Public bug reported:

When the squid apparmor profile is enabled, two types of apparmor errors
appear in the kernel logs:

audit: type=1400 audit(1537265313.920:230): apparmor="DENIED"
operation="capable" profile="/usr/sbin/squid" pid=2460 comm="squid"
capability=12  capname="net_admin"

and

audit: type=1400 audit(1537596453.254:301): apparmor="DENIED"
operation="connect" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/sbin/squid" name="run/dbus/system_bus_socket"
pid=24740 comm="squid" requested_mask="wr" denied_mask="wr" fsuid=0
ouid=0


These can be resolved via these changes to the apparmor profile:

diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
index 07a9642ab..df3a9a38f 100644
--- a/debian/usr.sbin.squid
+++ b/debian/usr.sbin.squid
@@ -3,7 +3,7 @@
 # vim:syntax=apparmor
 #include <tunables/global>
 
-/usr/sbin/squid {
+/usr/sbin/squid flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
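
Review bot: The new profile header `/usr/sbin/squid flags=(attach_disconnected) {` has no comment saying why the flag is needed, and it applies to the whole profile rather than only to the D-Bus socket lookup that produced the "disconnected path" denial. attach_disconnected only makes disconnected paths resolve as if attached to the root; it grants no access itself, and this patch adds no rule for the socket. Please confirm that one of the included abstractions (base, kerberosclient, nameservice) already permits the "wr" access to /run/dbus/system_bus_socket, and add a one-line comment above the header naming the denial this works around.
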
@@ -18,6 +18,7 @@
   # alternatively include the <abstractions/ssl_keys> abstraction, which
   # gives read access to the entire contents of /etc/ssl
 
+  capability net_admin,
   capability net_raw,
   capability setuid,
   capability setgid,
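
Review bot: `capability net_admin,` is added with no comment on what squid needs it for, and the report shows only that the capability check was denied, not that anything stopped working. net_admin is a broad capability (interface, routing and firewall configuration), so please add a comment naming the squid feature that requires it. If squid runs correctly without it, an explicit `deny capability net_admin,` rule would quiet the log without widening the profile.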

** Affects: squid (Ubuntu)
     Importance: Low
         Status: Triaged

https://bugs.launchpad.net/bugs/1796189

Title:
  apparmor DENIED errors
