
touch-packages team mailing list archive

[Bug 1417658] Re: apparmor denied operation file_inherit from networkmanager when using HWE kernel

 

This bug is imho not fixed for my Ubuntu 14.04.2 LTS Server with this
current "fixed" version of isc-dhcp-server 4.2.4-7ubuntu12.1.

I assume the lease file can't be rotated because it's owned by root.

# ls -la /var/lib/dhcp
total 24
5374571 drwxr-xr-x  2 root  root  4096 Apr 19 14:54 .
5374092 drwxr-xr-x 92 root  root  4096 Apr  4 17:31 ..
5374293 -rw-r--r--  1 root  root  6319 Apr 19 14:54 dhcpd.leases
5379328 -rw-r--r--  1 root  root  6319 Apr 19 14:53 dhcpd.leases~


It also occurs after a restart of isc-dhcp-server.
The only quick solution for me was to add a "chown .." in the /etc/init.d/isc-dhcp-server start script (at the end of the start/stop/restart sections), i.e. to prevent overwrites during process starts:

	restart | force-reload)
		test_config
		$0 stop
		sleep 2
		$0 start
		if [ "$?" != "0" ]; then
			exit 1
		fi
		chown dhcpd /var/lib/dhcp/*
		;;


Additionally, I changed "chown root:root" to "chown dhcpd:dhcpd" in the file /etc/init/isc-dhcp-server.conf:

    # Allow dhcp server to write lease and pid file as 'dhcpd' user
    mkdir -p /var/run/dhcp-server
    chown dhcpd:dhcpd /var/run/dhcp-server

    # The leases files need to be root:root even when dropping privileges
    [ -e /var/lib/dhcp/dhcpd.leases ] || touch /var/lib/dhcp/dhcpd.leases
    #chown root:root /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
    chown dhcpd:dhcpd /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
    if [ -e /var/lib/dhcp/dhcpd.leases~ ]; then
        #chown root:root /var/lib/dhcp/dhcpd.leases~
        chown dhcpd:dhcpd /var/lib/dhcp/dhcpd.leases~
    fi


The properties of the affected Ubuntu system (dhclient is disabled):

# dpkg -l |grep isc-dhcp-server
ii  isc-dhcp-server  4.2.4-7ubuntu12.1  amd64  ISC DHCP server for automatic IP address assignment

# uname -a
Linux gandalf 3.13.0-49-generic #83-Ubuntu SMP Fri Apr 10 20:11:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/issue
Ubuntu 14.04.2 LTS \n \l

The AppArmor config looks like:

# grep leases /etc/apparmor.d/usr.sbin.dhcpd 
  /var/lib/dhcp/dhcpd{,6}.leases* lrw,
  /etc/dhcpd{,6}.leases* lrw,
  /{,var/}run/eucalyptus/net/*.leases* lrw,


# tail -f syslog
Apr 19 16:51:06 gandalf dhcpd: Wrote 24 leases to leases file.
Apr 19 16:51:06 gandalf dhcpd: Can't backup lease database /var/lib/dhcp/dhcpd.leases to /var/lib/dhcp/dhcpd.leases~: Operation not permitted
Apr 19 16:51:06 gandalf dhcpd: Added reverse map from 10.2.10.10.in-addr.arpa. to lab-01.lab.foo.bar.
Apr 19 16:51:06 gandalf kernel: [14157.954888] audit_printk_skb: 57 callbacks suppressed
Apr 19 16:51:06 gandalf kernel: [14157.954892] type=1702 audit(1429455066.150:174): op=linkat ppid=1 pid=2240 auid=4294967295 uid=121 gid=130 euid=121 suid=121 fsuid=121 egid=130 sgid=130 fsgid=130 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" res=0
Apr 19 16:51:06 gandalf kernel: [14157.954899] type=1302 audit(1429455066.150:175): item=0 name="/var/lib/dhcp/dhcpd.leases" inode=5375035 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

# tail -f /var/log/kern.log
Apr 19 16:51:06 gandalf kernel: [14157.954892] type=1702 audit(1429455066.150:174): op=linkat ppid=1 pid=2240 auid=4294967295 uid=121 gid=130 euid=121 suid=121 fsuid=121 egid=130 sgid=130 fsgid=130 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" res=0
Apr 19 16:51:06 gandalf kernel: [14157.954899] type=1302 audit(1429455066.150:175): item=0 name="/var/lib/dhcp/dhcpd.leases" inode=5375035 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1417658
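The type=1702/type=1302 pair in the kernel log above is the kernel's fs.protected_hardlinks check (AUDIT_ANOM_LINK plus the PATH record) refusing dhcpd's hard link of dhcpd.leases to dhcpd.leases~: the file is root-owned 0644 and dhcpd runs as uid 121, so it is neither the owner nor able to write the file. The Python below is an added example, not code from the bug report or the isc-dhcp package; it reimplements that kernel test for an unprivileged caller (CAP_FOWNER and supplementary groups are ignored, an assumption made for brevity), parses the two audit records quoted in the comment, and shows why the "chown dhcpd" workaround clears the denial.

```python
# Added example (not from the bug report or the isc-dhcp package): explains a
# fs.protected_hardlinks denial from the type=1702 / type=1302 audit record pair.
import re
import stat

# Two records copied from the kernel log in the comment above.
ANOM_LINK = ('type=1702 audit(1429455066.150:174): op=linkat ppid=1 pid=2240 '
             'auid=4294967295 uid=121 gid=130 euid=121 suid=121 fsuid=121 '
             'egid=130 sgid=130 fsgid=130 tty=(none) ses=4294967295 '
             'comm="dhcpd" exe="/usr/sbin/dhcpd" res=0')
AUDIT_PATH = ('type=1302 audit(1429455066.150:175): item=0 '
              'name="/var/lib/dhcp/dhcpd.leases" inode=5375035 dev=08:01 '
              'mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL')

AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}


def may_hardlink(fsuid, fsgid, ouid, ogid, mode, protected=True):
    """Mirror of the kernel's may_linkat()/safe_hardlink_source() for an
    unprivileged caller (no CAP_FOWNER; supplementary groups ignored).
    With fs.protected_hardlinks=1 the caller must own the source, or it must
    be a regular, non-setuid file the caller can both read and write."""
    if not protected or fsuid == ouid:
        return True
    if not stat.S_ISREG(mode) or mode & stat.S_ISUID:
        return False
    if (mode & (stat.S_ISGID | stat.S_IXGRP)) == (stat.S_ISGID | stat.S_IXGRP):
        return False  # executable setgid files are never a safe source
    # Not the owner: group bits apply if the group matches, otherwise other bits.
    need = (stat.S_IROTH | stat.S_IWOTH) << (3 if fsgid == ogid else 0)
    return (mode & need) == need


def explain_link_denial(anom_line, path_line):
    """Join an ANOM_LINK record with its PATH record and re-run the check."""
    a, p = parse_audit(anom_line), parse_audit(path_line)
    fsuid, fsgid = int(a['fsuid']), int(a['fsgid'])
    ouid, ogid, mode = int(p['ouid']), int(p['ogid']), int(p['mode'], 8)
    return {'comm': a['comm'], 'name': p['name'], 'fsuid': fsuid,
            'ouid': ouid, 'mode': oct(mode & 0o7777),
            'allowed': may_hardlink(fsuid, fsgid, ouid, ogid, mode)}
```

With the records from the comment, explain_link_denial() reports allowed=False for uid 121 against the root-owned 0644 file; once the lease file is owned by dhcpd (the workaround's chown), or is group- or world-writable, the same check passes, which is why the "Can't backup lease database" message disappears.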

Title:
  apparmor denied operation file_inherit from networkmanager when using
  HWE kernel

Status in isc-dhcp package in Ubuntu:
  Fix Released
Status in isc-dhcp source package in Trusty:
  Fix Released
Status in isc-dhcp source package in Vivid:
  Fix Released

Bug description:
  [Impact]
  AppArmor denials appear in dhclient when using the HWE kernel on 14.04. This can result in incorrect dhcp operation on client systems. The fix is to add these rules:
    network inet dgram,
    network inet6 dgram,

  to the dhclient profile for nm-dhcp-client.action and dhclient-script,
  like we did in 4.2.4-7ubuntu14.

  [Test Case]
  Install HWE kernel and use network manager to obtain an IP address.

  [Regression Potential]
  Extremely low since the update only adds access that dhclient didn't have.

  Original description:

  Hello,

  on Kubuntu 14.04.x dmesg shows me the following AppArmor messages:

  Is this normal, or is this a security issue together with network-
  manager?

  [   16.171766] audit: type=1400 audit(1422595680.679:68): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2229 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   16.171772] audit: type=1400 audit(1422595680.679:69): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2229 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
  [   16.199936] audit: type=1400 audit(1422595680.707:70): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2246 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   16.199943] audit: type=1400 audit(1422595680.707:71): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2246 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
  [   16.201369] audit: type=1400 audit(1422595680.707:72): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2248 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   16.201379] audit: type=1400 audit(1422595680.707:73): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2248 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
  [   17.206342] audit: type=1400 audit(1422595681.711:74): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2468 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   17.206349] audit: type=1400 audit(1422595681.711:75): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2468 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17

  When I log on to KDE, KDE sometimes hangs for 3 sec at the login
  process when there is no internet connection (the DSL modem has not
  dialed in yet).

  Thanks for your help!
  Best regards, Bernhard

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1417658/+subscriptions
