The fix was landed in the apparmor package and no change was needed to
the ntp or tor packages in the end. If I'm wrong, please reopen those

** Changed in: ntp (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: ntp (Ubuntu)
       Status: Fix Released => Invalid

** Changed in: tor (Ubuntu)
       Status: Confirmed => Invalid

You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs

  apparmor base abstraction needs backport of rev 3658 to fix several
  denies (tor, ntp, ...)

Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
Status in tor package in Ubuntu:
Status in apparmor source package in Xenial:
  Fix Released

Bug description:

   * The base abstraction in xenial  misses some ways programs can push 
     logs to journald

   * Backport the fix form Artful to:
     1. get rid of the Denies making logs less readable
     2. get users to see the actual log entries will help to unbreak many 
        other cases

  [Test Case]

   * Install one of the affected packages (in a xenial container is enough)
   * For the case of ntp just install and then run
     systemctl restart ntp
   * in Dmesg you'll see apparmor Denies like
   * Each case is different, in this (ntp) case also some log entries are 
     missed due to the block
   * After installing the fixed package there is no Deny anymore and 
     programs are able to correctly log.

  [Regression Potential]

   * The change is in ubuntu as-is since artful and we are only opening up, 
     but not limiting the access - so there should be nothing that is denied 
     after the update that was not before.
     Vice versa there could be changes due to things now working correcrly, 
     but I'd not see that as a regression.

  [Other Info]
   * affects many packages ntp, tor - I even heard examples of mysql.
     But the fix is in apparmor through base abstraction


  Using tor with Linux 4.10.0-9-generic on Zesty, tor
  fails to start after installing the tor package. "systemctl status
  tor@default" reports:

  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, 
code=killed, status=11/SEGV
  Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network 
for TCP.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed 
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result 

  There are two AppArmor denials in the kernel log:

  Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400
  audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
  namespace="root//lxd-zesty_<var-lib-lxd>" profile="system_tor"
  name="/run/systemd/journal/stdout" pid=3520 comm="tor"
  requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000

  Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400
  audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
  namespace="root//lxd-zesty_<var-lib-lxd>" profile="system_tor"
  name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
  denied_mask="m" fsuid=100000 ouid=100000

  Workaround: add the following two lines to /etc/apparmor.d/system_tor:

  /usr/bin/tor m,
  /run/systemd/journal/stdout rw,

  I couldn't remember how to that that profile reloaded, so I rebooted,
  and after the reboot tor does start up successfully. "systemctl
  tor@default" reports it as running.

  I haven't checked to see if only one or other rule is actually

  Importance -> High since this bug makes the package unusable in its
  default configuration on Zesty. Since the AppArmor profile comes from
  Debian's, this should probably be fixed in Debian.

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to