@Tyler comment about the #14 above
I've reported against the 'kernel' the same issue output (but linux could be the false package; I'm not sure at all)
Bug #1628835

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
  AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

Status in AppArmor:
  In Progress
Status in apparmor package in Ubuntu:
  Triaged
Status in ntp package in Ubuntu:
  Invalid

Bug description:
  [ Impact ]

  Processes confined by AppArmor profiles making use of the nameservice AppArmor abstraction are unable to access the systemd-resolved network name resolution service. The nsswitch.conf file shipped in Yakkety puts the nss-resolve plugin to use which talks to systemd-resolved over D-Bus. The D-Bus communication is blocked for the confined processes described above and those processes will fallback to the traditional means of name resolution.

  [ Test Case ]

  * Use ntpd to test:

    $ sudo apt-get install -y ntp
    ...
    $ sudo systemctl stop ntp

    # in another terminal, watch for AppArmor denials
    $ dmesg -w

    # in the original terminal, start ntp
    $ sudo systemctl start ntp

    # You'll see a number of denials on the system_bus_socket file:
    audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0

  * Use tcpdump to test:

    # Capture traffic on whichever network interface you're currently using
    $ sudo tcpdump -i eth0

    # Look in /var/log/syslog for denials on the system_bus_socket file:
    audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  In both situations, ntpd and tcpdump will seemingly work as expected due to the name resolution fallback configured in nsswitch.conf. However, neither confined process will be using systemd-resolved for name resolution.

  [ Regression Potential ]

  This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-by-default programs to start using systemd-resolved. There is some potential for regression since those applications have not been previously using systemd-resolved.

  [ Original bug description ]

  On this plain install of Xenial apparmor complains about ntpd:

  [   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

  Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:

    #include <abstractions/dbus-strict>

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
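
Added example (not part of the bug report and not AppArmor's own tooling): because the nsswitch.conf fallback hides this failure, the audit log is the only place it shows up. This Python sketch parses audit lines like those quoted in the test case and counts, per confined profile, the denied connects to the system bus socket. The first three sample lines are copied from the report, the last two are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in AppArmor audit records
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BUS_SOCKET = "/run/dbus/system_bus_socket"

# Lines 1-3 are copied from the bug report; lines 4-5 are constructed.
SAMPLE = [
    'audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0',
    'audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    '[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0',
    'audit: type=1400 audit(1476240900.000:41): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/tmp/example" pid=4106 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'systemd[1]: Started Network Time Service.',
]

def parse_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def bus_denials(lines):
    """Count DENIED connects to the system bus socket per (profile, comm)."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "connect"
                and rec.get("name") == BUS_SOCKET):
            hits[(rec.get("profile"), rec.get("comm"))] += 1
    return hits

if __name__ == "__main__":
    for (profile, comm), count in sorted(bus_denials(SAMPLE).items()):
        print(f"{profile} ({comm}): {count} denied connect(s) to {BUS_SOCKET}")
```

Each profile it lists is one that is silently falling back from systemd-resolved to the traditional resolver, as the report describes.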