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.039:12141): 
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" 
name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" 
requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): 
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" 
name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" 
requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.085:12143): 
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" 
name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" 
requested_mask="k" denied_mask="k" fsuid=114 ouid=114

The AppArmor profile allows `file_lock` to `/run/kea/logger_lockfile`
but not to `/run/lock/kea/logger_lockfile`. Changing it to this fixes it
for me:

```
diff --git a/apparmor.d/usr.sbin.kea-lfc b/apparmor.d/usr.sbin.kea-lfc
index ae165fa..11f6a92 100644
--- a/apparmor.d/usr.sbin.kea-lfc
+++ b/apparmor.d/usr.sbin.kea-lfc
@@ -11,7 +11,7 @@ profile kea-lfc /usr/sbin/kea-lfc {
   /usr/sbin/kea-lfc mr,

   owner /run/kea/logger_lockfile rwk,
-  owner /run/lock/kea/logger_lockfile rw,
+  owner /run/lock/kea/logger_lockfile rwk,

   # Control sockets
   # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both
```
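Review bot: the changed rule now carries the same `rwk` as the `owner /run/kea/logger_lockfile rwk,` line directly above it, so the two could be one rule, `owner /run/{,lock/}kea/logger_lockfile rwk,`, which keeps the two paths from drifting apart again. The added `k` matches the `denied_mask="k"` in the log and the rule stays `owner`-scoped, so nothing beyond the lock is granted. A short comment saying why both paths are listed would help, since the control sockets below have one and these lines do not.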

** Affects: isc-kea (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: isc-kea (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Also affects: isc-kea (Ubuntu Noble)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2121327

Title:
  AppArmor missing file_lock for logger_lockfile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/2121327/+subscriptions
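An added example, not part of the original bug report or of the isc-kea packaging: a small Python check that reads AppArmor `DENIED` records as pasted above (mail line-wrapping included) and reports which permission letters the profile's rules lack for the denied path. The function names and the literal-path-only rule parser are assumptions made for this illustration, and the rule text is assumed to belong to the profile named in the log.

```python
import re

# Constructed sample: two denial records as they appear in the report,
# including the mail line-wrapping and the "| " prefix.
SAMPLE_LOG = '''\
| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140):
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc"
name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4"
requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142):
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc"
name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4"
requested_mask="k" denied_mask="k" fsuid=114 ouid=114
'''
# The two logger_lockfile rules before and after the proposed change.
RULES_BEFORE = '''\
  owner /run/kea/logger_lockfile rwk,
  owner /run/lock/kea/logger_lockfile rw,
'''
RULES_AFTER = RULES_BEFORE.replace("logger_lockfile rw,", "logger_lockfile rwk,")

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'\s*(?:owner\s+)?(/\S+)\s+([a-z]+),')
LOG_TO_RULE = {"c": "w", "d": "w"}  # create/delete in logs are covered by 'w'

def parse_denials(log):
    """Yield the key=value fields of each AppArmor DENIED record."""
    flat = " ".join(log.split())  # undo line-wrapping
    for record in re.split(r"(?=audit: type=)", flat):
        fields = {k: q or b for k, q, b in FIELD.findall(record)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def parse_rules(text):
    """Map literal path -> granted letters (no globs, variables or includes)."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).update(m.group(2))
    return rules

def missing_permissions(log, rules_text):
    """Return {(profile, path): letters denied in the log but absent from the rules}."""
    rules, gaps = parse_rules(rules_text), {}
    for d in parse_denials(log):
        wanted = {LOG_TO_RULE.get(c, c) for c in d.get("denied_mask", "")}
        missing = wanted - rules.get(d.get("name"), set())
        if missing:
            gaps.setdefault((d.get("profile"), d.get("name")), set()).update(missing)
    return gaps
```

Run against the rules before the change it reports `k` missing for `/run/lock/kea/logger_lockfile` under `kea-lfc`; against the rules after the change it reports nothing.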

