Package: isc-dhcp-client
Version: 4.4.3-P1-7
Severity: wishlist

In /etc/apparmor.d, sbin.dhclient was renamed to usr.sbin.dhclient,
so I suppose that the same rename should be done in
/etc/apparmor.d/local (this is like that for the other files
in /etc/apparmor.d/local). And in /etc/apparmor.d/usr.sbin.dhclient,

#include <local/sbin.dhclient>

should be changed to

#include <local/usr.sbin.dhclient>

-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.22-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii debianutils 5.22
ii iproute2 6.14.0-3
ii libc6 2.41-7

Versions of packages isc-dhcp-client recommends:
ii isc-dhcp-common 4.4.3-P1-7

Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn isc-dhcp-client-ddns <none>
pn resolvconf <none>

-- no debconf information

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Control: severity -1 serious

as this yields a broken configuration if the dhclient files had
been removed before the upgrade (seen on one of my machines).

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 2025-04-22 11:52:24 +0200, intrigeri wrote:

Vincent Lefevre (2025-04-19):

On 2025-04-18 13:40:01 +0200, intrigeri wrote:

What dhclient files have been removed before the upgrade?

/etc/apparmor.d/sbin.dhclient
/etc/apparmor.d/local/sbin.dhclient

How were they removed?

With "rm".

OK, then FWIW I don't think severity serious is justified: you've
manually deleted a file (/etc/apparmor.d/local/sbin.dhclient) created
by maintainer scripts. I'm not the maintainer so this is just my
personal opinion.

I disagree. It is the right of the user to remove configuration files,
as long as this is done in a consistent way. Packages must be able to
cope with that (re-adding the main file but not the associated local
one is not correct).

Can you please describe how the resulting configuration is broken?

After the upgrade, I just have

cventin:~> ll /etc/apparmor.d/**/*dhclient*
-rw-r--r-- 1 root root 3590 2025-04-04 16:49:15 /etc/apparmor.d/usr.sbin.dhclient

The one under /etc/apparmor.d/local is absent, though /etc/apparmor.d/usr.sbin.dhclient does

#include <local/sbin.dhclient>

I think the maintainers will want to know what's the actual impact
of this.

I suppose it makes apparmor.service fail to start?

No, I don't see any error with apparmor.service (and the documentation
does not suggest that there would be a fatal error for that).

Anything else?

The apparmor.d(5) man page says:

The leading '#' is optional, and the '#include' keyword can be
followed by an option conditional 'if exists' that specifies profile
compilation should continue if the specified file or directory is not
found.

So, a missing file without "if exists" would stop the compilation of
the profile. I don't know what this implies in practice.

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Control: tags -1 - moreinfo + patch
Control: severity -1 serious
Justification: Causes the apparmor service to crash on fresh Trixie installations

Hi,

I think this issue is Severity: serious because if the isc-dhcp-client
is installed on a *fresh* Trixie installation, the /etc/apparmor.d/local/sbin.dhclient file is never created but is still referenced by the /etc/apparmor.d/usr.sbin.dhclient file, which causes
the apparmor service to crash. This MR should hopefully fix it:

https://salsa.debian.org/debian/isc-dhcp/-/merge_requests/16

I have tested this in a fresh VM for both upgrades and fresh
installations and everything seems to work as expected.

Best regards

Alexander Kurtz

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+DNlMSKIDZ1tz4e4KZScQvp1/pEFAmgWXewACgkQKZScQvp1 /pF/Wg//UHacitlf5JV+ncHQxd3ErKWsgBseG2eM53uu84pO+4Gjwd+55Iwp6LoQ CeDt6Yolf2C4TXK80JCe7ZuYTJ7rtdsNoaYQ8JTWsgsHVFQhHEX8rD+XFhO/uDRK HByHRZ35hapDFK8FE2fTjeAQN7wc8VBLY9rNrNJrk0Hp+0aFO0jRh5o0aYq2RRUK Fe7f3b/GKe1dRlQ8Y9DqnFfQV1sGow/Rhj7bV+syBJwUUHxKgKWTpXwO4DUgwlbJ 3qke5dX1oq36AETEuK+kMIZiUwyJYwdCkYqXlJAonbZmvfvpVSUn0aaY9RNxPKum rPmPV4GBNj2euHjfrlZsz7JX/GxnJZODrUKPVXtTz2VyeH/ye8lir3nIC7GiyHta v+YSwaLvv1B459YFZ3G5v77KRl2aaMkmQ/gHHFYT/asfR0091xS1Nsp7zIAinCJi nE3x9c0Fv46vQQQ3qGqdim9htaBm1lwLMTaHKph/7s3RPxkLXqN/5aqxx8eXFl21 1nuGWpXq/TArZbmErUBGJ1CoUnD9yVxijns6FcVgzP/S7LeFJJjx49l9j7UlOBqA 6bXHv8w+RBV4f320a64YlHLo2SpvX3CS7M/oRqOp5obb3KxvvzsIEmktHeD6GOU8 mEhAjTyNSt0MuauNFnuh180wjt5TUnoH8cKLFe+mAwH5XXHUhcM=
=uAPw
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)