[Touch-packages] [Bug 1751402] Re: abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

2018-03-20 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.12-4ubuntu1

---
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks   Mon, 19 Mar 2018 16:24:57 +

** Changed in: apparmor (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1751402

Title:
  abstraction/nameservice should include allow access to
  /var/lib/sss/mc/initgroups

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  From
  https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/comments/4:

  [2794367.925181] apparmor="DENIED" operation="open"
  profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111
  comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  The unbound AA profile includes abstractions/nameservice which already
  has some rules for files under /var/lib/sss/mc. I think that adding
  "/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make
  sense:

  $ diff -Naur abstractions/nameservice.orig abstractions/nameservice
  --- abstractions/nameservice.orig 2018-02-24 02:19:24.310884300 +
  +++ abstractions/nameservice  2018-02-24 02:20:10.578785312 +
  @@ -30,6 +30,7 @@
 # and the nss plugin also needs to talk to a pipe
 /var/lib/sss/mc/group   r,
 /var/lib/sss/mc/passwd  r,
  +  /var/lib/sss/mc/initgroups r,
 /var/lib/sss/pipes/nss  rw,
   
 /etc/resolv.confr,
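
Review bot: the added "/var/lib/sss/mc/initgroups r," rule has a single space before the permission, while the "group" and "passwd" rules above it pad the permission to a common column. "initgroups" is too long to fit that column, so either re-pad the neighbouring sss rules together with it or accept the one unaligned line on purpose. The grant itself is as narrow as the denial: read-only "r" matches requested_mask="r" in the log line above, and the explicit file name follows the two existing mc/ rules rather than opening the whole directory.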

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1751402/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
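
The reasoning in the bug description (a logged denial for a file the abstraction does not yet list), written out as an added example; it is not part of the original report or of AppArmor's own tooling. The profile fragment is constructed from the diff's context lines, the function names are hypothetical, and only literal path rules are compared (glob rules are not evaluated).

```python
import re
import shlex

# Denial from the bug description above, joined onto one line.
DENIAL = ('[2794367.925181] apparmor="DENIED" operation="open" '
          'profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 '
          'comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')

# Constructed fragment: the sss rules shown as context in the diff, pre-fix.
ABSTRACTION_BEFORE = """\
/var/lib/sss/mc/group   r,
/var/lib/sss/mc/passwd  r,
/var/lib/sss/pipes/nss  rw,
"""

LOG_TO_RULE = {"c": "w", "d": "w"}  # log masks create/delete need "w"
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*(?:#.*)?$")


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit message as a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_rules(text):
    """Map each literal file path in a profile fragment to its permissions."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).update(m.group(2))
    return rules


def missing_rule(denial_line, profile_text):
    """Return the rule that would cover a file denial, or None if covered."""
    d = parse_denial(denial_line)
    if d.get("apparmor") != "DENIED" or "name" not in d:
        return None
    need = {LOG_TO_RULE.get(c, c) for c in d.get("denied_mask", "")}
    have = parse_rules(profile_text).get(d["name"], set())
    lacking = "".join(sorted(need - have))
    return f"{d['name']} {lacking}," if lacking else None

print(missing_rule(DENIAL, ABSTRACTION_BEFORE))
```
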


[Touch-packages] [Bug 1751402] Re: abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

2018-02-25 Thread intrigeri
FTR this was already added upstream in commit 84cd523d8c which is part
of AppArmor v2.12. So it'll be fixed whenever Ubuntu upgrades to 2.12 :)

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => Fix Released


Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  New
