Bug ID 1186711
Summary apparmor change breaks dnsmasq dhcp-script execution
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component AppArmor
Assignee suse-beta@cboltz.de
Reporter michael@actrix.gen.nz
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

I did a zypper dup on an aarch64 Raspberry-Pi to take it from TW release
20210429 to 20210517.  After the update+reboot my
dhcp-script=/usr/local/sbin/dhcp-script stopped working (configured in
/etc/dnsmasq.d/local.conf).  Using journalctl I can see the following error:

    Jun 01 17:37:15 luna9 dnsmasq[27120]: failed to execute /usr/local/sbin/dhcp-script: Permission denied

After some investigation of permissions via ls and aa-logprof, I found I could
get the script running again by editing /etc/apparmor.d/local/usr.sbin.dnsmasq
and adding the following lines:

     /usr/local/sbin/dhcp-script Uxr,

From /var/log/zypp/history I can see that dnsmasq was not updated by the dup,
so that makes me suspect that the problem is due to an update to apparmor-profiles
or related packages.

Has anything changed recently in apparmor that could have caused dnsmasq to not
be able to execute a script unless it has an entry in
/etc/apparmor.d/local/usr.sbin.dnsmasq?

(In diagnosing this error I was also puzzled how the script was working in the
first place. I found my original script was only accessible by root, but I then
noticed dnsmasq parent process is root owned, so presumably the script is being
run as root and not as the dnsmasq user.)
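
An added example, not part of the original report: one way to confirm from the audit log which exec requests AppArmor denied for a profile, and as which user, before writing a rule into the local include. It assumes the standard `key="value"` AppArmor audit record format and a profile named `dnsmasq`; the log lines are constructed samples, and `denied_execs` and `local_rule` are hypothetical helper names.

```python
import re

# Constructed sample audit records (not taken from the report). The last one
# carries a hex-encoded name, which the audit subsystem emits for paths that
# contain spaces or other special characters.
SAMPLE_LOG = """\
type=AVC msg=audit(1622525835.101:311): apparmor="DENIED" operation="exec" profile="dnsmasq" name="/usr/local/sbin/dhcp-script" pid=27120 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1622525836.440:312): apparmor="DENIED" operation="open" profile="dnsmasq" name="/etc/dnsmasq.d/extra.conf" pid=27120 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1622525840.007:313): apparmor="ALLOWED" operation="exec" profile="dnsmasq" name="/usr/bin/true" pid=27120 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1622525841.250:314): apparmor="DENIED" operation="exec" profile="dnsmasq" name=2F6F70742F6D7920686F6F6B pid=27120 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_NAME = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_fields(line):
    """Split one audit record into a dict, decoding a hex-encoded name."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if quoted or not bare:
            fields[key] = quoted
        elif key == "name" and HEX_NAME.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def denied_execs(log, profile):
    """Return (path, fsuid) for every exec the given profile was denied."""
    hits = []
    for line in log.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
                and f.get("profile") == profile):
            hits.append((f["name"], int(f.get("fsuid", -1))))
    return hits


def local_rule(path, mode):
    """Format a rule for the local include; paths with spaces are quoted."""
    target = f'"{path}"' if re.search(r"\s", path) else path
    return f"{target} {mode},"


if __name__ == "__main__":
    for path, fsuid in denied_execs(SAMPLE_LOG, "dnsmasq"):
        # fsuid=0 means the denied exec was attempted as root.
        print(f"fsuid={fsuid}  {local_rule(path, 'Uxr')}")
```

An `fsuid=0` on the denied exec record shows the script is launched as root, and a `Ux` mode then runs it without any AppArmor confinement.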

