** Description changed:

  [ Impact ]

   * Apparmor denies access to lock the file /run/lock/kea/logger_lockfile which is used by kea internally for its logging system.
   * Since this is intended, allowing the "k" mask resolves the problem

  [ Test Plan ]

-  * install kea-dhcp4-server
-  * start kea-dhcp4-server.service
-  * execute the lease file cleanup service: kea-lfc -d
+  * install kea-dhcp4-server
+  * execute the lease file cleanup service:
+    sudo -u _kea KEA_LOCKFILE_DIR=/run/lock/kea kea-lfc -d -4 -x /var/lib/kea/kea-leases4.csv.2 -i /var/lib/kea/kea-leases4.csv.1 -o /var/lib/kea/kea-leases4.csv.output -f /var/lib/kea/kea-leases4.csv.completed -p /var/lib/kea/kea-leases4.csv.pid -c ignored-path
+  * observe errors:
+    * dmesg:
+      [ 3515.694149] audit: type=1400 audit(1757081326.248:132): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2423 comm="kea-lfc" requested_mask="k" denied_mask="k" fsuid=109 ouid=109
+
+    * kea-lfc stdout:
+      2025-09-05 16:08:46.247 ERROR [DhcpLFC/2423.135017416030656] Unable to lock logger lockfile
+      2025-09-05 16:08:46.247 INFO  [DhcpLFC/2423.135017416030656] LFC_START Starting lease file cleanup
+
+  * when fixed, observe no dmesg output and kea-lfc log is clean:
+      2025-09-05 16:09:17.756 INFO  [DhcpLFC/2431.133913692117440] LFC_START Starting lease file cleanup

  [ Where problems could occur ]

   * Since this is just a new permission allowed, regression potential is low.
   * Otherwise, there could be issues due to the update rollout/service restart.

  [ Other Info ]

   * Fixed in debian through https://salsa.debian.org/debian/isc-kea/-/merge_requests/62
+
+  * in a fresh noble installation, running standalone kea-lfc accesses /var/run/kea/logger_lockfile = /run/kea/logger_lockfile (due to /var/run -> /run) and the rule exists and is fine there.
+  * but kea-dhcp4-server.service has env KEA_LOCKFILE_DIR=/run/lock/kea set, and this location doesn't have the k-mask set for locking.
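An added example, not code from this bug report or from the isc-kea package, showing how to triage denials of this shape the way aa-logprof would: it parses the type=1400 audit records, compares the denied mask against the profile's existing rules for that path, and builds the widened rule the fix needs. The sample dmesg lines and the two lockfile rules are copied from this report; the `owner` qualifier is kept only when every denial shows fsuid equal to ouid.

```python
import re
from collections import defaultdict

# Matches the key="value" / key=value pairs of an AppArmor audit record.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Permission letters in the order AppArmor rules in this profile write them.
PERM_ORDER = "rwalkm"

# Constructed from the dmesg lines quoted in the original report.
SAMPLE_DMESG = """\
[Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
[Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
"""

# The two lockfile rules of the shipped kea-lfc profile before the fix.
PROFILE_RULES = {
    ("kea-lfc", "/run/kea/logger_lockfile"): "rwk",
    ("kea-lfc", "/run/lock/kea/logger_lockfile"): "rw",
}


def parse_denials(text):
    """Yield (profile, path, denied_mask, fsuid, ouid) for each DENIED file record."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line or 'class="file"' not in line:
            continue
        kv = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
        yield kv["profile"], kv["name"], kv["denied_mask"], kv["fsuid"], kv["ouid"]


def missing_permissions(text, rules):
    """Map (profile, path) -> permission letters denied but absent from `rules`."""
    missing = defaultdict(set)
    for profile, path, denied, _, _ in parse_denials(text):
        missing[(profile, path)] |= set(denied) - set(rules.get((profile, path), ""))
    return {key: perms for key, perms in missing.items() if perms}


def suggested_rule(text, rules, profile, path):
    """Return the existing rule widened by the denied letters, e.g. 'rw' -> 'rwk'."""
    denials = [d for d in parse_denials(text) if d[0] == profile and d[1] == path]
    owner_only = bool(denials) and all(fsuid == ouid for *_, fsuid, ouid in denials)
    wanted = set(rules.get((profile, path), ""))
    for d in denials:
        wanted |= set(d[2])
    perms = "".join(c for c in PERM_ORDER if c in wanted)
    return f"{'owner ' if owner_only else ''}{path} {perms},"
```

Re-running `missing_permissions` with the rule table updated to `rwk` returns an empty map, which is the same check the test plan's "no dmesg output" step performs by hand.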
[ Original report ]

Hi,

Seeing:

| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.039:12141): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.085:12143): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114

The AppArmor profile allows `file_lock` to `/run/kea/logger_lockfile` but not to `/run/lock/kea/logger_lockfile`.

Changing it to this fixes it for me:

```
diff --git a/apparmor.d/usr.sbin.kea-lfc b/apparmor.d/usr.sbin.kea-lfc
index ae165fa..11f6a92 100644
--- a/apparmor.d/usr.sbin.kea-lfc
+++ b/apparmor.d/usr.sbin.kea-lfc
@@ -11,7 +11,7 @@ profile kea-lfc /usr/sbin/kea-lfc {
   /usr/sbin/kea-lfc mr,
 
   owner /run/kea/logger_lockfile rwk,
-  owner /run/lock/kea/logger_lockfile rw,
+  owner /run/lock/kea/logger_lockfile rwk,
 
   # Control sockets
   # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both
```
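Review bot: the added `+  owner /run/lock/kea/logger_lockfile rwk,` line carries no comment saying why a second lockfile path needs the lock bit; the rule directly above it, `owner /run/kea/logger_lockfile rwk,`, already covers the default location, so a later maintainer could take the /run/lock/kea rule for a redundant leftover and drop it. The description records that kea-dhcp4-server.service sets KEA_LOCKFILE_DIR=/run/lock/kea, so a one-line comment above the rule, such as `# kea-dhcp4-server.service sets KEA_LOCKFILE_DIR=/run/lock/kea`, would preserve that reason in the profile itself. Keeping the `owner` qualifier is correct: every quoted denial shows fsuid=114 ouid=114, so the lockfile belongs to the confined user and the widening stays limited to the `k` bit.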
https://bugs.launchpad.net/bugs/2121327

Title: AppArmor missing file_lock for logger_lockfile
