[Bug 974054] Re: dhcpd attempts to use /var/run/dhcpd.pid, AppArmor errors

Adam Stokes adam.stokes at canonical.com
Tue May 15 19:31:08 UTC 2012


Attached debdiff for review and inclusion into Oneiric.

** Description changed:

+ SRU:
+ 
+ [Impact]
+ Anyone attempting to use isc-dhcp will fail to start if apparmor is enabled.
+ 
+ [Development Fix]
+ Addition to AppArmor rules for dhcp:
+  - allow writes to the compiled in default pid file
+  - allow reads to /var/lib/wicd/*
+ 
+ [Stable Fix]
+ Precise revision: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/isc-dhcp/precise/revision/45
+ Also attached debdiff for review and inclusion into Oneiric.
+ 
+ [Test Case]
+ Install isc-dhcp on Oneiric and attempt to run service through normal initialization routines.
+ 
+ [Regression Potential]
+ Regression is minimal since this only increases the scope of what is writeable and readable by dhcp service.
+ 
+ Bug Description:
  When starting isc-dhcp-server, the following appears in syslog:
  
  Apr  5 01:20:06 nibbler dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
  Apr  5 01:20:06 nibbler kernel: [293336.249992] type=1400 audit(1333614006.094:47): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/dhcpd" name="/run/dhcpd.pid" pid=12427 comm="dhcpd" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
  
  Even when adding to dhcpd.conf:
  
  pid-file-name "/var/run/dhcp-server/dhcpd.pid";
  
  it produces:
  
  Apr  5 01:33:39 nibbler kernel: [294149.878702] type=1400
  audit(1333614819.902:48): apparmor="DENIED" operation="open" parent=1
  profile="/usr/sbin/dhcpd" name="/run/dhcp-server/dhcpd.pid" pid=13392
  comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=107 ouid=107
  
  due to not having read access in the AppArmor profile:
  
-   /{,var/}run/dhcp-server/dhcpd{,6}.pid w,
+   /{,var/}run/dhcp-server/dhcpd{,6}.pid w,
  
  If this is truly where the pid should be, the compiled-in default should
  be changed, as well as the AppArmor profile tweaked for read access.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: isc-dhcp-server 4.1.ESV-R4-0ubuntu3
  ProcVersionSignature: Ubuntu 3.2.0-21.34-generic 3.2.13
  Uname: Linux 3.2.0-21-generic x86_64
  ApportVersion: 2.0-0ubuntu4
  Architecture: amd64
  Date: Thu Apr  5 01:22:25 2012
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Beta amd64 (20120229)
  ProcEnviron:
-  TERM=screen
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  TERM=screen
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  SourcePackage: isc-dhcp
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.dhcp.dhcpd.conf: [modified]
  mtime.conffile..etc.dhcp.dhcpd.conf: 2012-04-05T01:19:58.906748
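Review bot: The added [Development Fix] entry lists only write access to the compiled-in default pid file and read access to /var/lib/wicd/*, yet the unchanged bug text further down also reports a read denial (requested_mask="r") on /run/dhcp-server/dhcpd.pid, and no denial for /var/lib/wicd/* appears anywhere in the description. State in [Development Fix] whether the dhcp-server pid rule gains r as well, and say why the wicd read rule is needed, so that [Regression Potential] can be judged against the exact paths being opened up.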

** Patch added: "isc-dhcp_4.1.1-P1-17ubuntu10.2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/974054/+attachment/3148145/+files/isc-dhcp_4.1.1-P1-17ubuntu10.2.debdiff

Title:
  dhcpd attempts to use /var/run/dhcpd.pid, AppArmor errors

Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” source package in Oneiric:
  New

Bug description:
  SRU:

  [Impact]
  isc-dhcp will fail to start for anyone attempting to use it if AppArmor is enabled.

  [Development Fix]
  Addition to AppArmor rules for dhcp:
   - allow writes to the compiled-in default pid file
   - allow reads to /var/lib/wicd/*

  [Stable Fix]
  Precise revision: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/isc-dhcp/precise/revision/45
  Also attached debdiff for review and inclusion into Oneiric.

  [Test Case]
  Install isc-dhcp on Oneiric and attempt to run the service through normal initialization routines.

  [Regression Potential]
  Regression is minimal since this only increases the scope of what is writeable and readable by the dhcp service.

  Bug Description:
  When starting isc-dhcp-server, the following appears in syslog:

  Apr  5 01:20:06 nibbler dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
  Apr  5 01:20:06 nibbler kernel: [293336.249992] type=1400 audit(1333614006.094:47): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/dhcpd" name="/run/dhcpd.pid" pid=12427 comm="dhcpd" requested_mask="c" denied_mask="c" fsuid=107 ouid=107

  Even when adding to dhcpd.conf:

  pid-file-name "/var/run/dhcp-server/dhcpd.pid";

  it produces:

  Apr  5 01:33:39 nibbler kernel: [294149.878702] type=1400 audit(1333614819.902:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dhcpd" name="/run/dhcp-server/dhcpd.pid" pid=13392 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=107 ouid=107

  due to not having read access in the AppArmor profile:

    /{,var/}run/dhcp-server/dhcpd{,6}.pid w,

  If this is truly where the pid should be, the compiled-in default
  should be changed, as well as the AppArmor profile tweaked for read
  access.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: isc-dhcp-server 4.1.ESV-R4-0ubuntu3
  ProcVersionSignature: Ubuntu 3.2.0-21.34-generic 3.2.13
  Uname: Linux 3.2.0-21-generic x86_64
  ApportVersion: 2.0-0ubuntu4
  Architecture: amd64
  Date: Thu Apr  5 01:22:25 2012
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Beta amd64 (20120229)
  ProcEnviron:
   TERM=screen
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: isc-dhcp
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.dhcp.dhcpd.conf: [modified]
  mtime.conffile..etc.dhcp.dhcpd.conf: 2012-04-05T01:19:58.906748

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/974054/+subscriptions
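
The triage described in the bug report (matching each AppArmor denial against the profile rule to see what is missing) can be scripted. This is an added example, not part of the original message or of the isc-dhcp packaging; the function names are hypothetical, and it handles only the `{a,b}` alternation used by the quoted rule, not `*` or `**` globs.

```python
import re

# Constructed from the two kernel audit lines quoted in the bug description.
DENIALS = [
    'type=1400 audit(1333614006.094:47): apparmor="DENIED" operation="mknod" '
    'parent=1 profile="/usr/sbin/dhcpd" name="/run/dhcpd.pid" pid=12427 '
    'comm="dhcpd" requested_mask="c" denied_mask="c" fsuid=107 ouid=107',
    'type=1400 audit(1333614819.902:48): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/dhcpd" name="/run/dhcp-server/dhcpd.pid" '
    'pid=13392 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=107 ouid=107',
]
# The profile rule quoted in the bug description.
RULE = "/{,var/}run/dhcp-server/dhcpd{,6}.pid w,"

# Audit masks c (create), d (delete) and a (append) are granted by profile "w".
MASK_TO_PERM = {"c": "w", "d": "w", "a": "w"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    fields = {key: quoted or bare for key, quoted, bare in pairs}
    return fields if fields.get("apparmor") == "DENIED" else None

def expand_braces(pattern):
    """Expand {a,b} alternations into the set of literal paths they cover."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return {pattern}
    out = set()
    for alt in m.group(1).split(","):
        out |= expand_braces(pattern[:m.start()] + alt + pattern[m.end():])
    return out

def missing_perms(line, rule):
    """Permissions the rule lacks for this denial; None if the path is not covered."""
    denial = parse_denial(line)
    path, perms = rule.strip().rstrip(",").split()
    if denial is None or denial["name"] not in expand_braces(path):
        return None
    needed = {MASK_TO_PERM.get(c, c) for c in denial["denied_mask"]}
    return needed - set(perms)

def needed_rule(line):
    """Narrowest profile rule that would have allowed the denied access."""
    denial = parse_denial(line)
    perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in denial["denied_mask"]}))
    return f'{denial["name"]} {perms},'

if __name__ == "__main__":
    for line in DENIALS:
        print(needed_rule(line), "| missing from quoted rule:", missing_perms(line, RULE))
```

The first denial falls outside the quoted rule entirely, so it needs a new path rule; the second is covered by the rule's path but lacks `r`.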



