Public bug reported: When the squid apparmor profile is enabled, two types of apparmor errors appear in the kernel logs:
audit: type=1400 audit(1537265313.920:230): apparmor="DENIED" operation="capable" profile="/usr/sbin/squid" pid=2460 comm="squid" capability=12 capname="net_admin"

and

audit: type=1400 audit(1537596453.254:301): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/squid" name="run/dbus/system_bus_socket" pid=24740 comm="squid" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

These can be resolved via these changes to the apparmor profile:

diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid index 07a9642ab..df3a9a38f 100644 --- a/debian/usr.sbin.squid +++ b/debian/usr.sbin.squid @@ -3,7 +3,7 @@ # vim:syntax=apparmor #include <tunables/global> -/usr/sbin/squid { +/usr/sbin/squid flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/kerberosclient> #include <abstractions/nameservice> @@ -18,6 +18,7 @@ # alternatively include the <abstractions/ssl_keys> abstraction, which # gives read access to the entire contents of /etc/ssl + capability net_admin, capability net_raw, capability setuid, capability setgid,

** Affects: squid (Ubuntu)
Importance: Low
Status: Triaged

https://bugs.launchpad.net/bugs/1796189

Title: apparmor DENIED errors
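
Review bot: `flags=(attach_disconnected)` on the `/usr/sbin/squid {` line in the first hunk applies to the whole profile, while the only disconnected-path denial in the report is the `connect` to `run/dbus/system_bus_socket`. The flag makes AppArmor treat disconnected paths as if they were rooted at /, so every path rule in the profile now also matches objects that live outside the process's namespace. Suggest a comment above the profile line recording why the flag is needed, and a check that one of the included abstractions actually allows `wr` on the system bus socket: this diff adds no rule for it, so the denial may otherwise just reappear with the full path.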
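
Review bot: `capability net_admin,` in the second hunk is added without a comment, and the report shows only that the `capable` check was denied, not which squid feature requested it. net_admin is a broad capability (interface, routing and firewall configuration), so please document next to the rule what squid needs it for. If squid works correctly without it, an explicit `deny capability net_admin,` would quiet the log without widening the profile.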