[Kea-users] AppArmor violation using Kea on Debian 12
Michael De Roover
isc at nixmagic.com
Tue Oct 22 22:45:10 UTC 2024
Attached is a documentation entry that may be useful. It describes some notes that I
made at the time of this particular VM's deployment, related to various capabilities.
The VM in question was made on 2024-05-10, which both my Hyper-V manager and
/etc/motd entries confirm. Kea itself meanwhile was installed on 2024-10-21, i.e. yesterday
(more or less). AppArmor itself may have been present since then. I don't know if its
profiles get updated automatically. Until yesterday, there were no text changes in these
files on my end.
For the group assignment, the netdev group immediately came to mind. The _kea user
(UID 102) is not in it, while my regular user (vim, UID 1000) is in this group. But in
retrospect, that might have more to do with interface activation than it does with
privileged ports. Is there a capability to run certain processes / binaries / files / UIDs on
privileged ports? What are the security implications of such a thing? In the VM
environment, should I care whether it runs as root or anything else?
This is a reference I used for the system groups. The daemon group seems useful, but that
only seems to refer to files that the daemon has control over. My guess is that the _kea
user/group pair implies that this is done in a more complex manner than this group
targets.
https://wiki.debian.org/SystemGroups[1]
--
Met vriendelijke groet,
Michael De Roover
--------
[1] https://wiki.debian.org/SystemGroups
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2024-10-23 - Kea deployment.pdf
Type: application/pdf
Size: 45897 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20241023/a9f868d9/attachment-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kea-dhcp4.service
Type: text/x-systemd-unit
Size: 183 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20241023/a9f868d9/attachment-0001.bin>