** Description changed: [ Impact ] - * Apparmor denies access to lock the file /run/lock/kea/logger_lockfile - which is used by kea internally for its logging system. + * Apparmor denies access to lock the file /run/lock/kea/logger_lockfile + which is used by kea internally for its logging system. - * Since this is intended, allowing the "k" mask resolves the problem + * Since this is intended, allowing the "k" mask resolves the problem [ Test Plan ] - * TODO + * install kea-dhcp4-server + * start kea-dhcp4-server.service + * execute the lease file cleanup service: kea-lfc -d [ Where problems could occur ] - * Since this is a just new permission allowed, regression potential is low. - * Otherwise, there could be issues due to the update rollout/service restart. + * Since this is a just new permission allowed, regression potential is low. + * Otherwise, there could be issues due to the update rollout/service restart. [ Other Info ] - * Fixed in debian through https://salsa.debian.org/debian/isc- + * Fixed in debian through https://salsa.debian.org/debian/isc- kea/-/merge_requests/62 [ Original report ] Hi, Seeing: | [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 | [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.039:12141): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 | [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 | [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.085:12143): 
apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114 The AppArmor profile allows `file_lock` to `/run/kea/logger_lockfile` but not to `/run/lock/kea/logger_lockfile`. Changing it to this fixes it for me: ``` diff --git a/apparmor.d/usr.sbin.kea-lfc b/apparmor.d/usr.sbin.kea-lfc index ae165fa..11f6a92 100644 --- a/apparmor.d/usr.sbin.kea-lfc +++ b/apparmor.d/usr.sbin.kea-lfc @@ -11,7 +11,7 @@ profile kea-lfc /usr/sbin/kea-lfc { /usr/sbin/kea-lfc mr, owner /run/kea/logger_lockfile rwk, - owner /run/lock/kea/logger_lockfile rw, + owner /run/lock/kea/logger_lockfile rwk, # Control sockets # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both ```
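Review bot: The changed rule `owner /run/lock/kea/logger_lockfile rwk,` has no comment explaining why the profile carries a lock rule under both /run/kea/ and /run/lock/kea/, while the next block in the same file does document its history ("Before LP: #1863100, these were in /tmp"). Suggest a one-line comment above the two logger_lockfile rules naming the logging lock and this bug number. Keeping the `owner` qualifier matches the quoted denials (fsuid=114 ouid=114). The patch touches only usr.sbin.kea-lfc, so it is worth checking whether any other kea profile has the same path with `rw` but no `k`.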
--
https://bugs.launchpad.net/bugs/2121327

Title: AppArmor missing file_lock for logger_lockfile
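Added example, not part of the bug report or of the isc-kea packaging: a small Python check that groups AppArmor file denials like those quoted in the report by profile, path and mask, and tests a profile rule line against the denied mask. The function names and the simplified permission comparison are assumptions of this example.

```python
import re
from collections import Counter

# Two denial lines copied from the report, plus two constructed lines
# (an ALLOWED event and an unrelated kernel message) that must be ignored.
SAMPLE = """\
[Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
[Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
[Sat Aug 23 21:53:27 2025] audit: type=1400 audit(1755985943.001:12144): apparmor="ALLOWED" operation="open" class="file" profile="example" name="/tmp/constructed" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Sat Aug 23 21:53:28 2025] constructed: unrelated kernel message
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
W_IMPLIES = set("acd")  # append/create/delete in a log mask are granted by "w"

def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def file_denials(log):
    """Count DENIED file events by (profile, path, denied_mask, owner_match)."""
    counts = Counter()
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "DENIED" or "name" not in f or "denied_mask" not in f:
            continue
        # fsuid == ouid means a rule with the "owner" qualifier can match.
        owner = "fsuid" in f and f["fsuid"] == f.get("ouid")
        counts[(f.get("profile"), f["name"], f["denied_mask"], owner)] += 1
    return counts

def missing_perms(rule_line, denied_mask):
    """Permissions from denied_mask that a simple file rule does not grant."""
    granted = rule_line.strip().rstrip(",").split()[-1]
    return "".join(p for p in denied_mask
                   if p not in granted and not (p in W_IMPLIES and "w" in granted))

if __name__ == "__main__":
    for (profile, path, mask, owner), n in file_denials(SAMPLE).items():
        print(f"{n}x profile={profile} {'owner ' if owner else ''}{path} needs {mask}")
```

Run against the output of `dmesg` or the audit log after the test plan's `kea-lfc -d` step, an empty result from `file_denials` is the pass condition.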
