Apparmor nameservice denials
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
isc-kea (Ubuntu) | Fix Released | High | Andreas Hasenack |
Bug Description
Two bugs have been reported in Debian that affect the Ubuntu packaging as well, since we share the same AppArmor profile:
#1033640: kea-lfc missing read access to /etc/resolv.conf
[Wed Mar 29 08:05:59 2023] audit: type=1400 audit(168006996
apparmor="DENIED" operation="open" profile="kea-lfc"
name="/
denied_mask="r" fsuid=102 ouid=0
The existing apparmor profile expected /etc/resolv.conf to be a symlink to /run/systemd/
#1033639: kea-dhcp6-server wont start (apparmor and problems binding sockets)
[Tue Mar 28 10:40:14 2023] audit: type=1400 audit(167999281
apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1070
comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0
requested_
The dhcp6 server wasn't well tested with apparmor, and missed the obvious inet6 requirement. It never showed up during development because the VMs where this was tested didn't have IPv6 enabled, which is an obvious mistake. In this case, the nameservice abstraction also takes care of adding the missing inet6 rule, and also solved the other errors the reporter was having.
They were fixed with https:/
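A triage helper for denials like the two quoted above, as an added example that is not part of the original bug report or the isc-kea packaging: it parses AppArmor `DENIED` audit records and returns, per profile, one candidate rule for each distinct denial, to compare against what an abstraction such as nameservice already grants. The sample records and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the two denials in the report; audit
# ids, most pids, the duplicate and the non-DENIED records are made up.
SAMPLE_LOG = """\
audit: type=1400 audit(1111111111.111:11): apparmor="DENIED" operation="open" profile="kea-lfc" name="/etc/resolv.conf" pid=1001 comm="kea-lfc" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
audit: type=1400 audit(1111111112.222:12): apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1070 comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1111111113.333:13): apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1071 comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1111111114.444:14): apparmor="ALLOWED" operation="open" profile="kea-dhcp4" name="/etc/hosts" pid=1080 comm="kea-dhcp4" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
audit: type=1130 audit(1111111115.555:15): pid=1 uid=0 msg='unit=kea-dhcp6-server comm="systemd" res=failed'
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if "type=1400" not in line:          # 1400 is the AVC/AppArmor record type
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    # Complain-mode profiles log ALLOWED; those are not enforcement failures.
    return fields if fields.get("apparmor") == "DENIED" else None


def candidate_rule(denial):
    """Express one denial as the AppArmor rule that would have permitted it."""
    if "family" in denial:               # socket creation was denied
        return f'network {denial["family"]} {denial["sock_type"]},'
    if "name" in denial:                 # file access was denied
        return f'{denial["name"]} {denial["denied_mask"]},'
    return None


def summarize(log):
    """Map each profile to the sorted, de-duplicated candidate rules."""
    rules = defaultdict(set)
    for line in log.splitlines():
        denial = parse_denial(line)
        rule = candidate_rule(denial) if denial else None
        if rule:
            rules[denial["profile"]].add(rule)
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == "__main__":
    for profile, found in summarize(SAMPLE_LOG).items():
        print(profile, "->", "; ".join(found))
```

The output is a list to review against the profile and its includes, not text to paste in unchanged.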
description: updated
Changed in isc-kea (Ubuntu):
importance: Undecided → High
I'm uploading this directly since Paride reviewed the same change in Debian in this MP: https://salsa.debian.org/debian/isc-kea/-/merge_requests/27