[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-30 Thread Simon Déziel
Yeah, this GetDynamicUsers denial is probably unrelated and should/will
be addressed in another bug. Thanks for double checking the alias trick!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1841364

Title:
  AppArmor breaks the default Unbound installation in a live session

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1841364/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-30 Thread Tore Anderson
I can confirm that the following commands fix the problem so Unbound
can start again:

 echo 'alias / -> /upper/,' >> /etc/apparmor.d/tunables/alias
 apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.unbound

I noticed that when it starts, another AppArmor-related error message is
logged:

[  257.707923] audit: type=1107 audit(1567174888.349:247): pid=976 uid=103 
auid=4294967295 ses=4294967295 msg='apparmor="DENIED" 
operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" 
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" 
mask="send" name="org.freedesktop.systemd1" pid=6735 label="/usr/sbin/unbound" 
peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? 
terminal=?'

However, it does not appear to cause any problems as far as I could
tell.

Tore
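
Added example, not part of the message above or of the bug report: a small Python parser that separates AppArmor denials from status records, run over two records quoted in this thread plus one constructed file denial. The function names and the third sample record are assumptions made for illustration.

```python
import re

# Records 1 and 2 are copied from this thread (wrapped lines re-joined).
# Record 3 is constructed for contrast and does not come from the bug report.
SAMPLE_LOG = [
    '[  257.707923] audit: type=1107 audit(1567174888.349:247): pid=976 uid=103 '
    'auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" '
    'operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" '
    'interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" '
    'mask="send" name="org.freedesktop.systemd1" pid=6735 label="/usr/sbin/unbound" '
    'peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=103 '
    'hostname=? addr=? terminal=?\'',
    'aug. 28 16:08:02 ubuntu kernel: audit: type=1400 audit(1567008482.755:240): '
    'apparmor="STATUS" operation="profile_replace" info="same as current profile, '
    'skipping" profile="unconfined" name="/usr/sbin/unbound" pid=6536 '
    'comm="apparmor_parser"',
    'audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/unbound" name="/upper/etc/unbound/unbound.conf" pid=1 '
    'comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare; a value may not start with a quote character,
# so the msg='...' wrapper of type=1107 records is skipped and its inner
# fields are parsed as ordinary pairs.
PAIR = re.compile(r'(\w+)=("([^"]*)"|[^\s\'"]+)')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict.
    Repeated keys (pid occurs twice in D-Bus records) keep the last value,
    which is the one that belongs to the confined process."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in PAIR.findall(line)}

def denials(lines):
    """Return (profile, operation, target, mask) for every DENIED record."""
    found = []
    for line in lines:
        f = parse_record(line)
        if f.get("apparmor") != "DENIED":
            continue  # STATUS records such as profile_replace are not denials
        profile = f.get("label") or f.get("profile")
        if f.get("operation", "").startswith("dbus_"):
            target = f.get("interface", "?") + "." + f.get("member", "?")
        else:
            target = f.get("name", "?")
        found.append((profile, f.get("operation"), target,
                      f.get("mask") or f.get("denied_mask")))
    return found

if __name__ == "__main__":
    for entry in denials(SAMPLE_LOG):
        print(entry)
```
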


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-30 Thread Christian Ehrhardt 
That would be a change in apparmor to generally help the live system, and much 
less an unbound specific issue.
Therefore I added a task for apparmor for the people triaging/fixing that to 
take a look.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-29 Thread Simon Déziel
I use the alias feature in reverse (doh!). That one did the trick:

  # /etc/apparmor.d/tunables/alias
  alias / -> /upper/,


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-29 Thread Bryce Harrington
** Tags removed: server-triage-discuss


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-29 Thread Bryce Harrington
** Changed in: unbound (Ubuntu)
   Importance: Undecided => Low

** Changed in: unbound (Ubuntu)
   Status: Confirmed => Triaged


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-29 Thread Andreas Hasenack
** Tags added: server-triage-discuss

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to unbound in Ubuntu.
https://bugs.launchpad.net/bugs/1841364

Title:
  AppArmor breaks the default Unbound installation in a live session

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1841364/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-28 Thread Tore Anderson
That does not work, same error message when attempting to restart
unbound.

The apparmor_parser command results in the following being logged to the
system journal:

aug. 28 16:08:02 ubuntu audit[6536]: AVC apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" name="/usr/sbin/unbound" pid=6536 comm="apparmor_parser"
aug. 28 16:08:02 ubuntu kernel: audit: type=1400 audit(1567008482.755:240): 
apparmor="STATUS" operation="profile_replace" info="same as current profile, 
skipping" profile="unconfined" name="/usr/sbin/unbound" pid=6536 
comm="apparmor_parser"

Also, the /etc/apparmor.d/force-complain/usr.sbin.unbound does not
exist, so the rm -f command is a no-op.

Tore


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-27 Thread Simon Déziel
As root:

 echo 'alias /upper/ -> /,' >> /etc/apparmor.d/tunables/alias
 rm -f /etc/apparmor.d/force-complain/usr.sbin.unbound
 apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.unbound
 service unbound restart

Then you should hopefully see no more AppArmor denials.


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-27 Thread Tore Anderson
Sure, I can test if you tell me how, ideally spoon-fed. Like I said, I
have no experience with AppArmor so I don't know how to install alias
rules.

By the way, I finished my blog post. Of the six DNSSEC validators I
tested, it was only Unbound that didn't work in the live environment (but
of course it might be that none of the others are using AppArmor):
https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html

Tore


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-27 Thread Simon Déziel
Would you mind testing the alias rule I suggested in comment #3? If it
works, it would in theory fix not only Unbound but every application
shipping with an AppArmor profile.


[Bug 1841364] Re: AppArmor breaks the default Unbound installation in a live session

2019-08-27 Thread Simon Déziel
** Summary changed:

- AppArmor breaks the default Unbound installation
+ AppArmor breaks the default Unbound installation in a live session
