Public bug reported:
Description: Ubuntu 22.04.2 LTS
Release: 22.04
apt-cache policy apparmor
apparmor:
Installed: 3.0.4-2ubuntu2.2
Candidate: 3.0.4-2ubuntu2.2
apparmor 3.0.4-2ubuntu2.2 amd64
Due to issues with systemd-resolved failing to resolve hosts after a random
amount of time, I have
/etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf
Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow
read access to the above path, so armored daemons like chrony fail to
resolve hostnames when used in their configuration files:
type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 ouid=0^]FSUID="_chrony" OUID="root"
A generalized (non-chrony specific) workaround is:
mkdir -p /etc/apparmor.d/abstractions/nameservice.d
echo '@{run}/NetworkManager/no-stub-resolv.conf r,' > /etc/apparmor.d/abstractions/nameservice.d/no-stub
systemctl reload apparmor.service
It seems to be an omission to not have
'@{run}/NetworkManager/no-stub-resolv.conf r,' in the default
abstractions/nameservice file.
Thanks for your consideration!
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2023342
Title:
apparmor needs read access to no-stub-resolv.conf
Status in apparmor package in Ubuntu:
New
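To see which confined daemons hit the same denial, the audit record quoted in the report can be parsed mechanically. The Python below is an added example, not part of the original report or of AppArmor's own tooling; the function names are hypothetical, the sample line is constructed from the record in the report, and only read-only denials under /run are turned into a candidate rule in the form the report uses.

```python
import re

GS = "\x1d"  # byte auditd puts before the translated fields in "enriched" logs
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Constructed sample: the denial quoted in the report as one line, with the
# "^]" shown there (caret notation for byte 0x1d) written as the real byte.
SAMPLE = (
    'type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/chronyd" '
    'name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 '
    'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 '
    'ouid=0' + GS + 'FSUID="_chrony" OUID="root"'
)


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    # Accept both the raw separator byte and its caret rendering from a terminal.
    line = line.replace(GS, " ").replace("^]", " ")
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # Values that cannot be quoted safely (spaces, quotes, control bytes)
        # are logged unquoted as hex; decode those for path-like fields only.
        if bare and key in ("name", "profile", "comm") and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields):
    """Candidate read rule for a read-only denial under /run, else None."""
    name = fields.get("name", "")
    # Anything wider than "r", outside /run, or needing quoting is left for
    # manual review instead of being turned into a rule automatically.
    if fields.get("denied_mask") != "r" or not name.startswith("/run/"):
        return None
    if any(c.isspace() or c == '"' for c in name):
        return None
    return "@{run}/" + name[len("/run/"):] + " r,"


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(denial["profile"], "->", suggest_rule(denial))
```

Feeding it each line of the audit log and grouping the results by `profile` shows whether the denial is specific to chronyd or affects every profile that includes the nameservice abstraction.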