@Brian, I did go through the full test case when marking it as verified in comment #20.
Do I really need to repeat the full test case when verifying a bug?

$ lxc launch images:ubuntu/focal fb1
$ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y
$ lxc exec fb1 -- apt install bind9 -y

# Confirms the problem:
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
audit: type=1400 audit(1591130868.387:930): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1591130868.387:931): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1591130868.387:932): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1591130868.387:933): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

Bringing in the fix from -proposed:

$ echo 'deb http://archive.ubuntu.com/ubuntu focal-proposed main' | lxc exec fb1 -- tee /etc/apt/sources.list
$ lxc exec fb1 -- apt update
$ lxc exec fb1 -- apt install apparmor
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  apparmor-profiles-extra apparmor-utils
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 494 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor amd64 2.13.3-7ubuntu5.1 [494 kB]
Fetched 494 kB in 1s (929 kB/s)
Preconfiguring packages ...
(Reading database ... 14968 files and directories currently installed.)
Preparing to unpack .../apparmor_2.13.3-7ubuntu5.1_amd64.deb ...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5) ...
Setting up apparmor (2.13.3-7ubuntu5.1) ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for systemd (245.4-4ubuntu3.1) ...

$ lxc exec fb1 -- systemctl restart named

No *new* DENIED messages in 'journalctl -k', so marking as verification-done.

-- 
https://bugs.launchpad.net/bugs/1872564

Title:
  /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
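
One way to make the "no *new* DENIED messages" check explicit, as an added example that is not part of the original message: filter the kernel audit lines by profile and by the audit(EPOCH:SERIAL) stamp. The function names new_denials and sample_log are hypothetical, and the sample log is constructed in the format shown above.

```shell
# Added example; new_denials and sample_log are hypothetical names.

# new_denials PROFILE SINCE_EPOCH
# Reads kernel log lines on stdin and prints the AppArmor denials for PROFILE
# whose audit(EPOCH:SERIAL) stamp is later than SINCE_EPOCH.
new_denials() {
    awk -v profile="$1" -v since="$2" '
        index($0, "apparmor=\"DENIED\"") &&
        index($0, "profile=\"" profile "\"") &&
        match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/) {
            # Strip "audit(" and ")" then split EPOCH from SERIAL.
            split(substr($0, RSTART + 6, RLENGTH - 7), stamp, ":")
            if (stamp[1] + 0 > since + 0) print
        }'
}

# Constructed sample: two denials from before the upgrade, then a profile
# reload, a denial for another profile, and one later denial for named.
sample_log() {
    cat <<'EOF'
audit: type=1400 audit(1591130868.387:930): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1591130868.387:931): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1591131200.101:940): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=22001 comm="apparmor_parser"
audit: type=1400 audit(1591131260.512:951): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/proc/sys/kernel/random/boot_id" pid=22040 comm="tcpdump" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1591131300.250:960): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/example.conf" pid=22100 comm="named" requested_mask="r" denied_mask="r"
EOF
}

# Cutoff taken between the upgrade and the restart: only the last line prints.
sample_log | new_denials /usr/sbin/named 1591131000
```

On a live system, record since=$(date +%s) just before the restart and pipe journalctl -o cat -b0 -k into new_denials /usr/sbin/named "$since"; empty output means no new denials for that profile.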