[Bug 1654624] Re: dhcp apparmor profile complains about lxd client

Stéphane Graber stgraber at stgraber.org
Sat Jan 28 04:03:14 UTC 2017 

Removing the LXD task, this is yet another apparmor bug from the
apparmor stacking/namespacing change which was backported to Xenial.

Basically, dhclient is now being confined by apparmor inside the
container, unfortunately, apparmor doesn't behave in the exact same way
when it's interpreting a profile as part of a stack vs as the single
profile in the stack (on the host).

We've seen a number of file_perm and related issue show up, typically
related to permissions to access the failing binary itself. Though in
this case, the path does seem a bit weirder?

Anyway, not a LXD bug but an apparmor one. I'm sure John will have an
idea of what's going on here :)

** No longer affects: lxd (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1654624

Title:
  dhcp apparmor profile complains about lxd client

Status in apparmor package in Ubuntu:
  New
Status in isc-dhcp package in Ubuntu:
  Incomplete

Bug description:
  Hi,

  strange problem recently occured:

  I'm having some ubuntu machines running in LXD (nothing unusual, just
  based on the regular ubuntu LXD images) on a ubuntu host. Worked well
  for some time.

  But now the host generates messages like


  Jan  6 19:17:05 monstrum kernel: [ 1063.263531] audit: type=1400
  audit(1483726625.388:247): apparmor="DENIED" operation="file_perm"
  namespace="root//lxd-rackadmin_<var-lib-lxd>" profile="/sbin/dhclient"
  name="/apparmor/.null" pid=5125 comm="dhclient" requested_mask="w"
  denied_mask="w" fsuid=165536 ouid=0

  
  in /var/log/kern.log. 

  For some reason the apparmor running on the host interferes with the
  containers.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: isc-dhcp-client 4.3.3-5ubuntu12.6
  ProcVersionSignature: Ubuntu 4.4.0-57.78-generic 4.4.35
  Uname: Linux 4.4.0-57-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.4
  Architecture: amd64
  CurrentDesktop: LXDE
  Date: Fri Jan  6 19:19:12 2017
  SourcePackage: isc-dhcp
  UpgradeStatus: Upgraded to xenial on 2016-04-06 (275 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1654624/+subscriptions

More information about the foundations-bugs mailing list