dhcpd: Open a socket for LPF: Permission denied

Bug #1107686 reported by vlotho
This bug affects 15 people
Affects              Status         Importance   Assigned to   Milestone
dhcp3 (Ubuntu)       Invalid        Undecided    Unassigned
isc-dhcp (Ubuntu)    Fix Released   Undecided    Unassigned

Bug Description

gilles@gilles-PC:~$ apt-cache policy isc-dhcp-server
isc-dhcp-server:
  Installé : 4.2.4-4ubuntu1
  Candidat : 4.2.4-4ubuntu1
 Table de version :
 *** 4.2.4-4ubuntu1 0
        500 http://fr.archive.ubuntu.com/ubuntu/ raring/main amd64 Packages
        100 /var/lib/dpkg/status
gilles@gilles-PC:~$ lsb_release -rd
Description: Ubuntu Raring Ringtail (development branch)
Release: 13.04

The daemon doesn't start.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: isc-dhcp-server 4.2.4-4ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-2.6-generic 3.8.0-rc4
Uname: Linux 3.8.0-2-generic x86_64
ApportVersion: 2.8-0ubuntu2
Architecture: amd64
Date: Mon Jan 28 10:14:39 2013
DhServerLeases:

InstallationDate: Installed on 2013-01-12 (15 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130112)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: isc-dhcp
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.dhcp.dhcpd.conf: 2013-01-27T15:52:08.331356

vlotho (gdalmas) wrote :
Stéphane Graber (stgraber) wrote :

Can you try editing /etc/apparmor.d/usr.sbin.dhcpd and add:
"network packet raw,"

Below the current: "network packet packet,"

Then do: /etc/init.d/apparmor reload

And see if it now works as expected (successful start and no more apparmor DENIED in dmesg).

If this works, I'll include the profile change in the next upload.

John Johansen (jjohansen) wrote :

The apparmor rule for af family packet needs to be changed, or a new rule needs to be added
  network packet packet,

the denials in the log
Jan 27 16:30:17 gilles-PC kernel: [ 5019.663392] type=1400 audit(1359300617.371:40): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/dhcpd" pid=19585 comm="dhcpd" family="packet" sock_type="raw" protocol=768

show that raw sockets of the packet family need to be allowed, this can be done with any of the following, listed from most specific to most generic

  network packet raw,
  network packet,
  network,
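
Added example (not part of the comment above or of the Ubuntu package): a Python check that parses the quoted denial and tests whether a profile's network rules cover it, recognising only the three rule forms listed in the comment. The profile fragment is constructed and the function names are hypothetical.

```python
import re

# The denial quoted in the comment above, embedded as sample input.
DENIAL = (
    'Jan 27 16:30:17 gilles-PC kernel: [ 5019.663392] type=1400 '
    'audit(1359300617.371:40): apparmor="DENIED" operation="create" parent=1 '
    'profile="/usr/sbin/dhcpd" pid=19585 comm="dhcpd" family="packet" '
    'sock_type="raw" protocol=768'
)
# Constructed profile fragment: only the rule the thread says was present.
PROFILE_BEFORE = "/usr/sbin/dhcpd {\n  network packet packet,\n}\n"

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Simplification: only the allow forms listed in the comment are recognised
# (network, / network <family>, / network <family> <type>,).
RULE = re.compile(r'^\s*network(?:\s+(\w+))?(?:\s+(\w+))?\s*,\s*(?:#.*)?$')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def network_rules(profile_text):
    """Yield (family, sock_type) per network rule; None means 'any'."""
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m:
            yield m.group(1), m.group(2)


def covered(profile_text, denial):
    """True if some network rule permits the denied family and socket type."""
    return any(
        fam in (None, denial["family"]) and typ in (None, denial["sock_type"])
        for fam, typ in network_rules(profile_text)
    )


def suggest_rule(denial):
    """Most specific rule that would allow the denied socket."""
    return "network {} {},".format(denial["family"], denial["sock_type"])


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    if not covered(PROFILE_BEFORE, d):
        print("profile", d["profile"], "needs:", suggest_rule(d))
```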

Ivan Borzenkov (ivan1986) wrote :

Works with
network packet raw
I think it's a typo

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed
vlotho (gdalmas) wrote :

it's good, it works.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-5ubuntu1

---------------
isc-dhcp (4.2.4-5ubuntu1) raring; urgency=low

  * Merge from Debian, remaining changes:
    - Apparmor profiles for dhclient and dhcpd.
    - Upstart jobs for isc-dhcp-server, isc-dhcp-server6, isc-dhcp-relay and
      isc-dhcp-relay6. (LP: #944849)
    - Separate default file for isc-dhcp-relay6. (LP: #944849)
    - Apport hook for isc-dhcp-client and isc-dhcp-server.
    - dhclient.conf: Set for IPv6 (dhcp6.*) (LP: #770324)
    - If /etc/ltsp/dhcpd.conf exists, use that instead of /etc/dhcp/dhcpd.conf
    - Drop isc-dhcp-server/new_auth_behavior question from high to medium
    - Create user/group dhcpd (LP: #727837)
    - Create /etc/dhcp/ddns-keys/ for DDNS updates (LP: #341817)
    - Build with extra hardening and use --enable-paranoia to run dhcpd as user
      (LP: #727837)
    - Add IPv6 support to dhclient-script.linux.udeb
    - Wait for /etc/resolv.conf to be writable in dhclient-script.linux.
      (LP: #856984)
    - Sanitize environment in dhclient-script.linux. (LP: #1045986)
    - Don't call 'ip addr flush' as it breaks IPv6 networking. (LP: #1023174)
    - debian/apparmor-profile.dhclient: update to add the new paths used by
      NetworkManager for its conf and leases files; standardized under
      /var/lib/NetworkManager.
    - Remaining Ubuntu patches:
      + dhclient-fix-backoff
      + dhclient-more-debug (LP: #35265)
      + dhclient-safer-timeout (LP: #838968)
      + dhcpd.conf-subnet-examples (LP: #26661)
      + multi-ip-addr-per-if (LP: #717166)
      + onetry_retry_after_initial_success (LP: #974284)
      + revert-next-server
    - Dropped Ubuntu patches:
      + dhclient-onetry-call-clientscript (now in Debian)

  * Add InfiniBand support patches from RedHat.
  * Update dhcpd apparmor profile for LPF. (LP: #1107686)

isc-dhcp (4.2.4-5) unstable; urgency=medium

  * Handle dhclient.conf left behind during a prior lenny->squeeze upgrade,
    upgrade it now to avoid an unnecessary conffile prompt (closes: #698582).
    - Thanks to Gregor Herrmann for the patch.
  * Also, do not copy dhclient.conf from /etc/dhcp3 anymore (closes: #700363).
 -- Stephane Graber <email address hidden> Tue, 26 Feb 2013 17:07:05 -0500

Changed in isc-dhcp (Ubuntu):
status: Confirmed → Fix Released
intronauta (intronauta77) wrote :

After the last update to "isc-dhcp-server 4.2.4-1ubuntu10.2", my dhcpd stopped working and I had for the first time the "Open a socket for LPF: Permission denied" error. I applied the workaround proposed in #2 and dhcpd is working again:

>> adding "network packet raw" to /etc/apparmor.d/usr.sbin.dhcpd
>> sudo /etc/init.d/apparmor reload

##################

intronauta@Inspiron-N5010:~$ apt-cache policy isc-dhcp-server
isc-dhcp-server:
  Installed: 4.2.4-1ubuntu10.2
  Candidate: 4.2.4-1ubuntu10.2
  Version table:
 *** 4.2.4-1ubuntu10.2 0
        500 http://archive.ubuntu.com/ubuntu/ quantal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.2.4-1ubuntu10.1 0
        500 http://archive.ubuntu.com/ubuntu/ quantal-updates/main amd64 Packages
     4.2.4-1ubuntu10 0
        500 http://archive.ubuntu.com/ubuntu/ quantal/main amd64 Packages
intronauta@Inspiron-N5010:~$ lsb_release -rd
Description: Ubuntu 12.10
Release: 12.10

Jay R. Wren (evarlast) wrote :

I second the issue with 4.2.4-1ubuntu10.2 as reported by @intronauta

4.2.4-1ubuntu10.2 seems to revert the previous fix.

Ricardo de Barros (stealthymarine) wrote :

I also experience this after upgrading the isc-dhcp-server

Apr 23 11:59:04 host328 dhcpd: Open a socket for LPF: Permission denied

Ricardo de Barros (stealthymarine) wrote :

The fix in #2 also worked for me:
Apr 23 12:03:52 host328 dhcpd: DHCPDISCOVER from b4:07:f9:07:5f:b9 via wlan0
Apr 23 12:03:53 host328 dhcpd: DHCPOFFER on 10.254.254.4 to b4:07:f9:07:5f:b9 (smart) via wlan0
Apr 23 12:03:53 host328 dhcpd: DHCPREQUEST for 10.254.254.4 (10.254.254.1) from b4:07:f9:07:5f:b9 (smart) via wlan0
Apr 23 12:03:53 host328 dhcpd: DHCPACK on 10.254.254.4 to b4:07:f9:07:5f:b9 (smart) via wlan0

Jonathan Sambrook (jonathan-hmmn) wrote :

Same experience as Ricardo here (i.e same problem, and the work around works fine).

Luk van den Borne (luk-vandenborne) wrote :

Same problem here. Workaround works.

Michael Milne (mmilne68) wrote :

I had the same issue last night and after rechecking I found an update to isc-dhcp-server. This update fixed the error and all clients got addresses. This morning (8 hours later) the issue is back. I've checked the apparmor profile and the change is in, like the suggestion in the fix. When I try to start isc-dhcp-server I am getting the same error as before:
Apr 25 14:40:01 Server kernel: [13779.484237] type=1400 audit(1366857601.345:63): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/dhcpd" pid=4896 comm="dhcpd" family="packet" sock_type="raw" protocol=768
The only thing is I restarted the server last night before going to bed.

Any ideas?

Robert E Blair (reblair) wrote :

This issue is not resolved. I too have the problem above. There are a couple of issues related. I see the same behavior as Michael. The system can run fine but a reboot seems to cause this to crop up. I notice that if you do an aa-complain you can coax the server to come back but there is a funny timing problem that you need to wait a considerable time before the last start attempt or it will fail to start even then. One possible factor is that this (and maybe many other) system is used as a dhcp server and my desktop when logged in. It has a fixed address and I have removed network manager because I don't want NM to fuss with the networking, it should remain on and up always.

affects: dhcp3 (Ubuntu) → zentyal
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Patricio Carreño Mancilla (patriciologico) wrote :

Ubuntu 10.04

affects: zentyal → dhcp3 (Ubuntu)
Changed in dhcp3 (Ubuntu):
status: New → Confirmed
tags: added: lucid
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dhcp3 (Ubuntu):
status: New → Confirmed
dino99 (9d9) wrote :

This version has expired a while ago

Changed in dhcp3 (Ubuntu):
status: Confirmed → Invalid