Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1055067: isc-dhcp-client: network-manager 1.44.2-3 changed path to nm-dhcp-helper, apparmor need update
280 views
Skip to first unread message
Sven-Haegar Koch
Oct 30, 2023, 1:40:06 PM10/30/23
to
Package: isc-dhcp-client
Version: 4.4.3-P1-4
Severity: normal
Dear Maintainer,
I am using network manager with /etc/NetworkManager/NetworkManager.conf
[main]
dhcp=dhclient
and thus using isc-dhcp-client as my DHCP client.
With the update of network-manager 1.44.2-3 the nm-dhcp-helper moved
from /usr/lib/NetworkManager/ to /usr/libexec/.
Without a fix to /etc/apparmor.d/sbin.dhclient the system now fails to
activate interfaces using DHCP, logging
audit: type=1400 audit(1698680734.539:50): apparmor="DENIED" operation="exec" class="file" profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper" pid=7523 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
The following diff fixes it for me - just duplicating the existing
rules to the new path:
diff --git a/etc/apparmor.d/sbin.dhclient b/etc/apparmor.d/sbin.dhclient
index 1acc6b92..b219d688 100644
--- a/etc/apparmor.d/sbin.dhclient
+++ b/etc/apparmor.d/sbin.dhclient
@@ -69,6 +69,8 @@
# Support the new executable helper from NetworkManager.
/usr/lib/NetworkManager/nm-dhcp-helper Pxrm,
signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
+ /usr/libexec/nm-dhcp-helper Pxrm,
+ signal (receive) peer=/usr/libexec/nm-dhcp-helper,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.dhclient>
@@ -101,6 +103,21 @@
network inet6 dgram,
}
+/usr/libexec/nm-dhcp-helper {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+ /usr/libexec/nm-dhcp-helper mr,
+
+ /run/NetworkManager/private-dhcp rw,
+ signal (send) peer=/sbin/dhclient,
+
+ /var/lib/NetworkManager/*lease r,
+ signal (receive) peer=/usr/sbin/NetworkManager,
+ ptrace (readby) peer=/usr/sbin/NetworkManager,
+ network inet dgram,
+ network inet6 dgram,
+}
+
/usr/lib/connman/scripts/dhclient-script {
#include <abstractions/base>
#include <abstractions/dbus>
Greetings,
Sven
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages isc-dhcp-client depends on:
ii debianutils 5.14
ii iproute2 6.5.0-5
ii libc6 2.37-12
Versions of packages isc-dhcp-client recommends:
ii isc-dhcp-common 4.4.3-P1-4
Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn isc-dhcp-client-ddns <none>
ii resolvconf 1.91+nmu1
-- Configuration Files:
/etc/apparmor.d/sbin.dhclient changed [not included]
/etc/dhcp/dhclient.conf changed [not included]
-- no debconf information
Version: 4.4.3-P1-4
Severity: normal
Dear Maintainer,
I am using network manager with /etc/NetworkManager/NetworkManager.conf
[main]
dhcp=dhclient
and thus using isc-dhcp-client as my DHCP client.
With the update of network-manager 1.44.2-3 the nm-dhcp-helper moved
from /usr/lib/NetworkManager/ to /usr/libexec/.
Without a fix to /etc/apparmor.d/sbin.dhclient the system now fails to
activate interfaces using DHCP, logging
audit: type=1400 audit(1698680734.539:50): apparmor="DENIED" operation="exec" class="file" profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper" pid=7523 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
The following diff fixes it for me - just duplicating the existing
rules to the new path:
diff --git a/etc/apparmor.d/sbin.dhclient b/etc/apparmor.d/sbin.dhclient
index 1acc6b92..b219d688 100644
--- a/etc/apparmor.d/sbin.dhclient
+++ b/etc/apparmor.d/sbin.dhclient
@@ -69,6 +69,8 @@
# Support the new executable helper from NetworkManager.
/usr/lib/NetworkManager/nm-dhcp-helper Pxrm,
signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
+ /usr/libexec/nm-dhcp-helper Pxrm,
+ signal (receive) peer=/usr/libexec/nm-dhcp-helper,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.dhclient>
@@ -101,6 +103,21 @@
network inet6 dgram,
}
+/usr/libexec/nm-dhcp-helper {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+ /usr/libexec/nm-dhcp-helper mr,
+
+ /run/NetworkManager/private-dhcp rw,
+ signal (send) peer=/sbin/dhclient,
+
+ /var/lib/NetworkManager/*lease r,
+ signal (receive) peer=/usr/sbin/NetworkManager,
+ ptrace (readby) peer=/usr/sbin/NetworkManager,
+ network inet dgram,
+ network inet6 dgram,
+}
+
/usr/lib/connman/scripts/dhclient-script {
#include <abstractions/base>
#include <abstractions/dbus>
Greetings,
Sven
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages isc-dhcp-client depends on:
ii debianutils 5.14
ii iproute2 6.5.0-5
ii libc6 2.37-12
Versions of packages isc-dhcp-client recommends:
ii isc-dhcp-common 4.4.3-P1-4
Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn isc-dhcp-client-ddns <none>
ii resolvconf 1.91+nmu1
-- Configuration Files:
/etc/apparmor.d/sbin.dhclient changed [not included]
/etc/dhcp/dhclient.conf changed [not included]
-- no debconf information
Jan Larres
Nov 19, 2023, 10:40:06 PM11/19/23
to
Package: isc-dhcp-client
Version: 4.4.3-P1-4
Followup-For: Bug #1055067
Version: 4.4.3-P1-4
Followup-For: Bug #1055067
I can confirm this, after a recent upgrade I lost network
connectivity and it took some digging to determine the cause.
Using dhclient with NetworkManager is probably not uncommon
(especially since it's NetworkManager's default behaviour if
dhclient is installed), so this should probably be fixed soon so
that other people don't suddenly lose their network as well.
Cheers,
Jan
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (102, 'experimental')
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (102, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Kernel taint flags: TAINT_WARN
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages isc-dhcp-client depends on:
ii debianutils 5.14
ii iproute2 6.6.0-1
ii libc6 2.37-12
Versions of packages isc-dhcp-client recommends:
ii isc-dhcp-common 4.4.3-P1-4
Versions of packages isc-dhcp-client suggests:
ii avahi-autoipd 0.8-13
pn isc-dhcp-client-ddns
ii systemd-resolved [resolvconf] 255~rc2-2
pn isc-dhcp-client-ddns
ii systemd-resolved [resolvconf] 255~rc2-2
-- Configuration Files:
/etc/apparmor.d/sbin.dhclient changed [not included]
-- no debconf information
Vincent Lefevre
Nov 22, 2023, 2:30:05 PM11/22/23
to
On 2023-11-22 17:33:34 +0100, Eric Valette wrote:
> Is is allowed to put a versioned break on a non existing version? Result is
> that I cannot upgrade as I still need dhcp.
In any case, if you upgrade network-manager, this will not work
with the current isc-dhcp-client.
--
Vincent Lefèvre <vin...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
> Is is allowed to put a versioned break on a non existing version? Result is
> that I cannot upgrade as I still need dhcp.
In any case, if you upgrade network-manager, this will not work
with the current isc-dhcp-client.
--
Vincent Lefèvre <vin...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
0 new messages