• Bug#1103503: isc-dhcp-client: In /etc/apparmor.d/local, sbin.dhclient s

    From Vincent Lefevre@21:1/5 to All on Fri Apr 18 11:20:01 2025
    Package: isc-dhcp-client
    Version: 4.4.3-P1-7
    Severity: wishlist

    In /etc/apparmor.d, sbin.dhclient was renamed to usr.sbin.dhclient,
    so I suppose that the same rename should be done in
    /etc/apparmor.d/local (this is like that for the other files
    in /etc/apparmor.d/local). And in /etc/apparmor.d/usr.sbin.dhclient,

    #include <local/sbin.dhclient>

    should be changed to

    #include <local/usr.sbin.dhclient>

    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable-debug
    APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.22-amd64 (SMP w/16 CPU threads; PREEMPT)
    Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages isc-dhcp-client depends on:
    ii debianutils 5.22
    ii iproute2 6.14.0-3
    ii libc6 2.41-7

    Versions of packages isc-dhcp-client recommends:
    ii isc-dhcp-common 4.4.3-P1-7

    Versions of packages isc-dhcp-client suggests:
    pn avahi-autoipd <none>
    pn isc-dhcp-client-ddns <none>
    pn resolvconf <none>

    -- no debconf information

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Vincent Lefevre@21:1/5 to All on Fri Apr 18 11:40:02 2025
    Control: severity -1 serious

    as this yields a broken configuration if the dhclient files had
    been removed before the upgrade (seen on one of my machines).

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

  • From Vincent Lefevre@21:1/5 to intrigeri on Tue Apr 22 13:10:01 2025
    Hi,

    On 2025-04-22 11:52:24 +0200, intrigeri wrote:
    Vincent Lefevre (2025-04-19):
    On 2025-04-18 13:40:01 +0200, intrigeri wrote:
    What dhclient files have been removed before the upgrade?

    /etc/apparmor.d/sbin.dhclient
    /etc/apparmor.d/local/sbin.dhclient

    How were they removed?

    With "rm".

    OK, then FWIW I don't think severity serious is justified: you've
    manually deleted a file (/etc/apparmor.d/local/sbin.dhclient) created
    by maintainer scripts. I'm not the maintainer so this is just my
    personal opinion.

    I disagree. It is the right of the user to remove configuration files,
    as long as this is done in a consistent way. Packages must be able to
    cope with that (re-adding the main file but not the associated local
    one is not correct).

    Can you please describe how the resulting configuration is broken?

    After the upgrade, I just have

    cventin:~> ll /etc/apparmor.d/**/*dhclient*
    -rw-r--r-- 1 root root 3590 2025-04-04 16:49:15 /etc/apparmor.d/usr.sbin.dhclient

    The one under /etc/apparmor.d/local is absent, though /etc/apparmor.d/usr.sbin.dhclient does

    #include <local/sbin.dhclient>

    I think the maintainers will want to know what's the actual impact
    of this.

    I suppose it makes apparmor.service fail to start?

    No, I don't see any error with apparmor.service (and the documentation
    does not suggest that there would be a fatal error for that).

    Anything else?

    The apparmor.d(5) man page says:

    The leading '#' is optional, and the '#include' keyword can be
    followed by an option conditional 'if exists' that specifies profile
    compilation should continue if the specified file or directory is not
    found.

    So, a missing file without "if exists" would stop the compilation of
    the profile. I don't know what this implies in practice.

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

  • From Alexander Kurtz@21:1/5 to All on Sat May 3 20:40:02 2025
    Control: tags -1 - moreinfo + patch
    Control: severity -1 serious
    Justification: Causes the apparmor service to crash on fresh Trixie installations

    Hi,

    I think this issue is Severity: serious because if the isc-dhcp-client
    is installed on a *fresh* Trixie installation, the /etc/apparmor.d/local/sbin.dhclient file is never created but is still referenced by the /etc/apparmor.d/usr.sbin.dhclient file, which causes
    the apparmor service to crash. This MR should hopefully fix it:

    https://salsa.debian.org/debian/isc-dhcp/-/merge_requests/16

    I have tested this in a fresh VM for both upgrades and fresh
    installations and everything seems to work as expected.

    Best regards

    Alexander Kurtz


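
Added example, not part of the thread or of the isc-dhcp packaging: a shell check that lists profiles whose `#include <...>` target is missing and not guarded by `if exists`, the situation reported for /etc/apparmor.d/usr.sbin.dhclient. The function names and the sample tree are constructed for illustration; it assumes angle-bracket includes resolve relative to the profile directory (/etc/apparmor.d by default) and handles only that form.

```shell
#!/bin/sh
# Added example: report AppArmor include directives whose target file is absent.
# Lines of the form "include if exists <...>" are skipped, because the
# apparmor.d(5) text quoted above says compilation continues for those.

find_dangling_includes() {
    dir=${1:-/etc/apparmor.d}
    for profile in "$dir"/*; do
        [ -f "$profile" ] || continue          # skip local/, abstractions/, ...
        # Extract X from "#include <X>" or "include <X>". An "if exists"
        # directive does not match, since "<" must follow the keyword directly.
        sed -n -E 's/^[[:space:]]*#?include[[:space:]]+<([^>]+)>.*/\1/p' "$profile" |
        while IFS= read -r target; do
            [ -e "$dir/$target" ] ||
                printf '%s: missing %s\n' "${profile##*/}" "$target"
        done
    done
}

# Constructed sample tree mirroring the report: the main profile was renamed
# to usr.sbin.dhclient but still includes local/sbin.dhclient, which is absent.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/local" "$t/abstractions"
    : > "$t/abstractions/base"
    : > "$t/local/usr.sbin.foo"
    printf '%s\n' '#include <abstractions/base>' \
                  '#include <local/sbin.dhclient>' > "$t/usr.sbin.dhclient"
    printf '%s\n' 'include if exists <local/usr.bin.bar>' \
                  'include <local/usr.sbin.foo>' > "$t/usr.sbin.foo"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
find_dangling_includes "$sample"
rm -rf "$sample"
```

On a real system, call `find_dangling_includes` with no argument to check /etc/apparmor.d after a package upgrade.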