[Bug 863226] New: Dynamic DNS does not cooperate with DHCP If AppArmor is enabled
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c0

Summary: Dynamic DNS does not cooperate with DHCP If AppArmor is enabled
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: jochen.herrmann@trace.ch
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0

I tried to install on a 32 bit OS 13.1 DHCP and DNS via Yast 2 (Former dos & windows only user). Both work, but do not cooperate, so that the DNS is not updating its database concerning DHCP leases in the LAN. But it works when one switches off the AppArmor feature.

I have 2 network cards installed, Squid and Firewall are running. 1 network card is connected to the router (external) and the other one is internal.

More Information below (a link to the forum)

Reproducible: Always

Steps to Reproduce:
In the forum, 1. page, last entry

Actual Results:
Using the workaround "Disable AppArmor" allows full functionality.

I wrote about it first in the forum - here is the link:
forums.opensuse.org/showthread.php/495147-OS13-1-DNS-External-name-resolution-works-but-absolutely-no-cooperation-with-the-DHCP/page1

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c1
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c2
--- Comment #2 from Jochen Herrmann
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c3
Jochen Herrmann
> Jochen, can you please re-enable AppArmor and switch the involved profiles to complain mode (that means: allow everything, but write it to the logfile).

As I get an error in command mode I enabled it in Yast2->AppArmor Config->Settings. I have set in profiles mode all to complain mode.

> aa-complain /etc/apparmor.d/usr.sbin.named

usr.bin.named does not exist

> (if dhcpd also has a profile, please also switch it to complain mode)

no profile as far as I could see

> After that, restart named and dhcpd (or restart your computer to make sure all running processes have their AppArmor profile applied) and do the "steps to reproduce". This time, everything should be allowed. If something is still blocked, have a look at the logs - maybe you need to switch another profile to complain mode.

Have restarted all PC's in our LAN and tried to see whether I could see in Dolphin all PC's under Network and/or Samba. It seems to work. But I think that this is not really a proof. For this I need to clean all the local PC's caches first, right? Is there any way to look into the DNS database? That would make it easier to verify this specific functionality.

> Then get the AppArmor log, which can be:
> - /var/log/audit/audit.log if you have auditd running
> - /var/log/messages if you have a syslog daemon running (grep for "apparmor")

Have transferred this one. Hope it helps.

> - journalctl output, if you don't have one of the above (grep for "apparmor")
>
> Finally attach the log to this bugreport so that I can have a look at it ;-)

Kind Regards,
Jochen
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c4
--- Comment #4 from Christian Boltz
> > aa-complain /etc/apparmor.d/usr.sbin.named
>
> usr.bin.named does not exist

IIRC it is (or was?) part of the bind package. But well, if it's not there, it can't cause the problem ;-)

> Have restarted all PC's in our LAN and tried to see whether I could see in Dolphin all PC's under Network and/or Samba. It seems to work. But I think that this is not really a proof. For this I need to clean all the local PC's caches first, right? Is there any way to look into the DNS database? That would make it easier to verify this specific functionality.

Rebooting should be enough (at least I think so - I don't know the internals of nscd). I even tend to say rebooting all PCs in the LAN was a bit too much ;-)

That said - it looks like a problem with the nscd profile - that's the only profile that had some lines in your log.

The relevant lines from your logfile are:

    .. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/usr/share/samba/codepages/upcase.dat" pid=594 comm="nscd" requested_mask="r" denied_mask="r" fsuid=495 ouid=0
    .. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/usr/share/samba/codepages/lowcase.dat" pid=594 comm="nscd" requested_mask="r" denied_mask="r" fsuid=495 ouid=0
    .. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/samba/dhcp.conf" pid=594 comm="nscd" requested_mask="r" denied_mask="r" fsuid=495 ouid=0

It seems nscd needs to read some samba-related files. Please edit /etc/apparmor.d/usr.sbin.nscd and add

    /usr/share/samba/codepages/upcase.dat r,
    /usr/share/samba/codepages/lowcase.dat r,
    /etc/samba/dhcp.conf r,

Afterwards, switch all profiles into enforce mode (with aa-enforce or YaST) and reload them with "rcapparmor reload" (or reboot).

Does everything still work afterwards? (If not, please attach the fresh log.)

BTW: your log contains lots of

    IPv4: martian source 192.168.0.255 from 192.168.0.20, on dev enp5s12

lines. This indicates a problem with your network config - not related to this bug, but you should check it nevertheless ;-) (ask on the mailinglist or in the forums if you need help to get it fixed)
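Added example, not part of the bug thread or of the AppArmor tools: a short Python sketch of the step comment #4 performs by hand, turning complain-mode log events for one profile into candidate file rules. AppArmor ships aa-logprof for the real job; the function names, the permission ordering and the `/usr/sbin/example` event are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample input: the three complain-mode events and the martian-source line
# quoted in comment #4, plus one CONSTRUCTED event for a hypothetical profile
# (/usr/sbin/example) to show filtering. ".." is the elided timestamp.
SAMPLE_LOG = """\
.. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/usr/share/samba/codepages/upcase.dat" pid=594 comm="nscd" requested_mask="r" denied_mask="r" fsuid=495 ouid=0
.. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/usr/share/samba/codepages/lowcase.dat" pid=594 comm="nscd" requested_mask="r" denied_mask="r" fsuid=495 ouid=0
.. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/samba/dhcp.conf" pid=594 comm="nscd" requested_mask="r" denied_mask="r" fsuid=495 ouid=0
.. apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/example" name="/etc/example.conf" pid=601 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
IPv4: martian source 192.168.0.255 from 192.168.0.20, on dev enp5s12
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"  # output order of permission letters (chosen for this sketch)


def parse_event(line):
    """Return the key=value fields of one AppArmor log line, or None."""
    if "apparmor=" not in line:
        return None  # e.g. the martian-source kernel message
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def suggest_rules(log_text, profile):
    """Candidate file rules for what `profile` was ALLOWED (complain) or DENIED."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        path, mask = ev.get("name", ""), ev.get("denied_mask", "")
        if not path.startswith("/") or not mask or not set(mask) <= set(PERM_ORDER):
            continue  # non-file event, hex-encoded name or unusual mask: review by hand
        masks[path] |= set(mask)  # merge repeated events for the same path
    return [f"{path} {''.join(p for p in PERM_ORDER if p in perms)},"
            for path, perms in sorted(masks.items())]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/sbin/nscd"):
        print(rule)
```

Each suggested rule should be read before it goes into the profile, since a complain-mode log records everything the process touched, not only what it needs.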
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c5
Jochen Herrmann
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c6
--- Comment #6 from Christian Boltz
> have done what you suggested (edit /etc/apparmor.d/usr.sbin.nscd, restart with enforce mode) and now it seems to work - can see in the LAN all PC's and even all Samba clients are displayed in Dolphin.

:-)

Note to myself: abstractions/winbind (which is included in the nscd profile via abstractions/nameservice) seems to be the better place for the additions because it already contains similar rules for samba-related files.

> Btw. The martian invasion could also be stopped. It was caused by a manual ip address that I have once used in the Network Manager (not ifup) to connect to a switch and which I thought got deleted or deactivated when I switched from "Manual" back to "Automatic (DHCP)" mode. But obviously changing the mode only hides manually set ip's, but lets them active.

Sounds interesting[tm] - IMHO you should open a bugreport for NetworkManager ;-)
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c7
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c8
--- Comment #8 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c9
--- Comment #9 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=863226
https://bugzilla.novell.com/show_bug.cgi?id=863226#c10
--- Comment #10 from Bernhard Wiedemann
http://bugzilla.novell.com/show_bug.cgi?id=863226
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
--- Comment #11 from Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
--- Comment #12 from Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=863226
Swamp Workflow Management