profile for usr.sbin.dnsmasq needs adjustment

Can you add the following to your profile:
  /var/run/dnsmasq*.pid w,

Then perform in a terminal:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.dnsmasq

and report back if it fixes it for you?

SRU REQUEST

1. dnsmasq profile does not work when using a wireless interface. Fix is trivial.

2. The fix is not in Lucid yet

3. The fix is to adjust profiles/apparmor.d/usr.sbin.dnsmasq:
- /var/run/dnsmasq.pid w,
+ /var/run/dnsmasq*.pid w,

4. TEST CASE:
- apt-get install apparmor-profiles dnsmasq
- enable the dnsmasq profile with 'aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq'
- bring up a wireless interface

5. The regression potential is very low. We only allow access to files that we didn't previously have access to and the dnsmasq profile is a complain-mode file in the default install.

Uploaded apparmor_2.3.1+1403-0ubuntu27.1 to karmic-proposed.

Accepted apparmor into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu28

---------------
apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low

  [ Jamie Strandboge ]
  * update skype profile in extras. Based on work by Андрей Калинин.
    (LP: #226624)
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 11:02:27 -0600

Updated test case:
- apt-get install apparmor-profiles dnsmasq
- enable the dnsmasq profile with 'aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq'
- sudo /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d
- sudo /usr/sbin/dnsmasq -x /var/run/nm-dnsmasq.wlan0.pid -u dnsmasq -7 /etc/dnsmasq.d

While the profile addressed the original reporter's claim that /var/run/dsnmasq.wlan0.pid is the pid to look for, looking in the attached dmesg output and doing 'sudo /etc/init.d/dnsmasq start' showed additional locations for pidfiles and config files. The updated profile should have these additions:
  capability dac_override,
  /etc/dnsmasq.d/ r,
  /etc/dnsmasq.d/* r,
  /var/run/*dnsmasq*.pid w,
  /var/run/dnsmasq/ r,
  /var/run/dnsmasq/* rw,

At present, the profile is useless without these additions, as dnsmasq won't even start when the profile is in enforce mode.

I uploaded 2.3.1+1403-0ubuntu27.2. See the attached debdiff between 2.3.1+1403-0ubuntu27.1 and 2.3.1+1403-0ubuntu27.2.

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu29

---------------
apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low

  * parser/Makefile: generate af_names.h based on bits/socket.h since
    linux/socket.h no longer has what we need (LP: #474751)
  * usr.sbin.dnsmasq: fully address LP: #445818
    - more pidfile refinements
    - allow access to /var/run/dnsmasq
    - allow access to /etc/dnsmasq.d
    - allow dac_override so it can write its pidfile

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 17:07:23 -0600

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.1

---------------
apparmor (2.3.1+1403-0ubuntu27.1) karmic-proposed; urgency=low

  [ Jamie Strandboge ]
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Tue, 03 Nov 2009 14:30:19 -0600

Accepted apparmor into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

2.3.1+1403-0ubuntu27.2 allows dnsmasq to work via its initscript and the test case in comment #7.

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.2

---------------
apparmor (2.3.1+1403-0ubuntu27.2) karmic-proposed; urgency=low

  * usr.sbin.dnsmasq: fully address LP: #445818
    - more pidfile refinements
    - allow access to /var/run/dnsmasq
    - allow access to /etc/dnsmasq.d
    - allow dac_override so it can write its pidfile

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 13:16:21 -0600

I'm not sure if this is the reason why in the last update to dnsmasq it won't start during boot anymore. I have to restart the process after boot.

Jeremy,

Are you getting AppArmor rejects? They should show up in the output of dmesg.

Can you run

apport-collect -p apparmor 445818

I meant this update to apparmor stopped dnsmasq for me.

Architecture: amd64
DistroRelease: Ubuntu 9.10
Package: apparmor 2.3.1+1403-0ubuntu27.2
PackageArchitecture: amd64
ProcCmdline: root=UUID=af17c779-4b6b-407a-a2fe-5ffc00d6b536 ro quiet splash
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US
 LANGUAGE=en_US:en
ProcVersionSignature: Ubuntu 2.6.31-15.50-generic
Uname: Linux 2.6.31-15-generic x86_64
UserGroups: adm admin audio backup bin cdrom dialout dip disk floppy fuse games haldaemon irc klog kmem kqemu kvm libvirtd lp lpadmin mail netdev operator plugdev powerdev pulse pulse-access root rtkit sambashare sasl scanner ssh ssl-cert staff sudo sys syslog tape tty uml-net video voice www-data