[Bug 2011628] Re: Apparmor Disallows Disabling Dhclient Scripts

[Tired Sysadmin]

> Cloud-init users on these releases that wish to see no apparmour warnings might locally include this rule themselves via:
>
> echo " /bin/true Uxr," > /etc/apparmor.d/local/sbin.dhclient

Note for other users finding their way here via googling for error
messages:  On jammy (22.04) at least, you will need to account for /bin
being a symlink to /usr/bin, and thus the line becomes (following the
standard brace syntax and also the ordering conventions in the default
apparmor profiles):

echo ' /{,usr/}bin/true Uxr,' > /etc/apparmor.d/local/sbin.dhclient

This will silence the execve warnings in 22.04.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/2011628

Title:
  Apparmor Disallows Disabling Dhclient Scripts

Status in isc-dhcp package in Ubuntu:
  Fix Released
Status in isc-dhcp source package in Focal:
  New
Status in isc-dhcp source package in Jammy:
  New
Status in isc-dhcp source package in Lunar:
  New
Status in isc-dhcp package in Debian:
  New

Bug description:
  In some cases, it may be desirable to disable dhclient scripts. By
  default /sbin/dhclient-script is used, and some others are allowed by
  the apparmor profile.

  Without Apparmor, disabling hook scripts can be accomplished with
  flags -sf /bin/true, but with apparmor enabled this gets blocked:

  execve (/bin/true, ...): Permission denied

  Unfortunately dhclient doesn't appear to provide any other mechanism
  for disabling hook scripts.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2011628/+subscriptions