apparmor denies dhclient socket

n0x0n

Updated from PVE 8-latest to PVE 9.1.1 yesterday, kernel 6.17.2-1-pve. Starting immediately after the upgrade, I get lots of apparmor messages denying dhclient access to a socket:
Code:
2025-11-22T09:54:12+01:00 pve2 kernel: audit: type=1400 audit(1763801652.257:138): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/{,usr/}sbin/dhclient" pid=1060 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
2025-11-22T09:54:12+01:00 pve2 kernel: audit: type=1400 audit(1763801652.257:139): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/{,usr/}sbin/dhclient" pid=1060 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
2025-11-22T09:54:12+01:00 pve2 kernel: audit: type=1400 audit(1763801652.291:140): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/{,usr/}sbin/dhclient" pid=1060 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none

System seems to work fine, but I think this shouldn't happen.
 
Temporary workaround to get rid of the noise: Add the following to /etc/apparmor.d/local/usr.sbin.dhclient
Code:
# local addition for dhclient
# permits creation and usage of UNIX domain datagram sockets
network unix dgram,
Don't forget to systemctl reload apparmor afterwards.

You probably should not do this on a production system.
 
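To triage denials like the ones quoted above before changing a profile, the records can be parsed and grouped. This is an added example, not part of the original posts; the function names `parse_denial`, `summarize` and `candidate_rule` are hypothetical, and the last sample line is constructed.

```python
import re
from collections import Counter

# key="quoted" or key=bare pairs, as they appear in kernel audit records
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
KEYS = ("profile", "comm", "class", "operation", "family", "sock_type")

# Three records copied from the post, plus one constructed non-AppArmor line.
SAMPLE = """\
2025-11-22T09:54:12+01:00 pve2 kernel: audit: type=1400 audit(1763801652.257:138): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/{,usr/}sbin/dhclient" pid=1060 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
2025-11-22T09:54:12+01:00 pve2 kernel: audit: type=1400 audit(1763801652.257:139): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/{,usr/}sbin/dhclient" pid=1060 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
2025-11-22T09:54:12+01:00 pve2 kernel: audit: type=1400 audit(1763801652.291:140): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/{,usr/}sbin/dhclient" pid=1060 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
2025-11-22T09:54:13+01:00 pve2 kernel: example: constructed line with no audit record
"""

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields

def summarize(text):
    """Count denials per (profile, comm, class, operation, family, sock_type)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            counts[tuple(d.get(k, "-") for k in KEYS)] += 1
    return counts

def candidate_rule(d):
    """For class="net" denials, build the 'network <family> <type>,' form
    used in the post's workaround. Review it before adding it to a profile."""
    if d.get("class") != "net" or "family" not in d or "sock_type" not in d:
        return None
    return f'network {d["family"]} {d["sock_type"]},'

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, dict(zip(KEYS, key)))
    print(candidate_rule(parse_denial(SAMPLE.splitlines()[0])))
```
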