This problem is indeed somewhat pervasive, I also filed bug 1869632 on
cups-browsed doing the same thing, for the same reason. I suspect more
will pop up. I don't think libnss_mdns is too widely used, most people
would use libnss_mdns_minimal.  I only have to use libnss_mdns because
my ISP is insane. If this bug were fixed by adding /etc/mdns.allow to
/etc/apparmor.d/abstractions/mdns bug 1869632 would be fixed as well
(I've verified this by patching it on my system.)

Not sure why /etc/apparmor.d/abstractions/mdns contains
/etc/nss_mdns.conf, though: libnss_mdns.so.2 doesn't refer to that file
(it appears to be used in the NetBSD implementation?)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1869629

Title:
  please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

Status in apparmor package in Ubuntu:
  New
Status in chrony package in Ubuntu:
  Invalid

Bug description:
  In focal users of mdns get denials in apparmor confined applications.
  An example can be found in the original bug below.

  It seems it is a common pattern, see
  https://github.com/lathiat/nss-mdns#etcmdnsallow

  Therefore I'm asking to add
     /etc/mdns.allow r,
  to the file
     /etc/apparmor.d/abstractions/mdns
  by default.

  --- original bug ---

  Many repetitions of

  audit: type=1400 audit(1585517168.705:63): apparmor="DENIED"
  operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow"
  pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r"
  fsuid=123 ouid=0

  in log.  I use libnss-mdns for .local name resolution, so
  /etc/nsswitch.conf contains

  hosts:          files mdns [NOTFOUND=return] myhostname dns

  and /etc/mdns.allow contains the domains to resolve with mDNS (in my
  case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

  Presumably chronyd calls a gethostbyX() somewhere, thus eventually
  trickling down through the name service switch and opening
  /etc/mdns.allow, which the AppArmor profile in the chrony package does
  not allow.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: chrony 3.5-6ubuntu1
  ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
  Uname: Linux 5.4.0-18-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu21
  Architecture: amd64
  Date: Sun Mar 29 15:02:39 2020
  InstallationDate: Installed on 2020-03-26 (3 days ago)
  InstallationMedia: Xubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200326)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: chrony
  UpgradeStatus: No upgrade log present (probably fresh install)
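The denial line quoted in the bug description is the kind of event a sysadmin turns into a profile or abstraction rule (which is what aa-logprof does interactively). The following is an added example, not code from the bug thread or from the apparmor package: it parses the type=1400 audit line from the report, derives the `/etc/mdns.allow r,` rule the reporter is asking for, and checks whether a given abstraction text already carries a literal rule for that path. The audit lines and the abstraction fragments are constructed here for the example; the real /etc/apparmor.d/abstractions/mdns file is not reproduced.

```python
import re

# Constructed sample: the AppArmor denial from the bug report, reflowed onto
# one line as it appears in kern.log, plus one unrelated non-DENIED line
# (also constructed) to show that filtering works.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" '
    'pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" '
    'fsuid=123 ouid=0',
    'audit: type=1400 audit(1585517200.001:64): apparmor="ALLOWED" '
    'operation="open" profile="/usr/sbin/cups-browsed" name="/etc/nss_mdns.conf" '
    'pid=2000 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Matches the quoted key="value" fields of an AppArmor audit line.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_event(line):
    """Return the key="value" fields of an AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def denied_file_rules(lines):
    """Map each confined profile to the set of file rules its denials imply.

    Only lines with apparmor="DENIED" and a file name are considered. The
    rule text is what one would add to the profile or abstraction, for the
    report above '/etc/mdns.allow r,'.
    """
    rules = {}
    for line in lines:
        ev = parse_apparmor_event(line)
        if not ev or ev.get('apparmor') != 'DENIED' or 'name' not in ev:
            continue
        rule = f"{ev['name']} {ev['denied_mask']},"
        rules.setdefault(ev['profile'], set()).add(rule)
    return rules


def abstraction_covers(abstraction_text, path):
    """Check whether abstraction text already contains a literal rule for path.

    Deliberately simple: it matches exact-path rules only, not globs or
    variables, so False means 'not obviously present', not 'definitely absent'.
    """
    for raw in abstraction_text.splitlines():
        stmt = raw.split('#', 1)[0].strip()
        if stmt.startswith(path + ' ') and stmt.endswith(','):
            return True
    return False


# Constructed stand-ins for the mdns abstraction before and after adding the rule.
ABSTRACTION_BEFORE = """\
  # mdns abstraction (constructed fragment, not the real file)
  /etc/nss_mdns.conf r,
"""
ABSTRACTION_AFTER = ABSTRACTION_BEFORE + "  /etc/mdns.allow r,\n"

if __name__ == "__main__":
    for profile, rules in denied_file_rules(SAMPLE_AUDIT_LINES).items():
        for rule in sorted(rules):
            print(f"{profile}: missing rule -> {rule}")
    print("before fix:", abstraction_covers(ABSTRACTION_BEFORE, "/etc/mdns.allow"))
    print("after fix: ", abstraction_covers(ABSTRACTION_AFTER, "/etc/mdns.allow"))
```

Because the denial comes from the NSS module rather than from chronyd's own code, the derived rule belongs in the shared abstraction, as the bug title requests, so that every profile including abstractions/mdns (cups-browsed in the linked bug, for instance) is fixed at once rather than patching each profile separately.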
