http://bugzilla.opensuse.org/show_bug.cgi?id=1186711 Bug ID: 1186711 Summary: apparmor change breaks dnsmasq dhcp-script execution Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor Assignee: suse-beta@cboltz.de Reporter: michael@actrix.gen.nz QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- I did a zypper dup on a aarch64 Raspberry-Pi to take it from TW release 20210429 to 20210517. After the update+reboot my dhcp-script=/usr/local/sbin/dhcp-script stopped working (configured in /etc/dnsmasq.d/local.conf). Using journalctl I can see the following error: Jun 01 17:37:15 luna9 dnsmasq[27120]: failed to execute /usr/local/sbin/dhcp-script: Permission denied After some investigation of permissions via ls and aa-logprof, I found I could get the script running again by editing /etc/apparmor.d/local/usr.sbin.dnsmasq and adding the following lines: /usr/local/sbin/dhcp-script Uxr, From /var/log/zypp/history I can see that dnsmasq was not updated by the dup, so that makes me suspect that problem is due to an update to apparmor-profiles or related packages. Has anything changed recently in apparmor that could have caused dnsmasq to not be able to execute a script unless it has an entry in /etc/apparmor.d/local/usr.sbin.dnsmasq? (In diagnosing this error I was also puzzled how the script was working in the first place. I found my original script was only accessible by root, but I then noticed dnsmasq parent process is root owned, so presumably the script is being run as root and not as the dnsmasq user.) -- You are receiving this mail because: You are on the CC list for the bug.