• Bug#1103503: isc-dhcp-client: In /etc/apparmor.d/local, sbin.dhclient s

    From intrigeri@21:1/5 to All on Fri Apr 18 13:50:01 2025
    Control: tag -1 + moreinfo

    Hi,

    At first glance, given how dh_apparmor manages the snippets in
    /etc/apparmor.d/local, it may not be trivial to rename the
    /etc/apparmor.d/local/sbin.dhclient file, so I agree with the initial
    wishlist severity.

    However if the inconsistency indeed causes RC-buggy behavior,
    maybe it's worth doing:

    Vincent Lefevre (2025-04-18):
    > as this yields a broken configuration if the dhclient files had
    > been removed before the upgrade (seen on one of my machines).

    I suspect the maintainers will need more info here, such as:

    What dhclient files have been removed before the upgrade?

    How were they removed?

    Can you please describe how the resulting configuration is broken?

    Cheers,
    --
    intrigeri

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Vincent Lefevre@21:1/5 to intrigeri on Sat Apr 19 02:00:01 2025
    On 2025-04-18 13:40:01 +0200, intrigeri wrote:
    > What dhclient files have been removed before the upgrade?

    /etc/apparmor.d/sbin.dhclient
    /etc/apparmor.d/local/sbin.dhclient

    > How were they removed?

    With "rm".

    > Can you please describe how the resulting configuration is broken?

    After the upgrade, I just have

    cventin:~> ll /etc/apparmor.d/**/*dhclient*
    -rw-r--r-- 1 root root 3590 2025-04-04 16:49:15 /etc/apparmor.d/usr.sbin.dhclient

    The one under /etc/apparmor.d/local is absent, though /etc/apparmor.d/usr.sbin.dhclient does

    #include <local/sbin.dhclient>

    (without 'if exists').

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

  • From intrigeri@21:1/5 to All on Tue Apr 22 12:00:01 2025
    Hi,

    Vincent Lefevre (2025-04-19):
    > On 2025-04-18 13:40:01 +0200, intrigeri wrote:
    >> What dhclient files have been removed before the upgrade?

    > /etc/apparmor.d/sbin.dhclient
    > /etc/apparmor.d/local/sbin.dhclient

    >> How were they removed?

    > With "rm".

    OK, then FWIW I don't think severity serious is justified: you've
    manually deleted a file (/etc/apparmor.d/local/sbin.dhclient) created
    by maintainer scripts. I'm not the maintainer so this is just my
    personal opinion.

    >> Can you please describe how the resulting configuration is broken?

    > After the upgrade, I just have

    > cventin:~> ll /etc/apparmor.d/**/*dhclient*
    > -rw-r--r-- 1 root root 3590 2025-04-04 16:49:15 /etc/apparmor.d/usr.sbin.dhclient

    > The one under /etc/apparmor.d/local is absent, though /etc/apparmor.d/usr.sbin.dhclient does

    > #include <local/sbin.dhclient>

    I think the maintainers will want to know what's the actual impact
    of this.

    I suppose it makes apparmor.service fail to start?
    Anything else?

    > (without 'if exists').

    Indeed, using "if exists" would help here.

    Cheers,
    --
    intrigeri

  • From Chris Hofstaedtler@21:1/5 to All on Mon Apr 28 08:50:01 2025
    Control: severity -1 normal

    The file was renamed back in 4.4.3-P1-7. Lowering severity, as
    supposedly the situation caused by the rename should only affect
    unstable users.

    Chris

  • From Vincent Lefevre@21:1/5 to Vincent Lefevre on Fri May 9 12:30:01 2025
    On 2025-04-22 13:01:02 +0200, Vincent Lefevre wrote:
    >> I suppose it makes apparmor.service fail to start?

    > No, I don't see any error with apparmor.service (and the documentation
    > does not suggest that there would be a fatal error for that).

    It actually fails to start (I had forgotten to restart the apparmor
    service or might have looked at the logs on another machine). Here's
    the error I can see in the journalctl output:

    May 09 12:13:00 cventin apparmor.systemd[872]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.sbin.dhclient at line 76: Could not open 'local/sbin.dhclient'
    May 09 12:13:01 cventin apparmor.systemd[736]: Error: At least one profile failed to load
    May 09 12:13:01 cventin systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
    May 09 12:13:01 cventin systemd[1]: apparmor.service: Failed with result 'exit-code'.
    May 09 12:13:01 cventin systemd[1]: Failed to start apparmor.service - Load AppArmor profiles.
    May 09 12:13:01 cventin systemd[1]: apparmor.service: Consumed 1.495s CPU time, 47.8M memory peak.

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

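
The failure reported in this thread, an unconditional `#include <local/sbin.dhclient>` whose target no longer exists, can be looked for across every profile in a directory before apparmor.service is restarted. The script below is an added example, not part of the original messages or of any Debian package; the function name `find_broken_includes` is hypothetical, and it assumes `<...>` includes resolve against the profile directory itself (the default /etc/apparmor.d).

```shell
#!/bin/sh
# Added example: report AppArmor includes that lack "if exists" and whose
# target is missing, the situation that makes the parser stop with
# "Could not open 'local/...'" in the journal excerpt above.
# Only the <path> form is handled, resolved relative to DIR (assumption).

# find_broken_includes [DIR]
# Prints "profile:line:target" for each unconditional include with a
# missing target. Returns 1 if any were found, 0 otherwise.
find_broken_includes() {
    dir=${1:-/etc/apparmor.d}
    found=0
    for profile in "$dir"/*; do
        # Top-level regular files only; subdirectories hold snippets.
        [ -f "$profile" ] || continue
        # Emit "<line number> <target>" for unconditional includes.
        hits=$(awk '
            # "include if exists <...>" tolerates a missing file: skip it.
            /^[ \t]*#?include[ \t]+if[ \t]+exists/ { next }
            /^[ \t]*#?include[ \t]*</ {
                t = $0
                sub(/^[^<]*</, "", t)   # drop everything up to "<"
                sub(/>.*$/, "", t)      # drop ">" and anything after it
                print FNR " " t
            }' "$profile")
        [ -n "$hits" ] || continue
        # A here-document keeps the loop in the current shell, so "found"
        # is still set after the loop ends.
        while read -r lineno target; do
            if [ ! -e "$dir/$target" ]; then
                printf '%s:%s:%s\n' "$profile" "$lineno" "$target"
                found=1
            fi
        done <<EOF
$hits
EOF
    done
    return "$found"
}
```

Source the file and call `find_broken_includes` with no argument to check /etc/apparmor.d; a non-zero return means at least one profile would fail to load for this reason.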