[Touch-packages] [Bug 1796911] Re: libnss-systemd was denied talking to pid1
This bug was fixed in the package apparmor - 2.13.3-7ubuntu4

---
apparmor (2.13.3-7ubuntu4) focal; urgency=medium

  * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
    RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
    (LP: #1871148)
  * libnss-systemd.patch: allow accessing the libnss-systemd VarLink
    sockets and DBus APIs. Patch partially based on work by Simon Deziel.
    (LP: #1796911, LP: #1869024)
  * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
    allow reading /etc/krb5.conf.d/
  * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow
    reading per-user themes from $XDG_DATA_HOME (Closes: #930031)
  * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read
    access to top-level ecryptfs directories (LP: #1848919)
  * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read
    access to /run/uuidd/request
  * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
    kernel supports the i915 perf interface. Patch from Debian

 -- Jamie Strandboge  Mon, 06 Apr 2020 17:47:20 +

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1796911

Title:
  libnss-systemd was denied talking to pid1

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  cosmic
  apparmor 2.12-4ubuntu8
  kernel 4.18.0-8-generic #9-Ubuntu

  I'm getting these audit messages in dmesg showing apparmor denied errors:

  [ 68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
  [ 161.059989] audit: type=1107 audit(1539095018.957:33): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1191 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
  [ 437.582034] audit: type=1107 audit(1539095295.553:34): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1534 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
  [ 468.184231] audit: type=1107 audit(1539095326.159:35): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1577 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

  I pinged #ubuntu-hardened, and xnox had these comments:
  ha ahasenack, libnss-systemd was denied talking to pid1 to query
  dynamicusers i think so i think something somewhere need adjustment to
  allow libnss-systemd to talk to pid1 and call GetDynamicUsers
  LookupDynamicUserByName LookupDynamicUserByUID GetDynamicUsers as well

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1796911/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796911] Re: libnss-systemd was denied talking to pid1
** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Committed
[Touch-packages] [Bug 1796911] Re: libnss-systemd was denied talking to pid1
** Changed in: apparmor (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High
[Touch-packages] [Bug 1796911] Re: libnss-systemd was denied talking to pid1
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed
[Touch-packages] [Bug 1796911] Re: libnss-systemd was denied talking to pid1
I see very similar errors with strongSwan when the daemon charon is run
as non-root:

[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"
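
Added example, not part of the bug thread or of the apparmor package: a triage script that groups DBus denials like the ones quoted in this thread by confined profile and prints the narrowest `dbus` rule each denial implies, for review before any policy change. The function names are hypothetical, the sample records are shortened or constructed, and the generated rules are candidates only, not the contents of libnss-systemd.patch.

```python
import re
from collections import defaultdict

# Constructed sample input: the first two records are shortened forms of the
# denials quoted in this thread; the third is a made-up file denial.
SAMPLE_LOG = """\
audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined"'
audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"'
audit: type=1400 audit(1540071200.000:675): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/example.conf" pid=1091 requested_mask="r" denied_mask="r"
"""

PAIR = re.compile(r'(\w+)="([^"]*)"')
SAFE = re.compile(r'^[A-Za-z0-9_./-]+$')  # refuse anything that could alter rule syntax
FIELDS = ("label", "mask", "bus", "path", "interface", "member", "name", "peer_label")


def parse_dbus_denials(log_text):
    """Return one dict per AppArmor DBus denial found in log_text."""
    denials = []
    for line in log_text.splitlines():
        rec = dict(PAIR.findall(line))
        if rec.get("apparmor") == "DENIED" and rec.get("operation", "").startswith("dbus_"):
            denials.append(rec)
    return denials


def suggest_rules(denials):
    """Map each confined profile label to the narrow dbus rules its denials imply."""
    rules = defaultdict(set)
    for rec in denials:
        if not all(SAFE.match(rec.get(f, "")) for f in FIELDS):
            continue  # incomplete or suspicious record: review by hand instead
        rules[rec["label"]].add(
            "dbus {mask} bus={bus} path={path} interface={interface} "
            "member={member} peer=(name={name}, label={peer_label}),".format(**rec)
        )
    return {label: sorted(r) for label, r in rules.items()}


if __name__ == "__main__":
    for label, rule_list in suggest_rules(parse_dbus_denials(SAMPLE_LOG)).items():
        print(label)
        for rule in rule_list:
            print("  " + rule)
```

Records whose fields contain characters outside the conservative allow-list are skipped rather than turned into policy text, since log content should not be copied into a profile unchecked.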