https://bugzilla.novell.com/show_bug.cgi?id=692428
https://bugzilla.novell.com/show_bug.cgi?id=692428#c0
Summary: AppArmor usr.sbin.dhcpd needs modification (one
solution supplied)
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: suseforum@roocomputing.co.uk
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Opera/9.80 (X11; Linux x86_64; U; en-GB) Presto/2.8.131
Version/11.10
FYI
** I was getting multiple dhcpd errors.
I copied:
/etc/apparmor/profiles/extras/usr.sbin.dhcpd
to
/etc/apparmor.d/
because it was missing
then changed it as follows:
OLD --> NEW
--- /etc/apparmor/profiles/extras/usr.sbin.dhcpd 2011-02-23
11:49:51.000000000 +0000
+++ /etc/apparmor.d/usr.sbin.dhcpd 2011-05-07 09:54:30.000000000 +0100
@@ -1,33 +1,39 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include
/usr/sbin/dhcpd {
#include
#include
capability dac_override,
capability net_bind_service,
capability net_raw,
capability setgid,
capability setuid,
capability sys_chroot,
+ network inet raw,
+ network packet raw,
+
/db/dhcpd.leases* lrw,
/etc/dhcpd.conf r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/usr/sbin/dhcpd rmix,
- /var/lib/dhcp/dhcpd.leases* rwl,
+ /var/lib/dhcp/db/dhcpd.leases* rwl,
/var/lib/dhcp/etc/dhcpd.conf r,
/var/run/dhcpd.pid wl,
+ /etc/named.d/*tsig r,
+
+ @{PROC}/[0-9]*/net/dev r,
}
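Review bot: The `/etc/named.d/*tsig r,` rule added near the end of the profile body is tied to one site's key naming (the denial reported below is for `roo_tsig`), so it should not go into the shipped profile as written; move it to a site-local include or match it to the file names that the YaST TSIG key dialog actually generates. The lease rule is changed by replacing `/var/lib/dhcp/dhcpd.leases* rwl,` with the `/var/lib/dhcp/db/` path rather than adding it, which drops access for any setup that still keeps leases at the old location; keeping both lines is the safer change. The `/var/run/dhcpd.pid wl,` line is unchanged context, so no added rule visible here accounts for the reported PID file denial, and the report should say what resolved it. A short comment above `network inet raw,` and `network packet raw,` naming the denial each one answers (ICMP socket, LPF socket) would make the additions easier to audit later.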
Hope this helps.
Reproducible: Always
Steps to Reproduce:
1. Use /etc/apparmor/profiles/extras/usr.sbin.dhcpd supplied with 11.4
2. rcapparmor restart
3. rcdhcpd restart
4. tail /var/log/audit/audit.log
5. tail /var/log/messages
Actual Results:
**Note these errors were incrementally displayed over a number of iterations as
I went through the dhcpd config and fixed each error in turn ***
dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
dhcpd: Can't open /etc/named.d//roo_tsig: Permission denied
dhcpd: unable to create icmp socket: Permission denied
dhcpd: Can't open lease database /var/lib/dhcp/db/dhcpd.leases: Permission
denied --
dhcpd: Error opening '/proc/net/dev' to list interfaces
dhcpd: Can't get list of interfaces.
dhcpd: Open a socket for LPF: Permission denied
Expected Results:
No errors in /var/log/messages
Note that the
/etc/named.d/*tsig r,
line is from my personal dhcpd <--> named setup so a generic solution would
have to be tied back to the key generating activity in YAST:
YAST > Network Services > DNS Server > TSIG Keys