[jaunty] AppArmor gets enabled on upgrade and breaks NetworkManager

Bug #342235 reported by Evan
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Invalid | Undecided | Unassigned |
dhcp3 (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |

Bug Description

Binary package hint: apparmor

After upgrading from Intrepid to Jaunty, AppArmor was enabled (my understanding is that it's disabled by default). I only found this because it appears to break NetworkManager in that when it's enabled, the policy prevents NetworkManager from getting a DHCP lease.

Attached is the relevant section of my syslog. The first attempt at connecting is with AppArmor enabled, the second attempt is with it disabled.

Evan (ev) wrote :

evan@candy:~$ dpkg --list | grep apparmor
ii apparmor 2.3+1289-0ubuntu8 User-space parser utility for AppArmor
ii apparmor-utils 2.3+1289-0ubuntu8 Utilities for controlling AppArmor
ii libapparmor-perl 2.3+1289-0ubuntu8 AppArmor library Perl bindings
ii libapparmor1 2.3+1289-0ubuntu8 changehat AppArmor library

Steve Beattie (sbeattie) wrote : Re: [Bug 342235] Re: [jaunty] AppArmor gets enabled on upgrade and breaks NetworkManager

Looking in the syslog you posted, this:

Mar 13 11:31:39 candy kernel: [ 2202.908747] type=1503 audit(1236943899.825:13): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/dbus/system_bus_socket" pid=7934 profile="/usr/lib/NetworkManager/nm-dhcp-client.action"

looks to be the probable source of the issue. Adding the line

  /var/run/dbus/system_bus_socket w,

to the /usr/lib/NetworkManager/nm-dhcp-client.action section of
/usr/lib/NetworkManager/nm-dhcp-client.action and reload the apparmor
policy by restarting the apparmor initscript should address it.

Thanks.

Steve Beattie (sbeattie) wrote :

> looks to be the probable source of the issue. Adding the line
>
> /var/run/dbus/system_bus_socket w,
>
> to the /usr/lib/NetworkManager/nm-dhcp-client.action section of
> /usr/lib/NetworkManager/nm-dhcp-client.action and reload the apparmor
> policy by restarting the apparmor initscript should address it.

Erk, a copy+waste error occurred, that should be "add the line
[above] to the /usr/lib/NetworkManager/nm-dhcp-client.action section of
/etc/apparmor.d/sbin.dhclient3 and reload [...]".

Time to get more coffee. Thanks.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/
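
The step worked through in the two comments above, reading a denial out of syslog and turning it into a profile rule, as an added example (not part of the original thread, and not AppArmor's own tooling). The function names are hypothetical, the first sample line is the one quoted in the thread, and the other two are constructed.

```python
import re
from collections import defaultdict

# First line: the denial quoted in this thread. The other two are constructed
# for illustration (hypothetical profile and path, and a non-audit line).
SAMPLE_LOG = """\
Mar 13 11:31:39 candy kernel: [ 2202.908747] type=1503 audit(1236943899.825:13): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/dbus/system_bus_socket" pid=7934 profile="/usr/lib/NetworkManager/nm-dhcp-client.action"
Mar 13 11:31:40 candy kernel: [ 2203.000000] type=1503 audit(1236943900.000:14): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/tmp/example.conf" pid=8000 profile="/usr/bin/example"
Mar 13 11:31:41 candy dhclient: constructed non-audit line
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwamlkx"  # display order for permission letters in a rule


def parse_denial(line):
    """Return the key=value fields of a type=1503 audit line, or None."""
    if "type=1503" not in line:  # record type seen on the line quoted above
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    if not all(k in fields for k in ("profile", "name", "denied_mask")):
        return None
    return fields


def suggest_rules(log_text):
    """Map each profile named in a denial to candidate file rules."""
    perms = defaultdict(set)  # (profile, path) -> denied permission letters
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields:
            # Masks here look like "w::"; assumption: only the letters matter.
            letters = set(fields["denied_mask"]) - {":"}
            perms[(fields["profile"], fields["name"])] |= letters
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        mode = "".join(sorted(letters, key=lambda c: (PERM_ORDER.find(c), c)))
        rules[profile].append(f"  {path} {mode},")
    return dict(rules)


if __name__ == "__main__":
    # profile= names the profile section, not the file that holds it: in this
    # thread that section lives in /etc/apparmor.d/sbin.dhclient3.
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"{profile} {{\n" + "\n".join(lines) + "\n}")
```

Each suggested rule is a candidate to review before it goes into a profile, since a denial can also mean the confined program is doing something it should not.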

Evan (ev)
Changed in apparmor:
status: New → Invalid
Evan (ev) wrote :

Whoops, forgot to mention that Steve's proposed fix works for me.

Changed in dhcp3:
assignee: nobody → jdstrand
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dhcp3 - 3.1.1-5ubuntu7

---------------
dhcp3 (3.1.1-5ubuntu7) jaunty; urgency=low

  * debian/apparmor-profile.dhclient3: adjust to allow NetworkManager and
    connmann access to dbus (LP: #342235)

 -- Jamie Strandboge <email address hidden> Tue, 17 Mar 2009 17:26:19 -0500

Changed in dhcp3:
status: In Progress → Fix Released