As requested out-of-band I: 1. Replaced `/etc/apparmor.d/unix-chkpwd` with https://gitlab.com/apparmor/apparmor/-/blob/89dc242c4b32401fbcc4095a20fd62f7aeae0269/profiles/apparmor.d/unix-chkpwd 2. Replaced the profile: `sudo apparmor_parser -r /etc/apparmor.d/unix-chkpwd` 3. Tried to reproduce the issue
The polkit dialog doesn't fail anymore now and the `pkexec ls` command succeeds. However, I still see a few AppArmor DENIED messages in the logs: Mar 23 19:02:47 ubuntu26-04 kernel: kauditd_printk_skb: 12 callbacks suppressed Mar 23 19:02:47 ubuntu26-04 kernel: audit: type=1400 audit(1774288967.957:303): apparmor="DENIED" operation="connect" class="file" profile="unix-chkpwd" name="/disconnected/run/systemd/userdb/org.gnome.DisplayManager" pid=7491 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 Mar 23 19:02:47 ubuntu26-04 kernel: audit: type=1400 audit(1774288967.958:304): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/proc/sys/kernel/osrelease" pid=7491 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Mar 23 19:02:47 ubuntu26-04 kernel: audit: type=1400 audit(1774288967.958:305): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/proc/sys/kernel/osrelease" pid=7491 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Mar 23 19:02:47 ubuntu26-04 kernel: audit: type=1400 audit(1774288967.958:306): apparmor="DENIED" operation="ptrace" class="ptrace" profile="unix-chkpwd" pid=7491 comm="unix_chkpwd" requested_mask="read" denied_mask="read" peer="unconfined" Mar 23 19:02:47 ubuntu26-04 kernel: audit: type=1400 audit(1774288967.958:307): apparmor="DENIED" operation="connect" class="file" profile="unix-chkpwd" name="/disconnected/run/systemd/userdb/org.gnome.DisplayManager" pid=7491 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 Mar 23 19:02:47 ubuntu26-04 pkexec[7327]: pam_unix(polkit-1:session): session opened for user root(uid=0) by [email protected](uid=10000) Mar 23 19:02:47 ubuntu26-04 pkexec[7327]: [email protected]: Executing command [USER=root] [TTY=/dev/pts/2] [CWD=/home/[email protected]] [COMMAND=/usr/bin/ls] Mar 23 19:02:48 ubuntu26-04 systemd[1]: polkit-agent-helper@0-1-6040_17367-10000.service: Deactivated successfully. Mar 23 19:02:48 ubuntu26-04 systemd[1]: Finished polkit-agent-helper@0-1-6040_17367-10000.service - Authorization Manager Agent Helper (PID 6040/UID 10000). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2145628 Title: Using pkexec as an authd user fails To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2145628/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
