Public bug reported:

Several critical systems are broken with the default Ubuntu 17.10
apparmor profile when booting in kernel 4.14, e.g. DHCP/networking and
mysql-server.

I got it working by applying the attached patch from the /etc directory.
The patch is mostly based on the patch provided in comment #34 in the
upstream bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877581.
I had to remove the sections for the files that Ubuntu doesn't have
(such as tor, tor.browser, haveged and libvirt) and to get DHCP to work,
I also had to add 'w' permission to /usr/lib/NetworkManager/nm-dhcp-helper
to avoid this syslog message:

apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=3876 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: apparmor 2.11.0-2ubuntu17
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 4.14.0-rc5-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Oct 18 12:59:38 2017
InstallationDate: Installed on 2017-08-16 (62 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-4.14.0-rc5-generic root=UUID=0eb64261-6dff-464a-8373-596794c1fafe ro rootflags=subvol=@ quiet splash acpi_rev_override=5 scsi_mod.use_blk_mq=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to artful on 2017-08-17 (62 days ago)
modified.conffile..etc.apparmor.d.abstractions.nameservice: [modified]
mtime.conffile..etc.apparmor.d.abstractions.nameservice: 2017-10-18T12:17:08.648386

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug artful wayland-session

** Patch added: "apparmor-for-4.14.diff"
   https://bugs.launchpad.net/bugs/1724450/+attachment/4974449/+files/apparmor-for-4.14.diff

https://bugs.launchpad.net/bugs/1724450

Title:
  apparmor is broken for kernel 4.14

Status in apparmor package in Ubuntu:
  New
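
When a kernel upgrade starts producing denials like the one quoted in the report, tallying them by profile and socket type shows which profiles are affected. The following is an added example, not part of the original bug report or the attached patch; the function names are hypothetical, and every sample line except the first is constructed for illustration.

```python
import re
from collections import Counter

# key="quoted value" or key=bare_value, as they appear in AppArmor audit messages
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED message, or None for any other line."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Count denials per (profile, operation, family, sock_type); '-' marks an absent field."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f:
            key = tuple(f.get(k, "-") for k in ("profile", "operation", "family", "sock_type"))
            counts[key] += 1
    return counts

def profiles_denied_socket_create(lines):
    """Profiles with a denied socket create, the class of denial quoted in the report."""
    return sorted({p for (p, op, fam, _sock) in summarize(lines)
                   if op == "create" and fam != "-"})

# SAMPLE[0] is the denial from the report, rejoined onto one line.
# SAMPLE[1:] are constructed lines (hypothetical pids, hosts and timestamps).
SAMPLE = [
    'apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=3876 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"',
    'Oct 18 12:17:02 host kernel: audit: type=1400 audit(1508321822.101:46): apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=3902 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"',
    'apparmor="DENIED" operation="create" profile="/usr/sbin/mysqld" pid=4021 comm="mysqld" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/4021/status" pid=4021 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112',
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hosts" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for (profile, op, fam, sock), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {profile}  operation={op} family={fam} sock_type={sock}")
    print("socket create denied for:", profiles_denied_socket_create(SAMPLE))
```

Feeding it the output of `journalctl -k` or the contents of `/var/log/syslog` line by line gives the same tally for a live system.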

