Bug ID | 1186711 |
---|---|
Summary | apparmor change breaks dnsmasq dhcp-script execution |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | openSUSE Tumbleweed |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | AppArmor |
Assignee | suse-beta@cboltz.de |
Reporter | michael@actrix.gen.nz |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
I did a zypper dup on a aarch64 Raspberry-Pi to take it from TW release 20210429 to 20210517. After the update+reboot my dhcp-script=/usr/local/sbin/dhcp-script stopped working (configured in /etc/dnsmasq.d/local.conf). Using journalctl I can see the following error: Jun 01 17:37:15 luna9 dnsmasq[27120]: failed to execute /usr/local/sbin/dhcp-script: Permission denied After some investigation of permissions via ls and aa-logprof, I found I could get the script running again by editing /etc/apparmor.d/local/usr.sbin.dnsmasq and adding the following lines: /usr/local/sbin/dhcp-script Uxr, From /var/log/zypp/history I can see that dnsmasq was not updated by the dup, so that makes me suspect that problem is due to an update to apparmor-profiles or related packages. Has anything changed recently in apparmor that could have caused dnsmasq to not be able to execute a script unless it has an entry in /etc/apparmor.d/local/usr.sbin.dnsmasq? (In diagnosing this error I was also puzzled how the script was working in the first place. I found my original script was only accessible by root, but I then noticed dnsmasq parent process is root owned, so presumably the script is being run as root and not as the dnsmasq user.)