| 2020-01-23 19:29:25 |
Nicolaas |
description |
Apologies for the lengthy bug report as I do not have sufficient knowledge to how AppArmor and Snap-Store works to be able to provide specific evidence of actions and outcomes. However, I am happy to see I am not the only one on the internet who struggles with AppArmor and the usability behind it.
=====EXPERIENCE=====
-Stage 1-
As a new user to Ubuntu who just migrated from Windows 7,
the user installed Freemind using Snap-Store,
but every time the user tried to open a Freemind mindmap that is on in the ./media/nic/StorageSSD/Mindmaps folder the following error message displayed:
"cmd_run.go:884: WARNING: cannot create user data directory: cannot create "/home/nicolaas/snap/freemind/4": mkdir /home/nicolaas/snap/freemind/4: permission denied
cannot read mount namespace identifier of pid 1: Permission denied".
-Stage 2-
After executing "sudo aa-logprof" as internet search results pointed towards AppArmor,
the Snap-Store GUI stopped working. The user just selected (I) or (A)llow for everything that returned.
There might have been a chance that "sudo aa-genprof freemind" was executed before this.
-Stage 3-
When executing "snap-store" or "freemind" from terminal the following error message is displayed:
"cannot self-bind mount /run/snapd/ns: Permission denied"
-Stage 4-
The user opened "Software" (Location: /usr/share/applications) from the start menu which appeared to be doing the same as Snap-Store. From "Software", removed "Snap-Store" and "Freemind". Then installed them again using "Software". The same error message is displayed:
"cannot self-bind mount /run/snapd/ns: Permission denied"
-Stage 5-
Further research on the internet someone mentioned on a forum that this kind of behaviour is possibly due to using the "Software" application to install "Snap-Store" and not "Snapd".
-Stage 6-
Then executed "sudo snap remove snap-store" and "sudo snap remove freemind".
Then executed "sudo snap install snap-store" and "sudo snap install freemind".
The install completed successfully.
-Stage 7-
When executing "sudo aa-genprof snap-store", no new events are found during the (S)can system log, so the user can only (F)inish.
-Stage 8-
This is when the user assumed since the error was "snapd" that the issue will be resolved by executing "sudo aa-genprof snapd". This then displayed the content stated in the attached file and instructions.
-Stage 9-
When executing "sudo aa-genprof snapd" again the following error message is displayed:
"ERROR: Can't find snapd in the system path list. If the name of the application
is correct, please run 'which snapd' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter."
-Stage 10-
When executing "which snapd" no results are returned.
=====EXPECTATION=====
1. "Snap-Store" should have better permission options available. "Snap-Store" has 5 permissions where "Freemind" only had 2 permissions. General apps that allow users to CRUD files should include accessing removable media permission options.
2. AppArmor should have a better approach for users, especially new users, to troubleshoot and configuring permissions.
3. Permission error messages related to AppArmor must be more specific and user friendly to improve the communication and troubleshooting between users and the community. The error codes was not found using Google.
4. There really MUST be an easier way to move an application/services from "enforce mode" to "complain mode".
=====SYSTEM CONFIGURATION=====
Operating System: Kubuntu 19.10
KDE Plasma Version: 5.16.5
KDE Frameworks Version: 5.62.0
Qt Version: 5.12.4
Kernel Version: 5.3.0-26-generic
OS Type: 64-bit
Processors: 4 × Intel® Core™ i3 CPU M 350 @ 2.27GHz
Memory: 7,6 GiB of RAM
=====APPARMOR PROFILES CONFIGURATION=====
apparmor module is loaded.
80 profiles are loaded.
59 profiles are in enforce mode.
/home/nicolaas/snap
/sbin/dhclient
/snap
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snap-store/209/snap
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/bin/snap
/usr/bin/snap//null-/snap/core/8268/usr/bin/snap
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/haveged
/usr/sbin/ippusbxd
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
/usr/sbin/tcpdump
chromium_browser//browser_java
chromium_browser//browser_openjdk
chromium_browser//sanitized_helper
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.freemind
snap-update-ns.gnome-calculator
snap-update-ns.gnome-characters
snap-update-ns.gnome-logs
snap-update-ns.okular
snap-update-ns.remmina
snap-update-ns.snap-store
snap.core.hook.configure
snap.freemind.freemind
snap.gnome-calculator.gnome-calculator
snap.gnome-characters.gnome-characters
snap.gnome-logs.gnome-logs
snap.okular.okular
snap.remmina.remmina
snap.remmina.winpr-hash
snap.remmina.winpr-makecert
snap.snap-store.snap-store
21 profiles are in complain mode.
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
chromium_browser
chromium_browser//chromium_browser_sandbox
chromium_browser//lsb_release
chromium_browser//xdgsettings
identd
klogd
libreoffice-oopslash
libreoffice-soffice
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
6 processes have profiles defined.
4 processes are in enforce mode.
/usr/sbin/cups-browsed (739)
/usr/sbin/cupsd (606)
/usr/sbin/haveged (581)
/usr/sbin/mysqld (1806) /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
2 processes are in complain mode.
/usr/sbin/avahi-daemon (619) avahi-daemon
/usr/sbin/avahi-daemon (732) avahi-daemon
0 processes are unconfined but have a profile defined.
=====CONTENT OF TXT FILE LOGGED=====
<pre>Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 92, in <module>
program = apparmor.get_full_path(profiling)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 193, in get_full_path
path = os.getcwd() + '/' + path
FileNotFoundError: [Errno 2] No such file or directory
</pre>
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file. |
Apologies for the lengthy bug report as I do not have sufficient knowledge to how AppArmor and Snap-Store works to be able to provide specific evidence of actions and outcomes. However, I am happy to see I am not the only one on the internet who struggles with AppArmor and the usability behind it.
NOTE: For some reason attachments does not work so the bottom have the content of the TXT log file.
=====EXPERIENCE=====
-Stage 1-
As a new user to Ubuntu who just migrated from Windows 7,
the user installed Freemind using Snap-Store,
but every time the user tried to open a Freemind mindmap that is on in the ./media/nic/StorageSSD/Mindmaps folder the following error message displayed:
"cmd_run.go:884: WARNING: cannot create user data directory: cannot create "/home/nicolaas/snap/freemind/4": mkdir /home/nicolaas/snap/freemind/4: permission denied
cannot read mount namespace identifier of pid 1: Permission denied".
-Stage 2-
After executing "sudo aa-logprof" as internet search results pointed towards AppArmor,
the Snap-Store GUI stopped working. The user just selected (I) or (A)llow for everything that returned.
There might have been a chance that "sudo aa-genprof freemind" was executed before this.
-Stage 3-
When executing "snap-store" or "freemind" from terminal the following error message is displayed:
"cannot self-bind mount /run/snapd/ns: Permission denied"
-Stage 4-
The user opened "Software" (Location: /usr/share/applications) from the start menu which appeared to be doing the same as Snap-Store. From "Software", removed "Snap-Store" and "Freemind". Then installed them again using "Software". The same error message is displayed:
"cannot self-bind mount /run/snapd/ns: Permission denied"
-Stage 5-
Further research on the internet someone mentioned on a forum that this kind of behaviour is possibly due to using the "Software" application to install "Snap-Store" and not "Snapd".
-Stage 6-
Then executed "sudo snap remove snap-store" and "sudo snap remove freemind".
Then executed "sudo snap install snap-store" and "sudo snap install freemind".
The install completed successfully.
-Stage 7-
When executing "sudo aa-genprof snap-store", no new events are found during the (S)can system log, so the user can only (F)inish.
-Stage 8-
This is when the user assumed since the error was "snapd" that the issue will be resolved by executing "sudo aa-genprof snapd". This then displayed the content stated in the attached file and instructions.
-Stage 9-
When executing "sudo aa-genprof snapd" again the following error message is displayed:
"ERROR: Can't find snapd in the system path list. If the name of the application
is correct, please run 'which snapd' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter."
-Stage 10-
When executing "which snapd" no results are returned.
=====EXPECTATION=====
1. "Snap-Store" should have better permission options available. "Snap-Store" has 5 permissions where "Freemind" only had 2 permissions. General apps that allow users to CRUD files should include accessing removable media permission options.
2. AppArmor should have a better approach for users, especially new users, to troubleshoot and configuring permissions.
3. Permission error messages related to AppArmor must be more specific and user friendly to improve the communication and troubleshooting between users and the community. The error codes was not found using Google.
4. There really MUST be an easier way to move an application/services from "enforce mode" to "complain mode".
=====SYSTEM CONFIGURATION=====
Operating System: Kubuntu 19.10
KDE Plasma Version: 5.16.5
KDE Frameworks Version: 5.62.0
Qt Version: 5.12.4
Kernel Version: 5.3.0-26-generic
OS Type: 64-bit
Processors: 4 × Intel® Core™ i3 CPU M 350 @ 2.27GHz
Memory: 7,6 GiB of RAM
=====APPARMOR PROFILES CONFIGURATION=====
apparmor module is loaded.
80 profiles are loaded.
59 profiles are in enforce mode.
/home/nicolaas/snap
/sbin/dhclient
/snap
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snap-store/209/snap
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/bin/snap
/usr/bin/snap//null-/snap/core/8268/usr/bin/snap
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/haveged
/usr/sbin/ippusbxd
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
/usr/sbin/tcpdump
chromium_browser//browser_java
chromium_browser//browser_openjdk
chromium_browser//sanitized_helper
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.freemind
snap-update-ns.gnome-calculator
snap-update-ns.gnome-characters
snap-update-ns.gnome-logs
snap-update-ns.okular
snap-update-ns.remmina
snap-update-ns.snap-store
snap.core.hook.configure
snap.freemind.freemind
snap.gnome-calculator.gnome-calculator
snap.gnome-characters.gnome-characters
snap.gnome-logs.gnome-logs
snap.okular.okular
snap.remmina.remmina
snap.remmina.winpr-hash
snap.remmina.winpr-makecert
snap.snap-store.snap-store
21 profiles are in complain mode.
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
chromium_browser
chromium_browser//chromium_browser_sandbox
chromium_browser//lsb_release
chromium_browser//xdgsettings
identd
klogd
libreoffice-oopslash
libreoffice-soffice
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
6 processes have profiles defined.
4 processes are in enforce mode.
/usr/sbin/cups-browsed (739)
/usr/sbin/cupsd (606)
/usr/sbin/haveged (581)
/usr/sbin/mysqld (1806) /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
2 processes are in complain mode.
/usr/sbin/avahi-daemon (619) avahi-daemon
/usr/sbin/avahi-daemon (732) avahi-daemon
0 processes are unconfined but have a profile defined.
=====CONTENT OF TXT FILE LOGGED=====
<pre>Traceback (most recent call last):
File "/usr/sbin/aa-genprof", line 92, in <module>
program = apparmor.get_full_path(profiling)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 193, in get_full_path
path = os.getcwd() + '/' + path
FileNotFoundError: [Errno 2] No such file or directory
</pre>
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file. |
|
