Bug#1052764: kea-ctrl-agent: apparmor profile prohibits binding to ipv6

Tue, 26 Sep 2023 06:21:16 -0700 

Package: kea-ctrl-agent
Version: 2.2.0-6
Severity: normal
X-Debbugs-Cc: debianb...@meschenbacher.pt.ernw.de

Dear Maintainer,

we've noticed that the apparmor profile prohibits binding to ipv6. The
agent won't then start at all and log a few lines in quick succession

ERROR [kea-ctrl-agent.dctl/433486.140500168120192] DCTL_PARSER_FAIL : unable to 
setup TCP acceptor for listening to the incoming HTTP requests: open: 
Permission denied

I then manually allowed 'network inet6' (see attached
/etc/apparmor.d/usr.sbin.kea-ctrl-agent) which fixes the problem for us.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kea-ctrl-agent depends on:
ii  init-system-helpers    1.65.2
ii  kea-common             2.2.0-6
ii  libc6                  2.36-9+deb12u1
ii  libgcc-s1              12.2.0-14
ii  libssl3                3.0.9-1
ii  libstdc++6             12.2.0-14
ii  python3                3.11.2-1+b1
ii  python3-kea-connector  2.2.0-6

kea-ctrl-agent recommends no packages.

Versions of packages kea-ctrl-agent suggests:
pn  kea-doc  <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.kea-ctrl-agent changed:
abi <abi/3.0>,
include <tunables/global>
profile kea-ctrl-agent /usr/sbin/kea-ctrl-agent {
  include <abstractions/base>
  network inet stream,
  network inet6 stream,
  /etc/kea/ r,
  /etc/kea/** r,
  /usr/sbin/kea-ctrl-agent mr,
  owner /run/kea/kea-ctrl-agent.kea-ctrl-agent.pid w,
  owner /run/lock/kea/logger_lockfile rwk,
  # Control sockets
  # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both
  # locations
  owner /{tmp,run/kea}/kea-ddns-ctrl-socket rw,
  owner /{tmp,run/kea}/kea4-ctrl-socket rw,
  owner /{tmp,run/kea}/kea6-ctrl-socket rw,
  owner /var/log/kea/kea-ctrl-agent.log rw,
  owner /var/log/kea/kea-ctrl-agent.log.[0-9]* rw,
  owner /var/log/kea/kea-ctrl-agent.log.lock rwk,
}

-- no debconf information

Reply via email to