[Bug 2083017] [NEW] network-manager changed path to nm-dhcp-helper, apparmor need update

Fri Sep 27 10:28:24 UTC 2024

Public bug reported:

>From the Debian Bug report logs - #1055067
isc-dhcp-client: network-manager 1.44.2-3 changed path to nm-dhcp-helper, apparmor need update

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055067

The problem causes the DHCP fail to receive the IP with this error in
the dmesg command:

[ 1037.911083] audit: type=1400 audit(1727430402.572:1355):
apparmor="DENIED" operation="exec" class="file"
profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper"
pid=6763 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0
ouid=0

The /etc/apparmor.d/sbin.dhclient file needs to be updated to include
the /usr/libexec/nm-dhcp-helper (instead of /usr/lib/NetworkManager/nm-
dhcp-helper). Just in case, to solve it, I duplicated the definitions
for the NetworkManager/nm-dhcp-helper.

FILE: /etc/apparmor.d/sbin.dhclient

....
  # Support the new executable helper from NetworkManager.
  /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
  signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
  /usr/libexec/nm-dhcp-helper          Pxrm,
  signal (receive) peer=/usr/libexec/nm-dhcp-helper,
....
/usr/lib/NetworkManager/nm-dhcp-helper {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/NetworkManager/nm-dhcp-helper mr,

  /run/NetworkManager/private-dhcp rw,
  signal (send) peer=/sbin/dhclient,

  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  network inet dgram,
  network inet6 dgram,
}

/usr/libexec/nm-dhcp-helper {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/libexec/nm-dhcp-helper mr,

  /run/NetworkManager/private-dhcp rw,
  signal (send) peer=/sbin/dhclient,

  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  network inet dgram,
  network inet6 dgram,
}
....

** Affects: isc-dhcp (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: patch-forwarded-debian

** Summary changed:

- sc-dhcp-client: network-manager changed path to nm-dhcp-helper, apparmor need update
+ network-manager changed path to nm-dhcp-helper, apparmor need update

** Description changed:

- 
  From the Debian Bug report logs - #1055067
  isc-dhcp-client: network-manager 1.44.2-3 changed path to nm-dhcp-helper, apparmor need update

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055067

  The problem causes the DHCP fail to receive the IP with this error in
  the dmesg command:

  [ 1037.911083] audit: type=1400 audit(1727430402.572:1355):
  apparmor="DENIED" operation="exec" class="file"
  profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper"
  pid=6763 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0
  ouid=0

  The /etc/apparmor.d/sbin.dhclient file needs to be updated to include
  the /usr/libexec/nm-dhcp-helper (instead of /usr/lib/NetworkManager/nm-
  dhcp-helper). Just in case, to solve it, I duplicated the definitions
  for the NetworkManager/nm-dhcp-helper.

- 
  FILE: /etc/apparmor.d/sbin.dhclient

  ....
-   # Support the new executable helper from NetworkManager.
-   /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
-   signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
-   /usr/libexec/nm-dhcp-helper          Pxrm,
-   signal (receive) peer=/usr/libexec/nm-dhcp-helper,
+   # Support the new executable helper from NetworkManager.
+   /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
+   signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
+   /usr/libexec/nm-dhcp-helper          Pxrm,
+   signal (receive) peer=/usr/libexec/nm-dhcp-helper,
  ....
+ /usr/lib/NetworkManager/nm-dhcp-helper {
+   #include <abstractions/base>
+   #include <abstractions/dbus>
+   /usr/lib/NetworkManager/nm-dhcp-helper mr,
+ 
+   /run/NetworkManager/private-dhcp rw,
+   signal (send) peer=/sbin/dhclient,
+ 
+   /var/lib/NetworkManager/*lease r,
+   signal (receive) peer=/usr/sbin/NetworkManager,
+   ptrace (readby) peer=/usr/sbin/NetworkManager,
+   network inet dgram,
+   network inet6 dgram,
+ }
+ 
  /usr/libexec/nm-dhcp-helper {
    #include <abstractions/base>
    #include <abstractions/dbus>
    /usr/libexec/nm-dhcp-helper mr,

    /run/NetworkManager/private-dhcp rw,
    signal (send) peer=/sbin/dhclient,

    /var/lib/NetworkManager/*lease r,
    signal (receive) peer=/usr/sbin/NetworkManager,
    ptrace (readby) peer=/usr/sbin/NetworkManager,
    network inet dgram,
    network inet6 dgram,
  }
  ....

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/2083017

Title:
  network-manager changed path to nm-dhcp-helper, apparmor need update

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  From the Debian Bug report logs - #1055067
  isc-dhcp-client: network-manager 1.44.2-3 changed path to nm-dhcp-helper, apparmor need update

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055067

  The problem causes the DHCP fail to receive the IP with this error in
  the dmesg command:

  [ 1037.911083] audit: type=1400 audit(1727430402.572:1355):
  apparmor="DENIED" operation="exec" class="file"
  profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper"
  pid=6763 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0
  ouid=0

  The /etc/apparmor.d/sbin.dhclient file needs to be updated to include
  the /usr/libexec/nm-dhcp-helper (instead of
  /usr/lib/NetworkManager/nm-dhcp-helper). Just in case, to solve it, I
  duplicated the definitions for the NetworkManager/nm-dhcp-helper.

  FILE: /etc/apparmor.d/sbin.dhclient

  ....
    # Support the new executable helper from NetworkManager.
    /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
    signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
    /usr/libexec/nm-dhcp-helper          Pxrm,
    signal (receive) peer=/usr/libexec/nm-dhcp-helper,
  ....
  /usr/lib/NetworkManager/nm-dhcp-helper {
    #include <abstractions/base>
    #include <abstractions/dbus>
    /usr/lib/NetworkManager/nm-dhcp-helper mr,

    /run/NetworkManager/private-dhcp rw,
    signal (send) peer=/sbin/dhclient,

    /var/lib/NetworkManager/*lease r,
    signal (receive) peer=/usr/sbin/NetworkManager,
    ptrace (readby) peer=/usr/sbin/NetworkManager,
    network inet dgram,
    network inet6 dgram,
  }

  /usr/libexec/nm-dhcp-helper {
    #include <abstractions/base>
    #include <abstractions/dbus>
    /usr/libexec/nm-dhcp-helper mr,

    /run/NetworkManager/private-dhcp rw,
    signal (send) peer=/sbin/dhclient,

    /var/lib/NetworkManager/*lease r,
    signal (receive) peer=/usr/sbin/NetworkManager,
    ptrace (readby) peer=/usr/sbin/NetworkManager,
    network inet dgram,
    network inet6 dgram,
  }
  ....

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2083017/+subscriptions