unsafe hardlink restrictions deny lease backup
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| isc-dhcp (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Occasionally, I see this in my logs:
Feb 4 02:27:07 giskard2 dhcpd[11485]: Can't backup lease database /var/lib/
Feb 4 02:27:07 giskard2 kernel: [237980.192671] audit: type=1702 audit(151771122
sgid=121 fsgid=121 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/
Feb 4 02:27:07 giskard2 kernel: [237980.192686] audit: type=1302 audit(151771122
rdev=00:00 nametype=NORMAL cap_fp=
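Essentially, this indicates that the AppArmor profile has declined to allow a backup leases file to be created. However, the file does appear to be created. I am unsure why the message is being logged (is the file being created correctly? -- I do not know enough about dhcpd to tell). Note that the profile shown below is loaded with flags=(complain), and the audit records above are type=1702 and type=1302 rather than AppArmor's type=1400, so the denial more likely comes from the kernel's hardlink restrictions than from the profile.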
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
# dpkg -l | grep dhcp
ii isc-dhcp-client 4.3.3-5ubuntu12.7 amd64 DHCP client for automatically obtaining an IP address
ii isc-dhcp-common 4.3.3-5ubuntu12.7 amd64 common files used by all of the isc-dhcp packages
ii isc-dhcp-server 4.3.3-5ubuntu12.7 amd64 ISC DHCP server for automatic IP address assignment
ii wide-dhcpv6-client 20080615-16 amd64 DHCPv6 client for automatic IPv6 hosts configuration
# dpkg -l | grep apparmor
ii apparmor 2.10.95-0ubuntu2.7 amd64 user-space parser utility for AppArmor
ii apparmor-utils 2.10.95-0ubuntu2.7 amd64 utilities for controlling AppArmor
ii libapparmor-perl 2.10.95-0ubuntu2.7 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.10.95-0ubuntu2.7 amd64 changehat AppArmor library
ii python3-apparmor 2.10.95-0ubuntu2.7 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.10.95-0ubuntu2.7 amd64 AppArmor library Python3 bindings
# ls -la /var/lib/dhcp
total 16
drwxrwsr-x 2 root dhcpd 4096 Feb 5 01:57 .
drwxr-xr-x 52 root root 4096 Oct 3 2016 ..
-rw-r--r-- 1 root dhcpd 1003 Feb 5 02:27 dhcpd.leases
-rw-r--r-- 1 root dhcpd 1631 Feb 5 01:57 dhcpd.leases~
# find /etc/apparmor
/etc/apparmor
/etc/apparmor/init
/etc/apparmor/
/etc/apparmor/
/etc/apparmor/
/etc/apparmor/
/etc/apparmor/
/etc/apparmor/
/etc/apparmor/
# find /etc/apparmor.d/
/etc/apparmor.d/
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
# find /etc/apparmor.d/ | grep dhcp | xargs md5sum
accd0d7b6bf25c5
d22e7d0dd047de4
md5sum: /etc/apparmor.
3f688104e7f181e
# ls -l /etc/apparmor.
total 0
# cat /etc/apparmor.
# Site-specific additions and overrides for usr.sbin.dhcpd.
# For more details, please see /etc/apparmor.
# diff -u /etc/apparmor.
Binary files /etc/apparmor.
# cat /etc/apparmor.
# vim:syntax=apparmor
# Last Modified: Mon Jan 25 11:06:45 2016
# Author: Jamie Strandboge <email address hidden>
#include <tunables/global>
/usr/sbin/dhcpd flags=(complain) {
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
capability chown,
capability net_bind_service,
capability net_raw,
capability setgid,
capability setuid,
network inet raw,
network packet packet,
network packet raw,
@{PROC}
@{PROC}
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/dhcp/ r,
/etc/dhcp/** r,
/etc/
/etc/
/usr/sbin/dhcpd mr,
/var/
/var/log/ r,
/var/log/** rw,
/{,var/
# isc-dhcp-
/etc/
# LTSP. See:
# http://
# https:/
/etc/ltsp/ r,
/etc/ltsp/** r,
/etc/
/etc/
/ltsp/ r,
/ltsp/** r,
# Eucalyptus
/{,var/
/{,var/
/{,var/
/{,var/
/{,var/
# wicd
/var/lib/wicd/* r,
# access to bind9 keys for dynamic update
# It's expected that users will generate one key per zone and have it
# stored in both /etc/bind9 (for bind to access) and /etc/dhcp/ddns-keys
# (for dhcpd to access).
/etc/
# allow packages to re-use dhcpd and provide their own specific directories
#include <dhcpd.d>
# Site-specific additions and overrides. See local/README for details.
#include <local/
}
summary: |
- apparmor rules deny lease backup + unsafe hardlink restrictions deny lease backup |
This problem looks very similar to https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1543794