kernel: audit: type=1400 audit(1460259033.648:34): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13

Bug #1568485 reported by dino99
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)
Fix Released
High
Tyler Hicks
Trusty
Fix Released
Medium
Jorge Niedbalski
Wily
Won't Fix
Medium
Unassigned

Bug Description

Get this logged on a fully upgraded 64 desktop (proposed archive enabled)

kernel: audit: type=1400 audit(1460259033.648:34): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/dhclient" name="run/systemd/journal/dev-log" pid=1102 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor 2.10.95-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu1
Architecture: amd64
CurrentDesktop: GNOME
Date: Sun Apr 10 12:23:56 2016
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic root=UUID=7c755ed6-51cc-4b75-88ac-9c75acf82749 ro
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
dino99 (9d9) wrote :
Revision history for this message
Christian Boltz (cboltz) wrote :

To get things working, add
    flags=(attach_disconnected)
to the profile and reload it.

Revision history for this message
dino99 (9d9) wrote :

Thanks Christian,

but i wonder where to set that setting. Is it into: /sys/kernel/security/apparmor/profiles
 or somewhere else ?
In fact it seems that there is no kernel's 'profile' set at all

Revision history for this message
John Johansen (jjohansen) wrote :

It needs to be set in the profile file
   /etc/apparmor.d/sbin.dhclient

apply the following change

--- a/sbin.dhclient 2016-02-25 06:32:17.000000000 -0800
+++ b/sbin.dhclient 2016-04-10 12:41:41.826906424 -0700
@@ -3,7 +3,7 @@
 # Author: Jamie Strandboge <email address hidden>
 #include <tunables/global>

-/sbin/dhclient {
+/sbin/dhclient flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>

Revision history for this message
dino99 (9d9) wrote :

Thanks John

have made the change:
#/sbin/dhclient {
  /sbin/dhclient flags=(attach_disconnected) {

and rebooted: the error is gone now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
Paolo de Rosa (paolo-de-rosa) wrote :

I'm hitting the same bug, during the commissioning using trusty image in maas with wily kernel, due to intel NICs (supported only with kernel 4.2)

We hit the bug running dhclient:

root@messy-body:~# dhclient -nw eth2
dhclient: error while loading shared libraries: libc.so.6: cannot stat shared object: Permission denied

isc-dhcp-client 4.2.4-7ubuntu12.4

Revision history for this message
Tyler Hicks (tyhicks) wrote :

@dino99 - can you give any more details about how you're hitting this bug in Xenial? I've enabled -proposed and do not experience this denial.

Note that Paolo de Rosa is hitting it while provisioning a machine with MAAS.

Revision history for this message
dino99 (9d9) wrote :
Download full text (5.5 KiB)

@Tyler

this has happened on a single home desktop, which is a wily to xenial upgrade.
After following #4 howto (resumed in #5) the error is gone.

This is indeed only something i've discovered when browsing the journalctl. There was no sad effect detected previously finding that logged.
Actually there is still lot of apparmor's entries logged that should get some tweaks i suppose.

grep apparmor /var/log/syslog
Apr 12 09:03:19 u64 apparmor[423]: * Starting AppArmor profiles
Apr 12 09:03:19 u64 apparmor[423]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Apr 12 09:03:19 u64 apparmor[423]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Apr 12 09:03:19 u64 apparmor[423]: ...done.
Apr 12 09:03:19 u64 kernel: [ 16.971764] audit: type=1400 audit(1460444594.681:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=737 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 16.971772] audit: type=1400 audit(1460444594.681:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=737 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 16.971778] audit: type=1400 audit(1460444594.681:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=737 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 16.971783] audit: type=1400 audit(1460444594.681:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=737 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 17.053201] audit: type=1400 audit(1460444594.765:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/lightdm/lightdm-guest-session" pid=736 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 17.053208] audit: type=1400 audit(1460444594.765:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/lightdm/lightdm-guest-session//chromium" pid=736 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 17.120424] audit: type=1400 audit(1460444594.833:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=750 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 17.125640] audit: type=1400 audit(1460444594.837:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/telepathy/mission-control-5" pid=749 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 17.125647] audit: type=1400 audit(1460444594.837:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/telepathy/telepathy-*" pid=749 comm="apparmor_parser"
Apr 12 09:03:19 u64 kernel: [ 17.125652] audit: type=1400 audit(1460444594.837:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/telepathy/telepathy-*//pxgsettings" pid=749 comm="apparmor_parser"
Apr 12 09:04:29 u64 ureadahead[290]: ureadahead:apparmor_api: Ignored relative path
Apr 12 10:43:40 u64 apparmor[413]: * Starting AppArmor profiles
Apr 12 10:43:40 u64 apparmor[413]: Skipping profile in /etc/apparmor.d/disable: usr.bin.fire...

Read more...

Revision history for this message
Tyler Hicks (tyhicks) wrote :

@dino99 The apparmor="STATUS" messages are harmless. They're simply alerting you that an AppArmor profile has been loaded into the kernel.

Revision history for this message
Cody Pisto (cpisto) wrote :

Hitting this as well as of the recent upgrade to network manager (1.1.93) came along with #1569316

Revision history for this message
Cody Pisto (cpisto) wrote :

However, I still get an IP from dhcp, based on the logs, it seems dhclient retries this operation many times and it eventually succeeds. Maybe a race condition?

Revision history for this message
dino99 (9d9) wrote :

apparmor 2.10.95-0ubuntu2 might fix this issue (Bug #1569316)

Changed in apparmor (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
dino99 (9d9) wrote :

Feedback #13

Sadly the error is still logged:
kernel: audit: type=1400 audit(1460540782.347:30): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 p .....

/etc/apparmor.d/sbin.dhclient still has "/sbin/dhclient { " ; it should now use " /sbin/dhclient flags=(attach_disconnected) { " instead

apparmor (2.10.95-0ubuntu2)

Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Tyler Hicks (tyhicks) wrote :

@dino99 the apparmor 2.10.95-0ubuntu2 upload was not intended to fix this bug. The dhclient profile is in the iscp-dhcp package and it will need to be updated.

affects: apparmor (Ubuntu) → isc-dhcp (Ubuntu)
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → High
status: Confirmed → In Progress
Tyler Hicks (tyhicks)
Changed in isc-dhcp (Ubuntu):
status: In Progress → Confirmed
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.3.3-5ubuntu12

---------------
isc-dhcp (4.3.3-5ubuntu12) xenial; urgency=medium

  * debian/apparmor/sbin.dhclient: Add the attach_disconnected flag to prevent
    disconnected path denials as seen with the new 1.1.93 based
    network-manager (LP: #1568485)

 -- Tyler Hicks <email address hidden> Wed, 13 Apr 2016 10:02:12 -0500

Changed in isc-dhcp (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Jorge Niedbalski (niedbalski) wrote :
Changed in isc-dhcp (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jorge Niedbalski (niedbalski)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu Wily):
status: New → Confirmed
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello dino99, or anyone else affected,

Accepted isc-dhcp into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu12.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Mathew Hodson (mhodson)
Changed in isc-dhcp (Ubuntu Wily):
importance: Undecided → Medium
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : [isc-dhcp/trusty] possible regression found

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of isc-dhcp from trusty-proposed was performed and bug 1574226 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1574226 (not this bug). Thanks!

tags: added: verification-failed
tags: removed: verification-failed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

bug 1574226 appears to be a run-of-the-mill "something broke" report. The error message in the logs is:

invoke-rc.d: initscript isc-dhcp-server, action "start" failed.

The package in this SRU has the following change:

-/sbin/dhclient {
+/sbin/dhclient flags=(attach_disconnected) {

isc-dhcp-server is unrelated to this profile.

I think the best course of action is to remove the 'verification-failed' on this change, add bot-stop-nagging to bug 1574226 and ask pitti or the SRU team to re-investigate https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1529815

Logs: https://launchpadlibrarian.net/255808584/DpkgTerminalLog.txt
Debdiff: http://launchpadlibrarian.net/253957125/isc-dhcp_4.2.4-7ubuntu12.3_4.2.4-7ubuntu12.5.diff.gz

Thanks

dino99 (9d9)
Changed in isc-dhcp (Ubuntu Wily):
status: Confirmed → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-7ubuntu12.5

---------------
isc-dhcp (4.2.4-7ubuntu12.5) trusty; urgency=medium

  * debian/apparmor-profile.dhclient: Add the attach_disconnected flag to prevent
    disconnected path denials (LP: #1568485).

 -- Jorge Niedbalski <email address hidden> Fri, 15 Apr 2016 14:44:06 +0200

Changed in isc-dhcp (Ubuntu Trusty):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
Changed in isc-dhcp (Ubuntu Wily):
status: Invalid → Won't Fix
Mathew Hodson (mhodson)
tags: removed: verification-needed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.