As a first-time bug reporter, would it be more appropriate to file a
Debian bug report?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2023342

Title:
  apparmor needs read access to no-stub-resolv.conf

Status in apparmor package in Ubuntu:
  New

Bug description:
  Description:  Ubuntu 22.04.2 LTS
  Release:      22.04

  apt-cache policy apparmor
  apparmor:
    Installed: 3.0.4-2ubuntu2.2
    Candidate: 3.0.4-2ubuntu2.2
  apparmor 3.0.4-2ubuntu2.2 amd64

  
  Due to issues with systemd-resolved failing to resolve hosts after a random amount of time, I have

  /etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf

  Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow
  read access to the above path, so armored daemons like chrony fail to
  resolve hostnames when used in their configuration files:

  type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED"
  operation="open" profile="/usr/sbin/chronyd"
  name="/run/NetworkManager/no-stub-resolv.conf" pid=191892
  comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118
  ouid=0 FSUID="_chrony" OUID="root"

  A generalized (non-chrony specific) workaround is:

  mkdir /etc/apparmor.d/abstractions/nameservice.d
  echo '@{run}/NetworkManager/no-stub-resolv.conf r,' > /etc/apparmor.d/abstractions/nameservice.d/no-stub
  systemctl reload apparmor.service

  It seems to be an omission to not have '@{run}/NetworkManager/no-stub-resolv.conf r,'
  in the default abstractions/nameservice file.

  Thanks for your consideration!
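Added example, not part of the reporter's message or of the apparmor project: a small Python triage helper that parses an audit DENIED record like the one quoted above (including the 0x1d separator that shows up as "^]") and turns it into the narrowest rule for a nameservice.d drop-in, in the same form the reporter's workaround uses. The drop-in file name and the header comment are assumptions.

```python
import re

# Constructed sample: the chronyd denial quoted in the report. Enriched
# audit records separate raw fields from the decoded ones (FSUID=, OUID=)
# with an ASCII 0x1d group separator, which terminals render as "^]".
SAMPLE_AVC = (
    'type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/chronyd" '
    'name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 '
    'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 '
    'ouid=0\x1dFSUID="_chrony" OUID="root"'
)

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Literal prefixes that AppArmor policy normally writes as variables.
PATH_VARS = {"/run/": "@{run}/", "/proc/": "@{PROC}/"}

# Assumed drop-in location; matches the reporter's workaround.
DROPIN = "/etc/apparmor.d/abstractions/nameservice.d/no-stub"


def parse_avc(line):
    """Split one audit line into a dict of its fields, quotes stripped."""
    line = line.replace("\x1d", " ")
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rule(fields):
    """Narrowest file rule permitting this denial: exact path, denied
    permissions only, so triage does not reach for '/run/** r,'."""
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    path = fields["name"]
    for literal, var in PATH_VARS.items():
        if path.startswith(literal):
            path = var + path[len(literal):]
            break
    return f"{path} {fields['denied_mask']},"


def dropin_for(lines):
    """Collect rules for every DENIED line into one drop-in file body."""
    rules = sorted({r for r in map(suggest_rule, map(parse_avc, lines)) if r})
    body = "# NetworkManager no-stub resolv.conf (assumed header)\n"
    return DROPIN, body + "".join(r + "\n" for r in rules)


if __name__ == "__main__":
    path, body = dropin_for([SAMPLE_AVC])
    print(f"# write to {path}, then: systemctl reload apparmor.service")
    print(body, end="")
```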
