[Bug 400349] Re: dhclient-script fails with apparmor

John Johansen john.johansen at canonical.com
Fri Jul 17 09:14:34 BST 2009


I took a look at this and it is behaving correctly, though I haven't
established whether it is due to a deviation in AppArmor's behavior, the
scripts or both.  The executable /sbin/dhclient3 does a Px transition
(as specified in its profile) to /sbin/dhclient-script.

  /sbin/dhclient-script                           Pxr,

The transition can be seen by putting the /sbin/dhclient3 profile into audit mode:

type=APPARMOR_AUDIT msg=audit(1247815097.686:61): operation="exec" pid=4152 comm="dhclient3" parent=4151 profile="/sbin/dhclient3" requested_mask="x::" fsuid=0 ouid=0 name="/sbin/dhclient-script"

The /sbin/dhclient-script then attempts to open the following 2 files without doing an exec to bash:

type=APPARMOR_DENIED msg=audit(1247815097.690:62): operation="open" pid=4152 comm="dhclient-script" parent=4151 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ld.so.cache"
type=APPARMOR_DENIED msg=audit(1247816247.944:89): operation="open" pid=4400 comm="dhclient-script" parent=4399 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/lib/libncurses.so.5.7"

Putting the /sbin/dhclient-script into audit mode doesn't show up any
more accesses.  I threw in some debugging to verify the reported
behavior matches what is going on internally and it does.

AppArmor's behavior for scripts is that it will attach the profile to
the script if it is directly invoked.  In this case invoking
/sbin/dhclient-script will cause dhclient-script to be confined by
AppArmor even though it is a bash script.  If the script is indirectly
invoked through bash, then the bash profile (if it exists) would be used.

-- 
dhclient-script fails with apparmor
https://bugs.launchpad.net/bugs/400349
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dhcp3 in ubuntu.
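
Added example, not part of the original message or of AppArmor's own tooling: a short Python parser for the three audit records quoted in the message, listing the audited exec transition and grouping the denied opens by the profile that confined them. Reading the letters before "::" in denied_mask as the denied permissions is an assumption based on the records shown, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Audit records copied verbatim from the message above.
SAMPLE = [
    'type=APPARMOR_AUDIT msg=audit(1247815097.686:61): operation="exec" pid=4152 comm="dhclient3" parent=4151 profile="/sbin/dhclient3" requested_mask="x::" fsuid=0 ouid=0 name="/sbin/dhclient-script"',
    'type=APPARMOR_DENIED msg=audit(1247815097.690:62): operation="open" pid=4152 comm="dhclient-script" parent=4151 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ld.so.cache"',
    'type=APPARMOR_DENIED msg=audit(1247816247.944:89): operation="open" pid=4400 comm="dhclient-script" parent=4399 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/lib/libncurses.so.5.7"',
]

# key=value, where the value is either "quoted" or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse(line):
    """Split one audit record into a dict of its fields, unquoting values."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD.findall(line)}


def exec_transitions(records):
    """(profile doing the exec, exec target) for each audited exec record."""
    return [(r["profile"], r["name"]) for r in records
            if r["type"] == "APPARMOR_AUDIT" and r.get("operation") == "exec"]


def denied_by_profile(records):
    """Group denials by confining profile, written as 'path perms,' lines."""
    grouped = defaultdict(set)
    for r in records:
        if r["type"] != "APPARMOR_DENIED":
            continue
        # Assumption: the letters before '::' are the denied permissions.
        perms = r["denied_mask"].split("::")[0]
        grouped[r["profile"]].add(f'{r["name"]} {perms},')
    return {profile: sorted(lines) for profile, lines in grouped.items()}


RECORDS = [parse(line) for line in SAMPLE]

if __name__ == "__main__":
    for source, target in exec_transitions(RECORDS):
        print(f"exec under profile {source} -> {target}")
    for profile, lines in denied_by_profile(RECORDS).items():
        print(f"denied while confined by {profile}:")
        for line in lines:
            print(f"  {line}")
```

The denials are logged under profile /sbin/dhclient-script with comm dhclient-script, which is the direct-invocation behavior the message describes; the grouped lines are candidates to review against that profile, not a stated fix.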


