[175882.466186] audit: type=1400 audit(1503640503.535:62):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=7704 comm="evince"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Same here (17.04)
--
You received this bug notification
@intrigeri - you're right. I'll fix this in the citrain branch and in
2.11.0-2ubuntu14.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor nameservice abstraction doesn't allow
FWIW current Ubuntu citrain branch seems to apply exactly the same patch
twice for some reason:
debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch
Not sure what's going on, but anyway we don't apply this patch in Debian
so
Still true for Zesty.
** Tags added: zesty
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved
To
Still present for me
[176007.813051] audit: type=1400 audit(1486720189.738:122):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=14715 comm="EvJobScheduler"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
[179389.232131] audit:
This isn't fixed in AppArmor upstream. As an upstream, we decided
against taking in this policy update until the patches to perform D-Bus
mediation have landed in the upstream kernel. Without those patches,
we'd be granting full access to the D-Bus system bus socket from the
very commonly used
** Changed in: apparmor
Status: Triaged => Fix Released
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1
---
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium
* debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
** Tags added: aa-policy
We've decided not to merge this patch in the upstream AppArmor project
at this time because most distros don't have the ability to perform
fine-grained mediation of D-Bus communications and this change would
grant full system bus access to network-facing daemons in those distros.
** Changed in:
This change looks to be working as expected. I've done the manual
verification in the bug description and I've also gone through the
desktop/server related portions of
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor.
** Tags removed: verification-needed
** Tags added: verification-done
Hello knz, or anyone else affected,
Accepted apparmor into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
@Tyler
comment about the #14 above
I've reported against the 'kernel' the same issue output (but linux
could be the false package; I'm not sure at all)
Bug #1628835
** Description changed:
+ [ Impact ]
+
+ Processes confined by AppArmor profiles making use of the nameservice
+ AppArmor abstraction are unable to access the systemd-resolved network
+ name resolution service. The nsswitch.conf file shipped in Yakkety puts
+ the nss-resolve plugin to use which
I forgot to mention what brought me to this bug. I am seeing this denial
when running tcpdump in Ubuntu Yakkety:
apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump"
name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump"
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
After
Fix sent upstream for review:
https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html