This bug was fixed in the package apparmor - 2.13.3-7ubuntu4 --------------- apparmor (2.13.3-7ubuntu4) focal; urgency=medium
* debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it (LP: #1871148) * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets and DBus APIs. Patch partially based on work by Simon Deziel. (LP: #1796911, LP: #1869024) * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient: allow reading /etc/krb5.conf.d/ * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME (Closes: #930031) * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access to top-level ecryptfs directories (LP: #1848919) * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access to /run/uuidd/request * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the kernel supports the i915 perf interface. Patch from Debian -- Jamie Strandboge <ja...@ubuntu.com> Mon, 06 Apr 2020 17:47:20 +0000 ** Changed in: apparmor (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1869024 Title: add support for DynamicUser feature of systemd Status in snapd: In Progress Status in apparmor package in Ubuntu: Fix Released Bug description: systemd offers to create dynamic (and semi-stable) users for services. This causes many services using Apparmor profiles to trigger those denials (even when they don't use the DynamicUser feature): audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=709 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined" And more recently with systemd 245 this also get shown: audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Additional information: # lsb_release -rd Description: Ubuntu Focal Fossa (development branch) Release: 20.04 # uname -a Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux # apt-cache policy apparmor squid apparmor: Installed: 2.13.3-7ubuntu2 Candidate: 2.13.3-7ubuntu2 Version table: *** 2.13.3-7ubuntu2 500 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages 100 /var/lib/dpkg/status squid: Installed: 4.10-1ubuntu1 Candidate: 4.10-1ubuntu1 Version table: *** 4.10-1ubuntu1 500 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages 100 /var/lib/dpkg/status To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1869024/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp