Package: isc-dhcp-client
Version: 4.4.3-P1-4
Severity: normal

Dear Maintainer,

I am using NetworkManager with /etc/NetworkManager/NetworkManager.conf

        [main]
        dhcp=dhclient

and thus using isc-dhcp-client as my DHCP client.

With the update of network-manager 1.44.2-3 the nm-dhcp-helper moved
from /usr/lib/NetworkManager/ to /usr/libexec/.

Without a fix to /etc/apparmor.d/sbin.dhclient the system now fails to
activate interfaces using DHCP, logging

audit: type=1400 audit(1698680734.539:50): apparmor="DENIED" operation="exec" class="file" profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper" pid=7523 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The following diff fixes it for me - just duplicating the existing
rules to the new path:

diff --git a/etc/apparmor.d/sbin.dhclient b/etc/apparmor.d/sbin.dhclient
index 1acc6b92..b219d688 100644
--- a/etc/apparmor.d/sbin.dhclient
+++ b/etc/apparmor.d/sbin.dhclient
@@ -69,6 +69,8 @@
   # Support the new executable helper from NetworkManager.
   /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
   signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
+  /usr/libexec/nm-dhcp-helper                     Pxrm,
+  signal (receive) peer=/usr/libexec/nm-dhcp-helper,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/sbin.dhclient>
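
Review bot: the two added rules for /usr/libexec/nm-dhcp-helper sit under the existing comment "Support the new executable helper from NetworkManager." with nothing saying why a second path is listed. A one-line comment that the helper moved to /usr/libexec and that the /usr/lib/NetworkManager rules are kept for older NetworkManager packages would stop someone from later dropping either pair as a duplicate. Also note that the Px transition in "/usr/libexec/nm-dhcp-helper Pxrm," only works if a profile attached to that path is loaded, so this hunk must not be applied without the profile block added in the next hunk.
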
@@ -101,6 +103,21 @@
   network inet6 dgram,
 }
 
+/usr/libexec/nm-dhcp-helper {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+  /usr/libexec/nm-dhcp-helper mr,
+
+  /run/NetworkManager/private-dhcp rw,
+  signal (send) peer=/sbin/dhclient,
+
+  /var/lib/NetworkManager/*lease r,
+  signal (receive) peer=/usr/sbin/NetworkManager,
+  ptrace (readby) peer=/usr/sbin/NetworkManager,
+  network inet dgram,
+  network inet6 dgram,
+}
+
 /usr/lib/connman/scripts/dhclient-script {
   #include <abstractions/base>
   #include <abstractions/dbus>
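
Review bot: in the new /usr/libexec/nm-dhcp-helper profile, "signal (send) peer=/sbin/dhclient," names the peer as /sbin/dhclient, while the audit line in this report shows the dhclient profile label as "/{,usr/}sbin/dhclient". The peer= condition is matched against the peer's profile label, not the binary path, so please confirm that the helper's signal to dhclient is actually permitted with this rule, and adjust the peer expression if it is not. Separately, this block is a full copy of the rules for the old path with only the path changed; a single profile whose attachment covers both locations, for example /usr/{lib/NetworkManager,libexec}/nm-dhcp-helper, would keep the two from drifting apart, at the cost of also updating the peer= references in the dhclient profile.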


Greetings,
Sven


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii  debianutils  5.14
ii  iproute2     6.5.0-5
ii  libc6        2.37-12

Versions of packages isc-dhcp-client recommends:
ii  isc-dhcp-common  4.4.3-P1-4

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd         <none>
pn  isc-dhcp-client-ddns  <none>
ii  resolvconf            1.91+nmu1

-- Configuration Files:
/etc/apparmor.d/sbin.dhclient changed [not included]
/etc/dhcp/dhclient.conf changed [not included]

-- no debconf information
