@hloeung we fixed this in Debian, but to backport it to noble, would you kindly add information to the [test plan] above, i.e. what you can do to verify the bug is gone? Then, once we have placed the package in proposed, you could use this test to confirm we have indeed fixed the bug now.
** Description changed: + [ Impact ] + + * Apparmor denies access to lock the file /run/lock/kea/logger_lockfile + which is used by kea internally for its logging system. + + * Since this is intended, allowing the "k" mask resolves the problem + + [ Test Plan ] + + * TODO + + [ Where problems could occur ] + + * Since this is a just new permission allowed, regression potential is low. + * Otherwise, there could be issues due to the update rollout/service restart. + + [ Other Info ] + + * Fixed in debian through https://salsa.debian.org/debian/isc- + kea/-/merge_requests/62 + + [ Original report ] + Hi, Seeing: | [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 | [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.039:12141): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 | [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 | [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.085:12143): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 The AppArmor profile allows `file_lock` to `/run/kea/logger_lockfile` but not to `/run/lock/kea/logger_lockfile`. Changing it to this fixes it for me: ``` diff --git a/apparmor.d/usr.sbin.kea-lfc b/apparmor.d/usr.sbin.kea-lfc index ae165fa..11f6a92 100644 --- a/apparmor.d/usr.sbin.kea-lfc +++ b/apparmor.d/usr.sbin.kea-lfc 
@@ -11,7 +11,7 @@ profile kea-lfc /usr/sbin/kea-lfc { - /usr/sbin/kea-lfc mr, + /usr/sbin/kea-lfc mr, - owner /run/kea/logger_lockfile rwk, + owner /run/kea/logger_lockfile rwk, - owner /run/lock/kea/logger_lockfile rw, + owner /run/lock/kea/logger_lockfile rwk, - # Control sockets - # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both + # Control sockets + # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both ```
https://bugs.launchpad.net/bugs/2121327
Title: AppArmor missing file_lock for logger_lockfile
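Review bot: the `k` added on the `owner /run/lock/kea/logger_lockfile` line is applied only in apparmor.d/usr.sbin.kea-lfc, while the quoted denials show comm="kea-dhcp4" under profile="kea-lfc"; please confirm that the other Kea profiles shipped alongside this one do not carry the same `rw`-only rule for this path, and change them to `rwk` in the same upload if they do. The rule keeps the `owner` qualifier, which is consistent with fsuid=114 ouid=114 in the log, so the grant stays as narrow as the existing /run/kea/logger_lockfile one. For the still-open test plan, one check that follows directly from the report is that no apparmor="DENIED" operation="file_lock" line naming /run/lock/kea/logger_lockfile appears in the kernel log after the service is restarted with the updated profile loaded.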
