It looks like your apparmor pattern is slightly wrong. In the following, the asterisk (*) does not allow for the slash (/) character:
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient*.pid lrw,
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient*.lease* lrw,

(See docs about globbing here:
https://manpages.debian.org/wheezy/apparmor/apparmor.d.5.en.html#Globbing
and see that just one asterisk clearly says: "* → can substitute for any number of characters, excepting '/'".)

It should be two asterisks (**) instead:

debian/apparmor/sbin.dhclient: /{,var/}run/dhclient**.pid lrw,
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient**.lease* lrw,

(Same doc as above: "** → can substitute for any number of characters, including '/'")

Then I think that the PID files will be created as expected.

Somehow, the IPv4 one is created for me. Not too sure why. However, the IPv6 fails with:

> 2025-04-20T09:09:05.152724-07:00 monster kernel: audit: type=1400
> audit(1745165345.150:762):
> apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/dhcpd"
> name="/run/dhcp-server6/dhcpd6.pid" pid=218742 comm="dhcpd" requested_mask="c"
> denied_mask="c" fsuid=0 ouid=0

which means that apparmor prevented the creation (mknod) of the file (class="file"). It is not a user issue, since fsuid and ouid are set to 0 (root).

Now, looking at the actual file, I found this line:

/{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,

which doesn't match what I've seen in the Ubuntu source for 24.04... Either way, that one misses the IPv6 folder. It should be:

/{,var/}run/{,dhcp-server/,dhcp-server6/}dhcpd{,6}.pid rw,

to work properly with IPv6 which explains why the IPv4 worked but not the IPv6.

Ah. I see that new definition in this file:

debian/apparmor/usr.sbin.dhcpd

Okay. So you can ignore the '*' vs '**' comment above. Just add the ",dhcp-server6" to that file and we should be good on that end.

---

As a side note:

Since you do not specify a Type=... in your .service files, it defaults to "simple".
https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#Type=

As such, the PID file is not necessary and is actually considered obsolete.

> Note that PID files should be avoided in modern projects

https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#PIDFile=

But I would imagine that you need to support many distros, many that are still not using systemctl. In that case, it makes sense to continue to support that thing even though on Debian/Ubuntu it could just be completely removed.

---

Another note, which I think is of importance, is the fact that the filename is supposedly editable in the default file. But then you do not use that folder. Because of apparmor, it is likely to fail "badly" if the user attempts to save the PID file somewhere else. But for that, I would warn the user and explain that they either have to turn off apparmor, edit the isc-dhcp apparmor file, or make sure the destination is allowed (like /var/lib/dhcp/... which is already allowed).

So I would suggest to use the variable in:

exec dhcpd ... -4 -pf $DHCPDv4_PID ...
exec dhcpd ... -6 -pf $DHCPDv6_PID ...

Either that or remove the variable from the default (/etc/default/isc-dhcp-server).

---

Thank you.

--
https://bugs.launchpad.net/bugs/1448657

Title:
isc-dhcp-server: Can't create PID file /run/dhcp-server/dhcpd.pid: Permission denied

Status in isc-dhcp package in Ubuntu:
Confirmed

Bug description:
Just upgraded from 14-10 to 15-04, and now see the following in syslog:

Apr 26 10:50:08 server kernel: [70470.960718] audit: type=1400 audit(1430045408.725:8): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=8619 comm="dhcpd" capability=1 capname="dac_override"
Apr 26 10:50:08 server sh[8619]: Can't create PID file /run/dhcp-server/dhcpd.pid: Permission denied.
Description: Ubuntu 15.04
Release: 15.04

isc-dhcp-server:
Installed: 4.3.1-5ubuntu2

----------- 8x -----------------
# cat /etc/default/isc-dhcp-server
# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES=""
----------- 8x -----------------
# ls -la /var/run
lrwxrwxrwx 1 root root 4 Oct 24 2013 /var/run -> /run

# ls -la /run/dhcp-server/
total 0
drwxr-xr-x 2 dhcpd dhcpd 40 Apr 26 10:59 .
drwxr-xr-x 34 root root 1060 Apr 26 11:33 ..
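Added example (not part of the original message or of the isc-dhcp packaging): a simplified translation of AppArmor path globs to regular expressions, used to check the denied path from the audit record quoted above against the existing and the proposed dhcpd PID rule. The function names are hypothetical, and the translator covers only `*`, `**`, `?` and `{a,b}`; it is an approximation and does not reproduce every edge case of the real AppArmor parser.

```python
import re

def aa_glob_to_regex(pattern):
    """Simplified AppArmor path glob -> anchored regex ('*', '**', '?', '{a,b}')."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")        # '**' may cross '/'
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # '*' stops at '/'
        elif c == "?":
            out.append("[^/]")      # one character, never '/'
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")         # alternatives may be empty, e.g. {,var/}
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in " + pattern)
    return re.compile("".join(out) + r"\Z")

def rule_allows(rule, path):
    """True if the path glob of a profile rule matches the given path."""
    return aa_glob_to_regex(rule).match(path) is not None

def denied_path(audit_line):
    """Return the name= field of an AppArmor DENIED record, or None."""
    m = re.search(r'apparmor="DENIED".*?\bname="([^"]+)"', audit_line)
    return m.group(1) if m else None

# Rules and denial record as quoted in the message above (syslog prefix dropped).
RULE_OLD = "/{,var/}run/{,dhcp-server/}dhcpd{,6}.pid"
RULE_NEW = "/{,var/}run/{,dhcp-server/,dhcp-server6/}dhcpd{,6}.pid"
DENIAL = ('audit: type=1400 audit(1745165345.150:762): apparmor="DENIED" '
          'operation="mknod" class="file" profile="/usr/sbin/dhcpd" '
          'name="/run/dhcp-server6/dhcpd6.pid" pid=218742 comm="dhcpd" '
          'requested_mask="c" denied_mask="c" fsuid=0 ouid=0')

if __name__ == "__main__":
    path = denied_path(DENIAL)
    for rule in (RULE_OLD, RULE_NEW):
        print(rule, "->", "allows" if rule_allows(rule, path) else "does not allow", path)
```

Running the same check over every `name=` value seen in the audit log before reloading an edited profile shows which denials the new rule would clear.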