Bug#813835: abstractions/nameservice: does not allow NetworkManager without resolvconf

2016-02-10 Thread intrigeri
Hi,

Simon McVittie wrote (05 Feb 2016 17:50:25 GMT) :
> I would like to propose this patch:

> --- /etc/apparmor.d/abstractions/nameservice  2016-02-02 13:49:52.929534484 
> +
> +++ /home/smcv/tmp/nameservice2016-02-05 17:34:58.929681171 +
> @@ -35,8 +35,9 @@
>/etc/resolv.confr,
># on systems using resolvconf, /etc/resolv.conf is a symlink to
># /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
> -  # /etc/resolvconf/run/resolv.conf
> -  /{,var/}run/resolvconf/resolv.conf r,
> +  # /etc/resolvconf/run/resolv.conf. Similarly, if NetworkManager is used
> +  # without resolvconf, /etc/resolv.conf is a symlink to its own resolv.conf.
> +  /{,var/}run/{resolvconf,NetworkManager}/resolv.conf r,
>/etc/resolvconf/run/resolv.conf r,
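Review bot: the `{,var/}` prefix on the `+  /{,var/}run/{resolvconf,NetworkManager}/resolv.conf r,` line is doing real work and deserves a word in the comment: the symlink in the report points at `/var/run/NetworkManager/resolv.conf`, but the denial records `name="/run/NetworkManager/resolv.conf"`, the path as the kernel resolves it, so a rule naming only the `/var/run/` form would still be denied. Suggest the new comment read "symlink to /{,var/}run/NetworkManager/resolv.conf" rather than "its own resolv.conf" so the next reader sees which concrete path the rule is covering.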

Cool, thanks! I'm going to rebase it on top of current upstream head,
and propose it there.

If it's not too much of a burden for you, don't hesitate to propose
such patches upstream directly in the future :)

> For a bit of future-proofing, you might also want to allow systemd/resolve
> as a third option in the {} group (see systemd-resolved(8) for details).

It seems that we have it upstream since r3328:
https://bazaar.launchpad.net/~apparmor-dev/apparmor/master/annotate/head:/profiles/apparmor.d/abstractions/nameservice

Cheers,
-- 
intrigeri



Bug#813835: abstractions/nameservice: does not allow NetworkManager without resolvconf

2016-02-08 Thread Trout, Diane E.
I just turned on apparmor and had the same problem. 

+1 for Simon's solution.

Diane

Bug#813835: abstractions/nameservice: does not allow NetworkManager without resolvconf

2016-02-05 Thread Simon McVittie
Package: apparmor
Version: 2.10-3
Severity: normal
Tags: upstream patch

On systems with NetworkManager but no resolvconf, /etc/resolv.conf
is a symlink to /var/run/NetworkManager/resolv.conf:

lrwxrwxrwx 1 root root 35 Feb  5 17:07 /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf

leading to denials like this:

Feb 05 17:20:09 archetype kernel: audit: type=1400 audit(1454692809.391:306): 
apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" 
name="/run/NetworkManager/resolv.conf" pid=1032 comm="freshclam" 
requested_mask="r" denied_mask="r" fsuid=124 ouid=0

I would like to propose this patch:

--- /etc/apparmor.d/abstractions/nameservice2016-02-02 13:49:52.929534484 
+
+++ /home/smcv/tmp/nameservice  2016-02-05 17:34:58.929681171 +
@@ -35,8 +35,9 @@
   /etc/resolv.confr,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
-  # /etc/resolvconf/run/resolv.conf
-  /{,var/}run/resolvconf/resolv.conf r,
+  # /etc/resolvconf/run/resolv.conf. Similarly, if NetworkManager is used
+  # without resolvconf, /etc/resolv.conf is a symlink to its own resolv.conf.
+  /{,var/}run/{resolvconf,NetworkManager}/resolv.conf r,
   /etc/resolvconf/run/resolv.conf r,
 
   /etc/samba/lmhosts  r,
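Review bot: this patch looks mangled in transit and may not apply cleanly: the date is fused to the path in the `--- /etc/apparmor.d/abstractions/nameservice2016-02-02 ...` header, the timezone offset has been split onto a bare `+` line, and the context line `/etc/resolv.confr,` has lost the whitespace between path and mode that the other rule lines keep. Re-sending as an attachment or via `git format-patch` would avoid the whitespace damage; the hunk header `@@ -35,8 +35,9 @@` itself is consistent with the two removed and three added lines.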

For a bit of future-proofing, you might also want to allow systemd/resolve
as a third option in the {} group (see systemd-resolved(8) for details).

Regards,
S
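To make the denial-versus-rule check above concrete, here is an added example (not part of the bug report or of the AppArmor project): it parses AppArmor audit lines like the one quoted, expands the `{}` alternations of a nameservice rule the way the profile language does, and reports which read denials the old rule misses and the patched rule covers. It assumes rules without `*` globbing (true for both rules here) and uses sample log lines constructed from the report.

```python
import re

# Constructed sample audit lines: the first is the freshclam denial from the
# bug report, the second is a constructed one that the old rule already allows.
SAMPLE_LOGS = [
    'audit: type=1400 audit(1454692809.391:306): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/freshclam" name="/run/NetworkManager/resolv.conf" pid=1032 '
    'comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0',
    'audit: type=1400 audit(1454692810.000:307): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/freshclam" name="/run/resolvconf/resolv.conf" pid=1032 '
    'comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0',
]

OLD_RULE = "/{,var/}run/resolvconf/resolv.conf"                  # before the patch
NEW_RULE = "/{,var/}run/{resolvconf,NetworkManager}/resolv.conf"  # after the patch
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')             # key="v" or key=v

def parse_audit_line(line):
    """Split an AppArmor audit line into its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, val = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        fields[key] = val
    return fields

def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations (repeated or nested) into literal paths."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    paths = []
    for alt in m.group(1).split(','):
        paths.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return paths

def rule_covers(rule, name):
    """True if the denied path is one of the rule's literal expansions (no * globbing)."""
    return name in expand_braces(rule)

def uncovered_denials(log_lines, rule):
    """(profile, name) pairs for DENIED reads that `rule` would not allow.
    The denial's name is the kernel-resolved path (/run/..., since /var/run is
    itself a symlink to /run), which is why the {,var/} alternation matters."""
    hits = []
    for f in map(parse_audit_line, log_lines):
        if f.get('apparmor') == 'DENIED' and 'r' in f.get('denied_mask', ''):
            if not rule_covers(rule, f.get('name', '')):
                hits.append((f['profile'], f['name']))
    return hits
```

Feeding `journalctl -k` output to `uncovered_denials` with a candidate rule shows which denials a profile change would actually silence before it is installed.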