touch-packages team mailing list archive

[Bug 1438249] Re: /sbin/dhclient is unconfined after switch to systemd (aka, equivalent of upstart's network-interface-security.conf not implemented)

 

As far as historical context for network-interface-security.conf, it is
all about loading the profiles that the symlinks in
/etc/apparmor/init/network-interface-security/* point to in time.
Looking at a 14.10 system, I see that there are two things there:
sbin.dhclient and usr.sbin.ntpd. This suggests to me that Martin's
approach of changing the dependencies is best. That said, I'm not yet
incredibly familiar with systemd boot ordering -- it sounds like you are
saying that ifup@.service will always run before networking comes up or
NetworkManager. Therefore if we change ifup@.service to use
After=apparmor.service, then this sounds sufficient. In terms of user
experience when the cache is invalidated, it only shifts the policy
recompilation earlier (i.e., the boot speed to login remains the same).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1438249

Title:
  /sbin/dhclient is unconfined after switch to systemd (aka, equivalent
  of upstart's network-interface-security.conf not implemented)

Status in ifupdown package in Ubuntu:
  Triaged
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  dhclient is starting before the apparmor profile for it is loaded
  which results in the following output from aa-status:

  $ sudo aa-status
  ...
  4 profiles are in enforce mode.
     /sbin/dhclient
  ...
  1 processes are unconfined but have a profile defined.
     /sbin/dhclient (634)

  Upstart had the network-interface-security.conf job to make sure this
  didn't happen. We wanted the cache loading library to be implemented
  in time (bug #1385414), but it still hasn't landed. Having the cache
  loading library in place would mean that this bug would also be fixed,
  but now we need to fix this bug differently for 15.04 and it must be
  fixed by release.
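
An added example (not part of the bug report or of any Ubuntu package): a POSIX shell check that parses aa-status output for the "unconfined but have a profile defined" section shown in the bug description, so the condition can be detected after boot. The sample output, including the ntpd entry and its PID, is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag processes that aa-status lists as running unconfined
# although a profile is defined for them (the dhclient symptom in this bug).

# Reads aa-status text on stdin; prints "<pid> <path>" per affected process.
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { in_sec = 1; next }
        in_sec && /^[ \t]+[^ \t]/ {
            pid = $NF; gsub(/[()]/, "", pid)          # "(634)" -> "634"
            path = $0
            sub(/^[ \t]+/, "", path)                  # drop the indentation
            sub(/[ \t]+\([0-9]+\)[ \t]*$/, "", path)  # drop the trailing "(pid)"
            print pid, path
            next
        }
        { in_sec = 0 }   # any non-indented line ends the section
    '
}

# Returns 0 when nothing is unconfined, 1 otherwise, with one line per finding.
check_confinement() {
    hits=$(unconfined_with_profile)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while read -r pid path; do
        echo "UNCONFINED: $path (pid $pid) has a profile but is not confined by it"
    done
    return 1
}

# Constructed sample in aa-status layout (on a live system: sudo aa-status).
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/ntpd
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (812)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /sbin/dhclient (634)'

printf '%s\n' "$SAMPLE_AA_STATUS" | check_confinement || true
```

A non-zero return from check_confinement after boot means some process was started without its profile attached, which is the ordering problem described above.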
