Public bug reported:
systemd offers to create dynamic (and semi-stable) users for services.
This causes many services using AppArmor profiles to trigger those
denials (even when they don't use the DynamicUser feature):
audit: type=1107 audit(1585076282.591:30): pid=621 uid=103
auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
operation="dbus_method_call" bus="system"
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers"
mask="send" name="org.freedesktop.systemd1" pid=709
label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"
And more recently with systemd 245 this also gets shown:
audit: type=1400 audit(1585139000.628:39): apparmor="DENIED"
operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/"
pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Additional information:
# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
# uname -a
Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux
# apt-cache policy apparmor squid
apparmor:
  Installed: 2.13.3-7ubuntu2
  Candidate: 2.13.3-7ubuntu2
  Version table:
 *** 2.13.3-7ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
squid:
  Installed: 4.10-1ubuntu1
  Candidate: 4.10-1ubuntu1
  Version table:
 *** 4.10-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1869024
Title:
add support for DynamicUser feature of systemd
Status in apparmor package in Ubuntu:
New
--
Mailing list: https://launchpad.net/~touch-packages
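
To triage denials like the two quoted in this report, the following added example (not part of the bug report or of AppArmor itself) parses both record types and drafts one candidate profile rule per denial. The function names and the re-joined sample lines are constructed for illustration, and the generated rules are drafts for review, not the fix adopted for this bug.

```python
import re

# Constructed sample: the two denial records quoted in the report, each
# re-joined onto a single line as the audit log would emit them.
SAMPLE_LOG = (
    'audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 '
    'auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" '
    'operation="dbus_method_call" bus="system" '
    'path="/org/freedesktop/systemd1" '
    'interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" '
    'mask="send" name="org.freedesktop.systemd1" pid=709 '
    'label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"\n'
    'audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" '
    'pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
)

# key="quoted value" or key=bare; the opening msg=' wrapper matches neither
# alternative, so the fields nested inside it are picked up individually.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"\']+))')
DBUS_KEYS = ("mask", "bus", "path", "interface", "member", "name", "label")

def parse_record(line):
    """Split one audit line into a dict. Later keys win, so for type=1107
    records 'pid' ends up as the confined sender, not the D-Bus daemon."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def draft_rule(rec):
    """Return (profile, candidate rule) for a DENIED record, else None."""
    if rec.get("apparmor") != "DENIED":
        return None
    if rec.get("operation", "").startswith("dbus_"):
        if not all(k in rec for k in DBUS_KEYS):
            return None
        rule = ("dbus {mask} bus={bus} path={path} interface={interface} "
                "member={member} peer=(name={name}),").format(**rec)
        return rec["label"], rule
    if all(k in rec for k in ("profile", "name", "denied_mask")):
        return rec["profile"], "{name} {denied_mask},".format(**rec)
    return None

def candidate_rules(log):
    """Group de-duplicated draft rules by the profile that was denied."""
    out = {}
    for line in log.splitlines():
        hit = draft_rule(parse_record(line))
        if hit:
            out.setdefault(hit[0], set()).add(hit[1])
    return {profile: sorted(rules) for profile, rules in out.items()}
```
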