[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
[175882.466186] audit: type=1400 audit(1503640503.535:62): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" pid=7704 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

Same here (17.04)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
  AppArmor nameservice abstraction doesn't allow communication with
  systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
@intrigeri - you're right. I'll fix this in the citrain branch and in 2.11.0-2ubuntu14.
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
FWIW current Ubuntu citrain branch seems to apply exactly the same patch twice for some reason:

debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch

Not sure what's going on, but anyway we don't apply this patch in Debian so this only affects the Ubuntu-specific bits of the packaging.
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
Still true for Zesty.

** Tags added: zesty
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
Still present for me

[176007.813051] audit: type=1400 audit(1486720189.738:122): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" pid=14715 comm="EvJobScheduler" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
[179389.232131] audit: type=1400 audit(1486723571.310:133): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" pid=17305 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"

Not sure if it affects something.
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
This isn't fixed in AppArmor upstream. As an upstream, we decided against taking in this policy update until the patches to perform D-Bus mediation have landed in the upstream kernel. Without those patches, we'd be granting full access to the D-Bus system bus socket from the very commonly used namespace abstraction.

** Changed in: apparmor
       Status: Fix Released => Triaged
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
** Changed in: apparmor
       Status: Triaged => Fix Released
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

  * debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
    profiles that make use of the nameservice abstraction should be allowed
    to communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems
    are configured to use nss-resolve which then communicates with
    systemd-resolved's D-Bus API. (LP: #1598759)

 -- Tyler Hicks  Wed, 12 Oct 2016 01:47:06 +

** Changed in: apparmor (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

  * debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
    profiles that make use of the nameservice abstraction should be allowed
    to communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems
    are configured to use nss-resolve which then communicates with
    systemd-resolved's D-Bus API. (LP: #1598759)

 -- Tyler Hicks  Wed, 12 Oct 2016 01:47:06 +

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
** Tags added: aa-policy
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
We've decided not to merge this patch in the upstream AppArmor project at this time because most distros don't have the ability to perform fine-grained mediation of D-Bus communications and this change would grant full system bus access to network-facing daemons in those distros.

** Changed in: apparmor
       Status: In Progress => Triaged

** Changed in: apparmor
     Assignee: Tyler Hicks (tyhicks) => (unassigned)
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
This change looks to be working as expected. I've done the manual verification in the bug description and I've also gone through the desktop/server related portions of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor.

** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
Hello knz, or anyone else affected,

Accepted apparmor into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Also affects: ntp (Ubuntu Yakkety)
   Importance: High
     Assignee: Joshua Powers (powersj)
       Status: Invalid

** Also affects: apparmor (Ubuntu Yakkety)
   Importance: High
     Assignee: Tyler Hicks (tyhicks)
       Status: Triaged

** Changed in: apparmor (Ubuntu Yakkety)
       Status: Triaged => Fix Committed

** Tags added: verification-needed
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
@Tyler comment about the #14 above: I've reported against the 'kernel' the same issue output (but linux could be the false package; I'm not sure at all) Bug #1628835
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
** Description changed:

+ [ Impact ]
+ 
+ Processes confined by AppArmor profiles making use of the nameservice
+ AppArmor abstraction are unable to access the systemd-resolved network
+ name resolution service. The nsswitch.conf file shipped in Yakkety puts
+ the nss-resolve plugin to use which talks to systemd-resolved over
+ D-Bus. The D-Bus communication is blocked for the confined processes
+ described above and those processes will fallback to the traditional
+ means of name resolution.
+ 
+ [ Test Case ]
+ 
+ * Use ntpd to test:
+ $ sudo apt-get install -y ntp
+ ...
+ $ sudo systemctl stop ntp
+ 
+ # in another terminal, watch for AppArmor denials
+ $ dmesg -w
+ 
+ # in the original terminal, start ntp
+ $ sudo systemctl start ntp
+ 
+ # You'll see a number of denials on the system_bus_socket file:
+ audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0
+ 
+ * Use tcpdump to test:
+ 
+# Capture traffic on whichever network interface you're currently using
+$ sudo tcpdump -i eth0
+ 
+# Look in /var/log/syslog for denials on the system_bus_socket file:
+audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
+ 
+ In both situations, ntpd and tcpdump will seemingly work as expected due
+ to the name resolution fallback configured in nsswitch.conf. However,
+ neither confined process will be using systemd-resolved for name
+ resolution.
+ 
+ [ Regression Potential ]
+ 
+ This fix will allow ntp, tcpdump, cupsd, dhclient, and other
+ confined-by-default programs to start using systemd-resolved. There is some
+ potential for regression since those applications have not been
+ previously using systemd-resolved.
+ 
+ [ Original bug description ]
+ 
On this plain install of Xenial apparmor complains about ntpd:

[ 19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.426246] audit: type=1400 audit(146762.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.771326] audit: type=1400 audit(146762.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:

- #include
+ #include
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
I forgot to mention what brought me to this bug. I am seeing this denial when running tcpdump in Ubuntu Yakkety:

apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

After pulling the dbus-strict abstraction into the tcpdump profile, I then see this denial:

pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveAddress" mask="send" name="org.freedesktop.resolve1" pid=25438 label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"

My proposed fix grants access to the ResolveAddress, ResolveHostname, ResolveRecord, and ResolveService methods of the D-Bus API.
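The thread quotes two distinct shapes of denial: the kernel file/socket records from the test case in the bug description (ntpd and tcpdump unable to `connect` to /run/dbus/system_bus_socket, and the evince reports against the journal socket) and the dbus-daemon `dbus_method_call` record above, which only appears once the profile can reach the bus. The script below is an added triage example, not code from this bug or from the AppArmor project: it parses both record shapes, tells the two apart, and reports whether a given denial is the traffic the proposed fix would permit. The four Resolve* method names come from the comment above; the bus, object path, interface and peer name it checks are read off the quoted denial line; the verdict strings are this script's own, and the sample lines are constructed from the ones quoted in the thread.

```python
"""Triage AppArmor DENIED audit lines of the two shapes seen in this bug."""
import re
from dataclasses import dataclass, field

# Constructed sample input. The first two lines are kernel denials quoted in
# the thread (ntpd on the system bus socket, evince on the journal socket);
# the third is the dbus-daemon denial tcpdump hit once dbus-strict was added.
SAMPLE_LINES = [
    'audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" '
    'operation="connect" profile="/usr/sbin/ntpd" '
    'name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" '
    'requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0',
    '[175882.466186] audit: type=1400 audit(1503640503.535:62): '
    'apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" '
    'name="/run/systemd/journal/socket" pid=7704 comm="evince" '
    'requested_mask="w" denied_mask="w" fsuid=1000 ouid=0',
    "pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='"
    'apparmor="DENIED" operation="dbus_method_call" bus="system" '
    'path="/org/freedesktop/resolve1" '
    'interface="org.freedesktop.resolve1.Manager" member="ResolveAddress" '
    'mask="send" name="org.freedesktop.resolve1" pid=25438 '
    'label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"',
]

# What the proposed nameservice change allows. The four method names are from
# the thread; bus, path, interface and peer name are taken from the quoted
# denial record (assumption: the rule is scoped exactly that tightly).
RESOLVED_BUS = "system"
RESOLVED_PATH = "/org/freedesktop/resolve1"
RESOLVED_INTERFACE = "org.freedesktop.resolve1.Manager"
RESOLVED_PEER = "org.freedesktop.resolve1"
RESOLVED_METHODS = frozenset(
    {"ResolveAddress", "ResolveHostname", "ResolveRecord", "ResolveService"}
)
SYSTEM_BUS_SOCKET = "/run/dbus/system_bus_socket"

# key=value pairs; a value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Denial:
    operation: str
    label: str  # AppArmor profile of the confined process
    fields: dict = field(default_factory=dict)


def parse_denial(line):
    """Return a Denial for an apparmor="DENIED" line, or None otherwise."""
    # dbus-daemon denials are wrapped in msg='...'; keep only the inner record.
    if "msg='" in line:
        line = line.split("msg='", 1)[1].rstrip("'")
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") != "DENIED":
        return None
    # Kernel records name the subject with profile=, dbus-daemon with label=.
    label = fields.get("profile") or fields.get("label") or "?"
    return Denial(fields.get("operation", "?"), label, fields)


def covered_by_resolved_rule(d):
    """True if this is exactly the traffic the proposed rule permits: a method
    call sent to one of the four Resolve* methods of resolve1's Manager."""
    f = d.fields
    return (
        d.operation == "dbus_method_call"
        and f.get("bus") == RESOLVED_BUS
        and f.get("mask") == "send"
        and f.get("path") == RESOLVED_PATH
        and f.get("interface") == RESOLVED_INTERFACE
        and f.get("name") == RESOLVED_PEER
        and f.get("member") in RESOLVED_METHODS
    )


def blocked_at_bus_socket(d):
    """True when the profile cannot even reach the system bus socket, i.e. it
    lacks the dbus-strict abstraction and never gets as far as D-Bus mediation."""
    return d.operation in ("connect", "sendmsg") and d.fields.get("name") == SYSTEM_BUS_SOCKET


def verdict(d):
    if covered_by_resolved_rule(d):
        return "resolve1-allowed"
    if blocked_at_bus_socket(d):
        return "needs-dbus-socket"
    if d.operation == "dbus_method_call":
        return "dbus-not-covered"
    return "other"


def triage(lines):
    """Return (label, operation, target, verdict) for every DENIED line."""
    rows = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d.operation == "dbus_method_call":
            target = f"{d.fields.get('interface')}.{d.fields.get('member')}"
        else:
            target = d.fields.get("name", "?")
        rows.append((d.label, d.operation, target, verdict(d)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print("%-20s %-16s %-48s %s" % row)
```

Feed it `dmesg` or /var/log/syslog lines and the verdict column separates the three situations the thread discusses: a profile that never reaches the bus socket, a D-Bus call the proposed rule would permit, and a D-Bus call to some other method that a minimal rule should keep blocking. The last case is why the check matches bus, path, interface, peer name and method together rather than any one of them.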
[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
Fix sent upstream for review: https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html