This bug was fixed in the package apparmor - 2.13.3-7ubuntu4
---------------
apparmor (2.13.3-7ubuntu4) focal; urgency=medium
* debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
(LP: #1871148)
* libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets
and DBus APIs. Patch partially based on work by Simon Deziel.
(LP: #1796911, LP: #1869024)
* upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
allow reading /etc/krb5.conf.d/
* upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading
per-user themes from $XDG_DATA_HOME (Closes: #930031)
* upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access
to top-level ecryptfs directories (LP: #1848919)
* upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access
to /run/uuidd/request
* upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
kernel supports the i915 perf interface. Patch from Debian
-- Jamie Strandboge <[email protected]> Mon, 06 Apr 2020 17:47:20 +0000
** Changed in: apparmor (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1869024
Title:
add support for DynamicUser feature of systemd
Status in snapd:
In Progress
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
systemd offers to create dynamic (and semi-stable) users for services.
This causes many services using Apparmor profiles to trigger those
denials (even when they don't use the DynamicUser feature):
audit: type=1107 audit(1585076282.591:30): pid=621 uid=103
auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
operation="dbus_method_call" bus="system"
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers"
mask="send" name="org.freedesktop.systemd1" pid=709
label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"
And more recently with systemd 245 this also get shown:
audit: type=1400 audit(1585139000.628:39): apparmor="DENIED"
operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/"
pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Additional information:
# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
# uname -a
Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux
# apt-cache policy apparmor squid
apparmor:
Installed: 2.13.3-7ubuntu2
Candidate: 2.13.3-7ubuntu2
Version table:
*** 2.13.3-7ubuntu2 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
100 /var/lib/dpkg/status
squid:
Installed: 4.10-1ubuntu1
Candidate: 4.10-1ubuntu1
Version table:
*** 4.10-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1869024/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
