Hi,

what's the actual apparmor DENIED message you get in the logs? Check
`dmesg`.

I see you are not using the systemd unit, so I suspect you are running kea
as root directly, instead of as the unprivileged `_kea` user, and you are
probably tripping over the "owner" flag of the apparmor rules.


On Wed, Mar 8, 2023 at 4:09 PM bene <b...@linutronix.de> wrote:

> > Please do follow up to this bug if you figure out something more about
> > this issue: if there's a bug in the apparmor profile we want to fix it
> > sooner rather than later.
>
> OK. Do it again:
>
> 1)  Purge kea-dhcp4-server from the system to ensure a clean install
> # apt-get purge kea-dhcp4-server
>
> 2) Ensure there is no apparmor profile left:
> # ls -l /etc/apparmor.d/
> total 88
> drwxr-xr-x 2 root root   95 15. Feb 08:03 abi
> drwxr-xr-x 4 root root 4096 27. Feb 07:51 abstractions
> drwxr-xr-x 2 root root    6 18. Mar 2018  force-complain
> drwxr-xr-x 2 root root 4096 27. Feb 07:51 libvirt
> drwxr-xr-x 3 root root 4096  8. Mar 19:40 local
> -rw-r--r-- 1 root root 1379 14. Feb 12:49 lsb_release
> -rw-r--r-- 1 root root 1189  3. Sep 2021  nvidia_modprobe
> drwxr-xr-x 2 root root    6 26. Feb 2019  samba
> -rw-r--r-- 1 root root 3461  9. Jan 09:25 sbin.dhclient
> drwxr-xr-x 5 root root  266 15. Feb 08:03 tunables
> -rw-r--r-- 1 root root 3448  5. Jul 2020  usr.bin.man
> -rw-r--r-- 1 root root 2255 11. Nov 2020  usr.lib.ipsec.charon
> -rw-r--r-- 1 root root  872 11. Nov 2020  usr.lib.ipsec.stroke
> -rw-r--r-- 1 root root 1871 19. Aug 2021  usr.lib.libvirt.virt-aa-helper
> -rw-r--r-- 1 root root 2628  1. Feb 2022  usr.sbin.chronyd
> -rw-r--r-- 1 root root  761  5. Feb 00:25 usr.sbin.cups-browsed
> -rw-r--r-- 1 root root 6027  6. Sep 2021  usr.sbin.cupsd
> -rw-r--r-- 1 root root  621 25. Nov 2020  usr.sbin.haveged
> -rw-r--r-- 1 root root  744 17. Feb 19:20 usr.sbin.kea-dhcp-ddns
> -rw-r--r-- 1 root root  855 17. Feb 19:20 usr.sbin.kea-lfc
> -rw-r--r-- 1 root root 4732 28. Jan 17:03 usr.sbin.libvirtd
> -rw-r--r-- 1 root root  730 15. Oct 2020  usr.sbin.mariadbd
> -rw-r--r-- 1 root root 2654 26. Jan 21:13 usr.sbin.named
> -rw-r--r-- 1 root root 1196 11. Nov 2020  usr.sbin.swanctl
>
> # aa-status
> apparmor module is loaded.
> 25 profiles are loaded.
> 25 profiles are in enforce mode.
>    /usr/bin/man
>    /usr/lib/NetworkManager/nm-dhcp-client.action
>    /usr/lib/NetworkManager/nm-dhcp-helper
>    /usr/lib/connman/scripts/dhclient-script
>    /usr/lib/cups/backend/cups-pdf
>    /usr/lib/ipsec/charon
>    /usr/lib/ipsec/stroke
>    /usr/sbin/chronyd
>    /usr/sbin/cups-browsed
>    /usr/sbin/cupsd
>    /usr/sbin/cupsd//third_party
>    /usr/sbin/haveged
>    /usr/sbin/swanctl
>    /{,usr/}sbin/dhclient
>    kea-dhcp-ddns
>    kea-lfc
>    libvirtd
>    libvirtd//qemu_bridge_helper
>    lsb_release
>    man_filter
>    man_groff
>    named
>    nvidia_modprobe
>    nvidia_modprobe//kmod
>    virt-aa-helper
> 0 profiles are in complain mode.
> 0 profiles are in kill mode.
> 0 profiles are in unconfined mode.
> 7 processes have profiles defined.
> 2 processes are in enforce mode.
>    /usr/sbin/cupsd (6782)
>    /usr/lib/cups/notifier/dbus (6785) /usr/sbin/cupsd
> 0 processes are in complain mode.
> 5 processes are unconfined but have a profile defined.
>    /usr/lib/ipsec/charon (1820)
>    /usr/sbin/chronyd (2268)
>    /usr/sbin/chronyd (2317)
>    /usr/sbin/cups-browsed (2199)
>    /usr/sbin/haveged (1858)
> 0 processes are in mixed mode.
> 0 processes are in kill mode.
>
> 3) install kea-dhcp4-server
> # apt-get install kea-dhcp4-server
>
> 4) Start manually:
> # KEA_LOCKFILE_DIR=/run/lock/kea kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
> 2023-03-08 19:43:47.887 INFO  [kea-dhcp4.dhcp4/7774.139648314530240]
> DHCP4_STARTING Kea DHCPv4 server version 2.2.0 (stable) starting
> 2023-03-08 19:43:47.888 WARN  [kea-dhcp4.dhcp4/7774.139648314530240]
> DHCP4_CONFIG_SYNTAX_WARNING configuration syntax warning:
> /etc/kea/kea-dhcp4.conf:436.39: Extraneous comma. A piece of configuration
> may have been omitted.
> INFO  HOSTS_BACKENDS_REGISTERED the following host backend types are
> available: mysql postgresql
> INFO  DHCPSRV_CFGMGR_SOCKET_TYPE_DEFAULT "dhcp-socket-type" not specified
> , using default socket type raw
> INFO  DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to
> configuration: 192.0.2.0/24 with params: t1=900, t2=1800,
> valid-lifetime=3600
> INFO  COMMAND_ACCEPTOR_START Starting to accept connections via unix
> domain socket bound to /run/kea/kea4-ctrl-socket
> INFO  DHCP4_CONFIG_COMPLETE DHCPv4 server has completed configuration:
> added IPv4 subnets: 1; DDNS: disabled
> INFO  DHCPSRV_MEMFILE_DB opening memory file lease database:
> lfc-interval=3600 type=memfile universe=4
> INFO  DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file
> /var/lib/kea/kea-leases4.csv
> 2023-03-08 19:43:47.891 ERROR [kea-dhcp4.dhcp4/7774.139648314530240]
> DHCP4_CONFIG_LOAD_FAIL configuration error using file:
> /etc/kea/kea-dhcp4.conf, reason: Unable to open database: unable to open
> '/var/lib/kea/kea-leases4.csv'
> 2023-03-08 19:43:47.891 ERROR [kea-dhcp4.dhcp4/7774.139648314530240]
> DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using
> file '/etc/kea/kea-dhcp4.conf': Unable to open database: unable to open
> '/var/lib/kea/kea-leases4.csv'
>
> QED: Same apparmor error I could not fix...
>
> # ls /etc/apparmor.d/usr.sbin.kea-dhcp4*
> /etc/apparmor.d/usr.sbin.kea-dhcp4
>
> The content of /etc/apparmor.d/usr.sbin.kea-dhcp4:
> --- 8< ---
> abi <abi/3.0>,
>
> include <tunables/global>
>
> profile kea-dhcp4 /usr/sbin/kea-dhcp4 {
>   include <abstractions/base>
>
>   # for MySQL access, localhost
>   include <abstractions/mysql>
>   include <abstractions/openssl>
>
>   capability net_bind_service,
>   capability net_raw,
>
>   network inet dgram,
>   network inet stream,
>   network netlink raw,
>   network packet raw,
>
>   /etc/nsswitch.conf r,
>   /etc/services r,
>   /etc/hosts r,
>   /etc/host.conf r,
>   /etc/host.conf r,
>   /run/systemd/resolve/stub-resolv.conf r,
>
>   /etc/gss/mech.d/ r,
>   /etc/gss/mech.d/* r,
>
>   /etc/kea/ r,
>   /etc/kea/** r,
>   /usr/sbin/kea-dhcp4 mr,
>   /usr/sbin/kea-lfc Px,
>
>   owner /run/kea/kea-dhcp4.kea-dhcp4.pid w,
>   owner /run/lock/kea/logger_lockfile rwk,
>
>   # Control sockets
>   # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both locations
>   owner /{tmp,run/kea}/kea4-ctrl-socket w,
>   owner /{tmp,run/kea}/kea4-ctrl-socket.lock rwk,
>
>   # this includes .completed, .output, .pid, .[0-9]
>   owner /var/lib/kea/kea-leases4.csv* rw,
>
>   owner /var/log/kea/kea-dhcp4.log rw,
>   owner /var/log/kea/kea-dhcp4.log.[0-9]* rw,
>   owner /var/log/kea/kea-dhcp4.log.lock rwk,
> --- 8< ---
>
> Regards
>     Benedikt Spranger
>
> PS: The sysv init scripts are broken. Patch follows when the apparmor
> issue is fixed.
>
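Added example, not part of this thread nor of the Kea or Debian packaging: a small POSIX shell check for the hypothesis in the reply above. AppArmor DENIED records carry both `fsuid` (the uid the process is acting as) and `ouid` (the owner of the object); an `owner`-qualified rule such as `owner /var/lib/kea/kea-leases4.csv* rw,` can only match when the two are equal, so a denial with `fsuid=0` against a file owned by `_kea` is what running the daemon as root by hand looks like, while a denial with equal uids means the profile really lacks a rule. The log lines below are constructed in the shape `dmesg` prints, and the uid 107 used for `_kea` is an assumption for illustration.

```shell
# Constructed sample lines in the format AppArmor writes to dmesg / the audit
# log. The uid numbers are assumptions for illustration (0 = root, 107 = a
# hypothetical uid for the _kea user), not values taken from the reporter's box.
DENIED_AS_ROOT='audit: type=1400 audit(1678300000.001:120): apparmor="DENIED" operation="open" profile="kea-dhcp4" name="/var/lib/kea/kea-leases4.csv" pid=7774 comm="kea-dhcp4" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=107'
DENIED_AS_KEA='audit: type=1400 audit(1678300000.002:121): apparmor="DENIED" operation="open" profile="kea-dhcp4" name="/var/lib/kea/kea-leases4.csv" pid=7775 comm="kea-dhcp4" requested_mask="wr" denied_mask="wr" fsuid=107 ouid=107'
NOT_A_DENIAL='audit: type=1400 audit(1678300000.003:122): apparmor="STATUS" operation="profile_load" profile="unconfined" name="kea-dhcp4" pid=7700 comm="apparmor_parser"'

# field KEY LINE: print the value of KEY=value (quoted or bare) found in LINE.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# classify_denial LINE: print one of
#   not-a-denial    the line is not an apparmor="DENIED" record
#   owner-mismatch  fsuid != ouid, so no "owner" rule can match; this is what
#                   running kea-dhcp4 as root against _kea-owned files looks like
#   rule-missing    same uid on both sides, so the profile lacks a rule for the path
classify_denial() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) echo not-a-denial; return 0 ;;
    esac
    fsuid=$(field fsuid "$line")
    ouid=$(field ouid "$line")
    if [ -n "$fsuid" ] && [ -n "$ouid" ] && [ "$fsuid" != "$ouid" ]; then
        echo owner-mismatch
    else
        echo rule-missing
    fi
}

# file_owned_by PATH USER: succeed iff PATH is owned by USER's uid, i.e. an
# "owner" rule could match when the daemon runs as USER. Uses GNU stat -c.
file_owned_by() {
    [ "$(stat -c %u "$1")" = "$(id -u "$2")" ]
}

# Usage on a live system (run as root):
#   classify_denial "$(dmesg | grep 'apparmor="DENIED"' | tail -n 1)"
#   file_owned_by /var/lib/kea/kea-leases4.csv _kea && echo "lease file owned by _kea"
```

If the classifier says `owner-mismatch`, the fix is on the invocation side (start kea-dhcp4 as `_kea`, as the systemd unit does) rather than in the profile; only a `rule-missing` result points at a profile bug worth reporting.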
