[Kea-users] AppArmor violation using Kea on Debian 12

Michael De Roover isc at nixmagic.com
Mon Oct 21 17:42:26 UTC 2024


Hello everyone,

Recently I tried to set up Kea for DHCP4 on a small Hyper-V internal network using Debian 
12 on my guest. The network range is 192.168.15.0/24 and the IP address of the DHCP 
server is 192.168.15.2.


I have attempted to install Kea using `apt install kea` and disabling the 
kea-dhcp-ddns-server service. Instead, I will use a systemd unit of my own against 
kea-dhcp4 running under the _kea user. So far so good.


When I attempted to start Kea as either _kea or root, it gave me the error below.
Unable to use interprocess sync lockfile (Permission denied): /var/run/kea/logger_lockfile


It turns out that this is a limitation imposed by AppArmor. When looking at the output of 
`journalctl | tail`, I see the following error message.
Oct 21 16:10:32 dhcp audit[109415]: AVC apparmor="DENIED" operation="open" 
profile="kea-dhcp4" name="/run/kea/logger_lockfile" pid=109415 comm="kea-dhcp4" 
requested_mask="wrc" denied_mask="wrc" fsuid=102 ouid=102


For now I have simply moved the /etc/apparmor.d/usr.sbin.kea-dhcp4 file out of there, 
which seems to have solved the issue. I still do need to run the program as root, however; 
it can't seem to bind to 67/udp as _kea.


Considering that I'm on a limited schedule, and am already running this in Hyper-V using 
an internal switch, security is not my primary concern at this moment. But I don't think it's 
a great idea to keep this "hotfix" of mine (foregoing AppArmor for Kea altogether) left at 
rest for too long either.


Below is the documentation I've used so far.
https://kea.readthedocs.io/en/latest/arm/config.html#json-configuration
https://datatracker.ietf.org/doc/html/rfc7159
https://groups.google.com/g/linux.debian.bugs.dist/c/EyXCDu5yL4o?pli=1
https://wiki.debian.org/AppArmor/HowToUse
https://blog.frehi.be/2023/12/25/protecting-your-linux-server-against-security-exploits-with-apparmor/
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#file-permissions

-- 
Met vriendelijke groet,
Michael De Roover
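
Added example (not part of the original post, and not code from Kea or the Debian package): a small parser that turns AppArmor DENIED records like the one quoted above into the file rule that would permit the access, so the profile can stay enabled instead of being moved away. The function names are hypothetical, and where the rule belongs (the profile itself or a local override it includes) depends on the packaged profile, which the post does not show.

```python
import re

# Constructed sample: the denial quoted in the post, joined onto one line.
SAMPLE_LOG = [
    'Oct 21 16:10:32 dhcp audit[109415]: AVC apparmor="DENIED" operation="open" '
    'profile="kea-dhcp4" name="/run/kea/logger_lockfile" pid=109415 comm="kea-dhcp4" '
    'requested_mask="wrc" denied_mask="wrc" fsuid=102 ouid=102',
    'Oct 21 16:10:33 dhcp systemd[1]: kea-dhcp4.service: Failed.',  # constructed noise line
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letters -> file-rule permissions; create (c) and delete (d) are covered by w.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"


def parse_denial(line):
    """Return the key/value fields of an AppArmor file denial, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    if fields.get("apparmor") != "DENIED" or not {"profile", "name"} <= fields.keys():
        return None
    return fields


def suggest_rules(lines):
    """Map each profile name to the sorted file rules that would permit its denials."""
    perms = {}  # (profile, owner_only, path) -> set of permission letters
    for line in lines:
        d = parse_denial(line)
        # Exec denials need a transition mode (ix, px, ...) chosen by hand: skip them.
        if d is None or "x" in d.get("denied_mask", ""):
            continue
        owner = "fsuid" in d and d["fsuid"] == d.get("ouid")  # process owns the file
        key = (d["profile"], owner, d["name"])
        perms.setdefault(key, set()).update(
            MASK_TO_PERM[c] for c in d.get("denied_mask", "") if c in MASK_TO_PERM)
    rules = {}
    for (profile, owner, path), p in perms.items():
        if "w" in p:
            p.discard("a")  # w and a conflict in one rule; w already allows append
        text = "".join(c for c in PERM_ORDER if c in p)
        if text:
            rules.setdefault(profile, []).append(f"{'owner ' if owner else ''}{path} {text},")
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join("  " + rule for rule in rules))
```

A rule derived this way covers only the accesses already denied; after reloading the profile, later denials (for example on other files under /run/kea) would show up in the journal and can be fed through the same function.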