[Touch-packages] [Bug 2023342] Re: apparmor needs read access to no-stub-resolv.conf

2023-06-22 Thread Seth Arnold
Hi Chris, thanks for the report.

In this case, reporting to Debian probably wouldn't help much, they're
less active than they used to be.

If you're motivated and interested enough, a merge request on
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/nameservice
would be fantastic. It'd probably speed the process along nicely.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2023342

Title:
  apparmor needs read access to no-stub-resolv.conf

Status in apparmor package in Ubuntu:
  New

Bug description:
  Description:  Ubuntu 22.04.2 LTS
  Release:  22.04

  apt-cache policy apparmor
  apparmor:
    Installed: 3.0.4-2ubuntu2.2
    Candidate: 3.0.4-2ubuntu2.2
  apparmor 3.0.4-2ubuntu2.2 amd64

  
  Due to issues with systemd-resolved failing to resolve hosts after a
  random amount of time, I have

  /etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf

  Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow
  read access to the above path, so armored daemons like chrony fail to
  resolve hostnames when used in their configuration files:

  type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED"
  operation="open" profile="/usr/sbin/chronyd"
  name="/run/NetworkManager/no-stub-resolv.conf" pid=191892
  comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118
  ouid=0^]FSUID="_chrony" OUID="root"

  A generalized (non-chrony specific) workaround is:

  mkdir /etc/apparmor.d/abstractions/nameservice.d
  echo '@{run}/NetworkManager/no-stub-resolv.conf r,' > /etc/apparmor.d/abstractions/nameservice.d/no-stub
  systemctl reload apparmor.service

  It seems to be an omission to not have
  '@{run}/NetworkManager/no-stub-resolv.conf r,' in the default
  abstractions/nameservice file.

  Thanks for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2023342/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
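
The denial quoted in the bug description can be turned into a candidate rule mechanically. The following is an added example, not part of the bug report or of AppArmor's own tooling; `parse_denial` and `suggest_rule` are hypothetical names, and the output is a suggestion to review, since a denial can also mean the profile is working as intended.

```python
import re

# Constructed input: the denial from the bug report, joined onto one line.
SAMPLE = ('type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" '
          'operation="open" profile="/usr/sbin/chronyd" '
          'name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 '
          'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 '
          'ouid=0^]FSUID="_chrony" OUID="root"')

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    # Enriched records put a 0x1D byte before the FSUID=/OUID= names;
    # pasted logs often show it as the two characters "^]".
    line = line.replace("\x1d", " ").replace("^]", " ")
    fields = {}
    for m in PAIR.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        # The kernel audit code hex-encodes a name that contains spaces
        # or control bytes and logs it without quotes.
        if key == "name" and quoted is None and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    if fields.get("apparmor") != "DENIED":
        return None
    if not {"name", "denied_mask"} <= fields.keys():
        return None
    return fields

def suggest_rule(fields):
    """Build a candidate file rule for review; nothing is applied."""
    path = fields["name"]
    for prefix in ("/var/run/", "/run/"):
        if path.startswith(prefix):
            path = "@{run}/" + path[len(prefix):]
            break
    if re.search(r"\s", path):
        path = f'"{path}"'  # AppArmor needs quotes around paths with spaces
    return f"{path} {fields['denied_mask']},"

if __name__ == "__main__":
    print(suggest_rule(parse_denial(SAMPLE)))
```
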


[Touch-packages] [Bug 2023342] Re: apparmor needs read access to no-stub-resolv.conf

2023-06-22 Thread Chris Schanzle
As a first-time bug reporter, would it be more appropriate to file a
Debian bug report?
