> Please do follow up to this bug if you figure out something more about
> this issue: if there's a bug in the apparmor profile we want to fix it
> sooner than later.

OK. Do it again:

1)  Purge kea-dhcp4-server from the system to ensure a clean install
# apt-get purge kea-dhcp4-server

2) Ensure there is no apparmor profile left:
# ls -l /etc/apparmor.d/
insgesamt 88
drwxr-xr-x 2 root root   95 15. Feb 08:03 abi
drwxr-xr-x 4 root root 4096 27. Feb 07:51 abstractions
drwxr-xr-x 2 root root    6 18. Mär 2018  force-complain
drwxr-xr-x 2 root root 4096 27. Feb 07:51 libvirt
drwxr-xr-x 3 root root 4096  8. Mär 19:40 local
-rw-r--r-- 1 root root 1379 14. Feb 12:49 lsb_release
-rw-r--r-- 1 root root 1189  3. Sep 2021  nvidia_modprobe
drwxr-xr-x 2 root root    6 26. Feb 2019  samba
-rw-r--r-- 1 root root 3461  9. Jan 09:25 sbin.dhclient
drwxr-xr-x 5 root root  266 15. Feb 08:03 tunables
-rw-r--r-- 1 root root 3448  5. Jul 2020  usr.bin.man
-rw-r--r-- 1 root root 2255 11. Nov 2020  usr.lib.ipsec.charon
-rw-r--r-- 1 root root  872 11. Nov 2020  usr.lib.ipsec.stroke
-rw-r--r-- 1 root root 1871 19. Aug 2021  usr.lib.libvirt.virt-aa-helper
-rw-r--r-- 1 root root 2628  1. Feb 2022  usr.sbin.chronyd
-rw-r--r-- 1 root root  761  5. Feb 00:25 usr.sbin.cups-browsed
-rw-r--r-- 1 root root 6027  6. Sep 2021  usr.sbin.cupsd
-rw-r--r-- 1 root root  621 25. Nov 2020  usr.sbin.haveged
-rw-r--r-- 1 root root  744 17. Feb 19:20 usr.sbin.kea-dhcp-ddns
-rw-r--r-- 1 root root  855 17. Feb 19:20 usr.sbin.kea-lfc
-rw-r--r-- 1 root root 4732 28. Jan 17:03 usr.sbin.libvirtd
-rw-r--r-- 1 root root  730 15. Okt 2020  usr.sbin.mariadbd
-rw-r--r-- 1 root root 2654 26. Jan 21:13 usr.sbin.named
-rw-r--r-- 1 root root 1196 11. Nov 2020  usr.sbin.swanctl

# aa-status
apparmor module is loaded.
25 profiles are loaded.
25 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/ipsec/charon
   /usr/lib/ipsec/stroke
   /usr/sbin/chronyd
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/haveged
   /usr/sbin/swanctl
   /{,usr/}sbin/dhclient
   kea-dhcp-ddns
   kea-lfc
   libvirtd
   libvirtd//qemu_bridge_helper
   lsb_release
   man_filter
   man_groff
   named
   nvidia_modprobe
   nvidia_modprobe//kmod
   virt-aa-helper
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
7 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (6782)
   /usr/lib/cups/notifier/dbus (6785) /usr/sbin/cupsd
0 processes are in complain mode.
5 processes are unconfined but have a profile defined.
   /usr/lib/ipsec/charon (1820)
   /usr/sbin/chronyd (2268)
   /usr/sbin/chronyd (2317)
   /usr/sbin/cups-browsed (2199)
   /usr/sbin/haveged (1858)
0 processes are in mixed mode.
0 processes are in kill mode.

3) Install kea-dhcp4-server
# apt-get install kea-dhcp4-server

4) Start manually:
# KEA_LOCKFILE_DIR=/run/lock/kea kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
2023-03-08 19:43:47.887 INFO  [kea-dhcp4.dhcp4/7774.139648314530240] 
DHCP4_STARTING Kea DHCPv4 server version 2.2.0 (stable) starting
2023-03-08 19:43:47.888 WARN  [kea-dhcp4.dhcp4/7774.139648314530240] 
DHCP4_CONFIG_SYNTAX_WARNING configuration syntax warning: 
/etc/kea/kea-dhcp4.conf:436.39: Extraneous comma. A piece of configuration may 
have been omitted.
INFO  HOSTS_BACKENDS_REGISTERED the following host backend types are available: 
mysql postgresql
INFO  DHCPSRV_CFGMGR_SOCKET_TYPE_DEFAULT "dhcp-socket-type" not specified , 
using default socket type raw
INFO  DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 
192.0.2.0/24 with params: t1=900, t2=1800, valid-lifetime=3600
INFO  COMMAND_ACCEPTOR_START Starting to accept connections via unix domain 
socket bound to /run/kea/kea4-ctrl-socket
INFO  DHCP4_CONFIG_COMPLETE DHCPv4 server has completed configuration: added 
IPv4 subnets: 1; DDNS: disabled
INFO  DHCPSRV_MEMFILE_DB opening memory file lease database: lfc-interval=3600 
type=memfile universe=4
INFO  DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file 
/var/lib/kea/kea-leases4.csv
2023-03-08 19:43:47.891 ERROR [kea-dhcp4.dhcp4/7774.139648314530240] 
DHCP4_CONFIG_LOAD_FAIL configuration error using file: /etc/kea/kea-dhcp4.conf, 
reason: Unable to open database: unable to open '/var/lib/kea/kea-leases4.csv'
2023-03-08 19:43:47.891 ERROR [kea-dhcp4.dhcp4/7774.139648314530240] 
DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file 
'/etc/kea/kea-dhcp4.conf': Unable to open database: unable to open 
'/var/lib/kea/kea-leases4.csv'

QED: Same apparmor error I could not fix...

# ls /etc/apparmor.d/usr.sbin.kea-dhcp4*
/etc/apparmor.d/usr.sbin.kea-dhcp4

The content of /etc/apparmor.d/usr.sbin.kea-dhcp4:
--- 8< ---
abi <abi/3.0>,

include <tunables/global>

profile kea-dhcp4 /usr/sbin/kea-dhcp4 {
  include <abstractions/base>

  # for MySQL access, localhost
  include <abstractions/mysql>
  include <abstractions/openssl>

  capability net_bind_service,
  capability net_raw,

  network inet dgram,
  network inet stream,
  network netlink raw,
  network packet raw,

  /etc/nsswitch.conf r,
  /etc/services r,
  /etc/hosts r,
  /etc/host.conf r,
  /etc/host.conf r,
  /run/systemd/resolve/stub-resolv.conf r,

  /etc/gss/mech.d/ r,
  /etc/gss/mech.d/* r,

  /etc/kea/ r,
  /etc/kea/** r,
  /usr/sbin/kea-dhcp4 mr,
  /usr/sbin/kea-lfc Px,

  owner /run/kea/kea-dhcp4.kea-dhcp4.pid w,
  owner /run/lock/kea/logger_lockfile rwk,

  # Control sockets
  # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both
  # locations
  owner /{tmp,run/kea}/kea4-ctrl-socket w,
  owner /{tmp,run/kea}/kea4-ctrl-socket.lock rwk,

  # this includes .completed, .output, .pid, .[0-9]
  owner /var/lib/kea/kea-leases4.csv* rw,

  owner /var/log/kea/kea-dhcp4.log rw,
  owner /var/log/kea/kea-dhcp4.log.[0-9]* rw,
  owner /var/log/kea/kea-dhcp4.log.lock rwk,
--- 8< ---

Regards
    Benedikt Spranger

PS: The sysv init scripts are broken. Patch follows when the apparmor issue is 
fixed.
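
To check from the kernel log that AppArmor is what refuses the lease file, and whether the `owner` qualifier on the kea-leases4.csv rule can apply at all, the following is an added example and not part of the original message. The log lines, uid 64999 and the /srv/example.* paths are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): list AppArmor denials for one
# profile and show whether opener uid (fsuid) and file owner uid (ouid) differ.

# Constructed kernel log lines; uid 64999 and the /srv/example.* paths are made up.
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1678301027.891:101): apparmor="DENIED" operation="open" profile="kea-dhcp4" name="/var/lib/kea/kea-leases4.csv" pid=7774 comm="kea-dhcp4" requested_mask="r" denied_mask="r" fsuid=0 ouid=64999
audit: type=1400 audit(1678301027.895:102): apparmor="DENIED" operation="open" profile="kea-dhcp4" name="/srv/example.conf" pid=7774 comm="kea-dhcp4" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1678301028.010:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/srv/example.txt" pid=6782 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1678301020.100:100): apparmor="STATUS" operation="profile_load" profile="unconfined" name="kea-dhcp4" pid=7700 comm="apparmor_parser"
EOF
}

# Reads log text on stdin; prints "path denied_mask fsuid ouid verdict" per denial.
aa_denials() {
    awk -v want="$1" '
    # Value of key="value" (quoted form first) or key=value on an audit line.
    function field(line, key,    s) {
        if (match(line, " " key "=\"[^\"]*\"")) {
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^=]*="/, "", s); sub(/"$/, "", s)
            return s
        }
        if (match(line, " " key "=[^ ]+")) {
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^=]*=/, "", s)
            return s
        }
        return ""
    }
    /apparmor="DENIED"/ {
        if (field($0, "profile") != want) next
        fsuid = field($0, "fsuid"); ouid = field($0, "ouid")
        # uid-differs: a rule with the owner qualifier cannot match this access.
        # uid-same: the owner qualifier is not the blocker; no rule covers it.
        verdict = (fsuid != ouid) ? "uid-differs" : "uid-same"
        print field($0, "name"), field($0, "denied_mask"), fsuid, ouid, verdict
    }'
}

sample_log | aa_denials kea-dhcp4
```

On a live system the input would be the kernel log (for example `dmesg` or `journalctl -k`) captured right after the failed start.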
