You have been subscribed to a public bug:

When a service is running under deeper protection under systemd, i.e. when any of these systemd stanzas are used in the unit file: ProtectSystem=full, PrivateDevices=true or ProtectHome=true, then AppArmor somehow mangles the path name for sockets created by this service.

I discovered this when installing MariaDB. Their authors used all three of the above-mentioned stanzas in their unit file, and when any of them is enabled for MariaDB, then any separate application that tries to access /run/mysqld/mysql.sock and that has an AppArmor profile to give access to that path gets this error, where the initial '/' is stripped away:

    audit: type=1400 audit(1480516514.245:108): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/mda" name="run/mysqld/mysqld.sock" pid=15111 comm="mda" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=113

Running strace on the /usr/bin/mda application shows that it does access the proper path "/run/mysqld/mysqld.sock", and commenting all three of the stanzas out and restarting MariaDB removes this error from AppArmor. Also, putting the profile in debug mode shows that once these three stanzas are removed, AppArmor sees the correct path again.

I initially posted this to the systemd bug page at https://github.com/systemd/systemd/issues/4774 but they felt that the problem lay within AppArmor.

** Affects: mariadb-10.0 (Ubuntu)
   Importance: Undecided
   Status: New

--
AppArmor mangles the "name" for services protected by systemd
https://bugs.launchpad.net/bugs/1646192
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
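A triage script for the kind of denial quoted in the report, as an added example that is not part of the original bug report or of AppArmor: it parses AppArmor audit records and groups those whose info field is "Failed name lookup - disconnected path", noting whether the logged name lost its leading '/'. Only the first sample record comes from the report; the other records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# First record is the denial quoted in the bug report; the rest are constructed
# (a repeat with another pid, an ordinary denial, and a status record).
SAMPLE_LOG = [
    'audit: type=1400 audit(1480516514.245:108): apparmor="DENIED" operation="connect" '
    'info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/mda" '
    'name="run/mysqld/mysqld.sock" pid=15111 comm="mda" requested_mask="wr" '
    'denied_mask="wr" fsuid=0 ouid=113',
    'audit: type=1400 audit(1480516520.101:109): apparmor="DENIED" operation="connect" '
    'info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/mda" '
    'name="run/mysqld/mysqld.sock" pid=15140 comm="mda" requested_mask="wr" '
    'denied_mask="wr" fsuid=0 ouid=113',
    'audit: type=1400 audit(1480516530.300:110): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/mda" name="/etc/shadow" pid=15141 comm="mda" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1480516400.000:90): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/bin/mda" pid=900 '
    'comm="apparmor_parser"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of an AppArmor audit record as a dict, or None."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields if "apparmor" in fields else None


def find_disconnected(lines):
    """Group DENIED records caused by a disconnected path lookup.

    Returns sorted tuples (profile, operation, name, count, lost_root), where
    lost_root is True when the logged name has no leading '/'.
    """
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if "disconnected path" not in rec.get("info", ""):
            continue  # ordinary denial: the profile simply lacks a rule
        hits[(rec.get("profile", ""), rec.get("operation", ""), rec.get("name", ""))] += 1
    return [(p, op, n, c, not n.startswith("/")) for (p, op, n), c in sorted(hits.items())]


if __name__ == "__main__":
    for row in find_disconnected(SAMPLE_LOG):
        print(row)
```

Separating these records from ordinary denials matters because adding a path rule for /run/mysqld/mysqld.sock to the profile does not match a name that was logged without its leading '/'.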
