Gábor, systemd is well-meaning in providing namespacing features so the
thousands of daemons that are in the world don't have to re-implement
something similar. But of course the kernel hook points used by AppArmor
don't provide sufficient information to know what pathname to
reconstruct when the
Same problem with powerdns, I can't run it with apparmor profile,
because it complains:
operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/pdns_server" name="run/systemd/journal/dev-log" pid=17236 comm="pdns_server" requested_mask="w" denied_mask="w"
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: rsyslog (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
Possibly. There isn't actually enough information in that bug to be sure
if it is an actual namespacing issue or it is a separate bug to do with
unix domain sockets.
Unfortunately the workaround of attach_disconnected is still required to
deal with these issues.
Actually the dovecot profiles are in apparmor and not dovecot source
packages - so it would be an apparmor task then.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1373070
Hi,
I think bug 1594202 is another data point for this:
Jun 20 01:49:24 omicron kernel: [ 962.491873] audit: type=1400
audit(1466380164.941:90): apparmor="ALLOWED" operation="sendmsg"
info="Failed name lookup - disconnected path" error=-13
profile="/usr/lib/dovecot/log"
Correct.
There are actually several ways to get disconnected paths and this
specific one is being caused by the new file ns. The proper fix for this
is delegating access to the object that would not normally be
accessible, however delegation is not available in the current releases
of apparmor
Okay, so, I had more time to dig a bit into this and, after some
analysis, I got:
Errors being reproduced:
[1668392.078137] audit: type=1400 audit(1459311786.129:1375455):
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/dnsmasq"
Though,
For comments:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070/comments/7
If you remove /dev/log rwx from /etc/apparmor.d/usr.sbin.rsyslog :
Using kernel Ubuntu-3.13.x DOES NOT show any DENIALS (Ubuntu-3.16,
Ubuntu-3.19 and Ubuntu-4.2 HWE kernels show).
Using upstream
Yep, you're right. It was getting /dev/log from abstractions/base for
write only. My bad.
Though,
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070/comments/6
Shows same issue.
As expected, that's a totally different issue.
Please add
/dev/log r,
to your rsyslogd profile.
I am able to reproduce this just by having apparmor.d profile
usr.sbin.rsyslogd removed from disable/ directory.
[ 674.165128] audit: type=1400 audit(1456491880.616:134): apparmor="DENIED"
operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3639
comm="dhclient"
Pavel, Déziel,
I'm reproducing the same issue with dnsmasq + openstack + neutron:
Feb 16 18:35:01 juju-inaddy-machine-12 kernel: [ 4357.680900] audit:
type=1400 audit(1455647701.796:121): apparmor="DENIED"
operation="sendmsg" info="Failed name lookup - disconnected path"
error=-13
** Also affects: rsyslog (Ubuntu)
Importance: Undecided
Status: New
Title:
full fix for disconnected path
I'm affected by this bug too at Trusty + Vivid HWE
# lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04
# uname -a
Linux amanda 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:25:23 UTC
2015 i686 i686 i686 GNU/Linux
# dpkg -l | grep linux-image-generic
ii
To add one more data point, my Trusty server using the Utopic HWE kernel
also exhibits the problem:
May 21 12:27:28 xeon kernel: [95104.918686] audit: type=1400
audit(1432225648.230:57): apparmor=DENIED operation=sendmsg
info=Failed name lookup - disconnected path error=-13
This bug was fixed in the package cups - 1.7.5-3ubuntu1
---
cups (1.7.5-3ubuntu1) utopic; urgency=medium

  * debian/local/apparmor-profile:
    - fix peer on signal rule to use /usr/sbin/cupsd//third_party
      (LP: #1376611)
    - temporarily use attach_disconnected to work around
I'm going to need to add attach_disconnected to the cups profile as a
temporary workaround. When this bug is fixed, we need to undo that.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
** Changed in: cups (Ubuntu)
Status: New => In Progress
** Changed in: cups (Ubuntu)
Importance: Undecided => High
** Changed in: cups (Ubuntu)
Assignee: (unassigned) => Jamie Strandboge (jdstrand)