This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.9
apparmor (2.10.95-0ubuntu2.9) xenial; urgency=medium
* debian/patches/base-journald-updates.patch: update base abstraction
for additional journald sockets (LP: #1670408)
Backport from 2.11.0-2ubuntu5 by Jamie Strandboge <ja...@ubuntu.com>
-- Christian Ehrhardt <christian.ehrha...@canonical.com> Tue, 20 Feb
2018 16:04:02 +0100
** Changed in: apparmor (Ubuntu Xenial)
Status: Fix Committed => Fix Released
apparmor base abstraction needs backport of rev 3658 to fix several
denies (tor, ntp, ...)
Status in apparmor package in Ubuntu:
Status in ntp package in Ubuntu:
Status in tor package in Ubuntu:
Status in apparmor source package in Xenial:
* The base abstraction in xenial misses some ways programs can push
logs to journald
* Backport the fix from Artful to:
1. get rid of the Denies making logs less readable
2. get users to see the actual log entries will help to unbreak many
* Install one of the affected packages (in a xenial container is enough)
* For the case of ntp just install and then run
systemctl restart ntp
* in Dmesg you'll see apparmor Denies like
* Each case is different, in this (ntp) case also some log entries are
missed due to the block
* After installing the fixed package there is no Deny anymore and
programs are able to correctly log.
* The change is in ubuntu as-is since artful and we are only opening up,
but not limiting the access - so there should be nothing that is denied
after the update that was not before.
Vice versa there could be changes due to things now working correctly,
but I'd not see that as a regression.
* affects many packages ntp, tor - I even heard examples of mysql.
But the fix is in apparmor through base abstraction
Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
fails to start after installing the tor package. "systemctl status
Mar 06 16:04:00 zesty systemd: firstname.lastname@example.org: Main process exited,
Mar 06 16:04:00 zesty systemd: Failed to start Anonymizing overlay network
Mar 06 16:04:00 zesty systemd: email@example.com: Unit entered failed
Mar 06 16:04:00 zesty systemd: firstname.lastname@example.org: Failed with result
There are two AppArmor denials in the kernel log:
Mar 6 15:53:12 zesty-test kernel: [ 102.699647] audit: type=1400
audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
name="/run/systemd/journal/stdout" pid=3520 comm="tor"
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Mar 6 15:53:12 zesty-test kernel: [ 102.702418] audit: type=1400
audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
denied_mask="m" fsuid=100000 ouid=100000
Workaround: add the following two lines to /etc/apparmor.d/system_tor:
I couldn't remember how to get that profile reloaded, so I rebooted,
and after the reboot tor does start up successfully. "systemctl
tor@default" reports it as running.
I haven't checked to see if only one or other rule is actually
Importance -> High since this bug makes the package unusable in its
default configuration on Zesty. Since the AppArmor profile comes from
Debian's 0.2.9.9-1, this should probably be fixed in Debian.
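To check whether the denials on a host are the journald-socket kind that the base abstraction update targets, the following added example (not part of the bug report or of AppArmor) parses kernel audit lines, de-duplicates the AppArmor denials and splits them by target path. It assumes journald sockets live under /run/systemd/journal/, the directory of the first denial quoted in the report; sample lines 1 and 2 are the report's two denials joined to one line each, lines 3 and 4 are constructed.

```python
import re
from collections import Counter

# key=value / key="value" pairs as they appear in kernel audit records
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: journald sockets live under this directory (path of the first denial)
JOURNALD_DIR = "/run/systemd/journal/"

# Lines 1-2: the two denials quoted in the report, joined to one line each.
# Lines 3-4: constructed for this example (a repeat denial and a STATUS record).
SAMPLE = """\
Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400 audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit" name="/run/systemd/journal/stdout" pid=3520 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400 audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap" name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
Mar  6 15:58:40 zesty-test kernel: [  430.532647] audit: type=1400 audit(1488815920.101:52): apparmor="DENIED" operation="file_inherit" name="/run/systemd/journal/stdout" pid=3711 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Mar  6 15:58:41 zesty-test kernel: [  431.431647] audit: type=1400 audit(1488815921.000:53): apparmor="STATUS" operation="profile_load" name="example_profile" pid=3720 comm="apparmor_parser"
"""


def parse_denials(text):
    """Yield one dict per AppArmor DENIED record; every other line is skipped."""
    for line in text.splitlines():
        # findall gives (key, quoted, unquoted); exactly one value slot is filled
        rec = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
        if rec.get("apparmor") == "DENIED":
            yield rec


def triage(text):
    """Count unique denials, split by whether the target is a journald socket."""
    journald, other = Counter(), Counter()
    for rec in parse_denials(text):
        key = (rec.get("comm", "?"), rec.get("operation", "?"),
               rec.get("name", "?"), rec.get("denied_mask", "?"))
        bucket = journald if key[2].startswith(JOURNALD_DIR) else other
        bucket[key] += 1
    return journald, other


if __name__ == "__main__":
    journald, other = triage(SAMPLE)
    for label, bucket in (("journald socket", journald), ("other", other)):
        for (comm, op, name, mask), count in sorted(bucket.items()):
            print(f"{label:16} {count}x comm={comm} op={op} name={name} mask={mask}")
```

Run against dmesg output before and after installing the fixed package, the journald bucket shows whether those denials have stopped; entries in the other bucket are outside the journald sockets and need a separate look.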