[175882.466186] audit: type=1400 audit(1503640503.535:62):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=7704 comm="evince"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Same here (17.04)
@intrigeri - you're right. I'll fix this in the citrain branch and in
2.11.0-2ubuntu14.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor
FWIW current Ubuntu citrain branch seems to apply exactly the same patch
twice for some reason:
debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch
Not sure what's going on, but anyway we don't apply this patch in Debian
so
Still true for Zesty.
** Tags added: zesty
Still present for me
[176007.813051] audit: type=1400 audit(1486720189.738:122):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=14715 comm="EvJobScheduler"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
[179389.232131] audit:
This isn't fixed in AppArmor upstream. As an upstream, we decided
against taking in this policy update until the patches to perform D-Bus
mediation have landed in the upstream kernel. Without those patches,
we'd be granting full access to the D-Bus system bus socket from the
very commonly used
** Changed in: apparmor
Status: Triaged => Fix Released
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1
---
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium
* debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
** Tags added: aa-policy
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor nameservice abstraction doesn't allow communication with
We've decided not to merge this patch in the upstream AppArmor project
at this time because most distros don't have the ability to perform
fine-grained mediation of D-Bus communications and this change would
grant full system bus access to network-facing daemons in those distros.
** Changed in:
This change looks to be working as expected. I've done the manual
verification in the bug description and I've also gone through the
desktop/server related portions of
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor.
** Tags removed: verification-needed
** Tags added: verification-done
Hello knz, or anyone else affected,
Accepted apparmor into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
@Tyler
comment about the #14 above
I've reported against the 'kernel' the same issue output (but linux
could be the false package; I'm not sure at all)
Bug #1628835
** Description changed:
+ [ Impact ]
+
+ Processes confined by AppArmor profiles making use of the nameservice
+ AppArmor abstraction are unable to access the systemd-resolved network
+ name resolution service. The nsswitch.conf file shipped in Yakkety puts
+ the nss-resolve plugin to use which
I forgot to mention what brought me to this bug. I am seeing this denial
when running tcpdump in Ubuntu Yakkety:
apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump"
name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump"
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
After
Fix sent upstream for review:
https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html