[Touch-packages] [Bug 2023342] Re: apparmor needs read access to no-stub-resolv.conf

2023-06-22 Thread Chris Schanzle
As a first-time bug reporter, would it be more appropriate to file a
Debian bug report?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2023342

Title:
  apparmor needs read access to no-stub-resolv.conf

Status in apparmor package in Ubuntu:
  New

Bug description:
  Description:  Ubuntu 22.04.2 LTS
  Release:  22.04

  apt-cache policy apparmor
  apparmor:
    Installed: 3.0.4-2ubuntu2.2
    Candidate: 3.0.4-2ubuntu2.2
  apparmor 3.0.4-2ubuntu2.2 amd64

  
  Due to issues with systemd-resolved failing to resolve hosts after a random
  amount of time, I have

  /etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf

  Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow
  read access to the above path, so armored daemons like chrony fail to
  resolve hostnames when used in their configuration files:

  type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED"
  operation="open" profile="/usr/sbin/chronyd"
  name="/run/NetworkManager/no-stub-resolv.conf" pid=191892
  comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118
  ouid=0^]FSUID="_chrony" OUID="root"

  A generalized (non-chrony specific) workaround is:

  mkdir /etc/apparmor.d/abstractions/nameservice.d
  echo @{run}/NetworkManager/no-stub-resolv.conf r, > /etc/apparmor.d/abstractions/nameservice.d/no-stub
  systemctl reload apparmor.service

  It seems to be an omission to not have
  '@{run}/NetworkManager/no-stub-resolv.conf r,' in the default
  abstractions/nameservice file.

  Thanks for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2023342/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2023342] [NEW] apparmor needs read access to no-stub-resolv.conf

2023-06-08 Thread Chris Schanzle
Public bug reported:

Description:  Ubuntu 22.04.2 LTS
Release:  22.04

apt-cache policy apparmor
apparmor:
  Installed: 3.0.4-2ubuntu2.2
  Candidate: 3.0.4-2ubuntu2.2
apparmor 3.0.4-2ubuntu2.2 amd64


Due to issues with systemd-resolved failing to resolve hosts after a random
amount of time, I have

/etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf

Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow
read access to the above path, so armored daemons like chrony fail to
resolve hostnames when used in their configuration files:

type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED"
operation="open" profile="/usr/sbin/chronyd"
name="/run/NetworkManager/no-stub-resolv.conf" pid=191892
comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118
ouid=0^]FSUID="_chrony" OUID="root"

A generalized (non-chrony specific) workaround is:

mkdir /etc/apparmor.d/abstractions/nameservice.d
echo @{run}/NetworkManager/no-stub-resolv.conf r, > /etc/apparmor.d/abstractions/nameservice.d/no-stub
systemctl reload apparmor.service

It seems to be an omission to not have
'@{run}/NetworkManager/no-stub-resolv.conf r,' in the default
abstractions/nameservice file.

Thanks for your consideration!

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

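
Added example (not part of the original report and not AppArmor's own tooling): a small parser for the denial quoted in the report. It shows why the record names the /run path although the daemon opened /etc/resolv.conf (AppArmor mediates the symlink's target) and derives the rule used in the workaround. The function names and the one-line SAMPLE are constructed for illustration.

```python
import posixpath
import re

# Constructed sample: the denial from the report joined onto one line. "^]" is how
# the mail shows the 0x1D byte that separates auditd's enriched fields.
SAMPLE = (
    'type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/chronyd" '
    'name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 '
    'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 '
    'ouid=0^]FSUID="_chrony" OUID="root"'
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the record's key/value fields, or None if it is not an AppArmor denial."""
    raw = line.replace("^]", "\x1d").split("\x1d", 1)[0]  # drop enriched fields
    fields = {k: q or b for k, q, b in FIELD.findall(raw)}
    return fields if fields.get("apparmor") == "DENIED" else None

def resolve_link(link_path, link_target):
    """Lexically resolve a relative symlink; the result is the path AppArmor checks."""
    return posixpath.normpath(posixpath.join(posixpath.dirname(link_path), link_target))

def suggest_rule(fields):
    """File rule granting only the denied mask, using @{run} for /run and /var/run."""
    path = fields["name"]
    for prefix in ("/var/run/", "/run/"):
        if path.startswith(prefix):
            path = "@{run}/" + path[len(prefix):]
            break
    return f"{path} {fields['denied_mask']},"

def explain(line, link_path="/etc/resolv.conf",
            link_target="../run/NetworkManager/no-stub-resolv.conf"):
    """Summarise a denial and say whether it hits the resolv.conf symlink target."""
    fields = parse_denial(line)
    if fields is None:
        return None
    return {
        "profile": fields["profile"],
        "rule": suggest_rule(fields),
        "is_resolv_conf": fields["name"] == resolve_link(link_path, link_target),
    }

if __name__ == "__main__":
    print(explain(SAMPLE))
```

A rule placed under abstractions/nameservice.d applies to every profile that includes the nameservice abstraction, so the derived rule grants only the mask that was denied.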