Disconnected path errors

Bug #1518663 reported by Peter
This bug affects 4 people
Affects: apparmor (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The first error is that the audit message (notice the path):

type=AVC msg=audit(1448143203.902:359992): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/openvpn" name="run/nscd/dbfQMsBd" pid=25814 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

appears in the audit log. The second is that aa-logprof throws an exception on reading it:

Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3.4/site-packages/apparmor/aa.py", line 2289, in do_logprof_pass
    ask_the_questions()
  File "/usr/lib/python3.4/site-packages/apparmor/aa.py", line 1762, in ask_the_questions
    severity = sev_db.rank(path, mode_to_str(mode))
  File "/usr/lib/python3.4/site-packages/apparmor/severity.py", line 141, in rank
    raise AppArmorException("Unexpected rank input: %s" % resource)
apparmor.common.AppArmorException: 'Unexpected rank input: run/nscd/dbfQMsBd'

I've been having this problem for several years.

Peter (auxsvr-gmail)
no longer affects: apparmor (openSUSE)
Christian Boltz (cboltz) wrote :

The fix *) for this is in upstream AppArmor 2.10 and will also be in 2.9.3.

*) fix means ignoring those log entries to avoid the crash. Ideally aa-logprof should propose adding the attach_disconnected flag. See also https://bugzilla.opensuse.org/show_bug.cgi?id=918787

Note: You'll need to add flags=(attach_disconnected) to your openvpn profile

To avoid aa-logprof crashes again, rotate audit.log away (or update to a newer version of the AppArmor utils that contains the fix).

sokoow (sokoow) wrote :

This is still happening with 2.10 on wily:

Jan 14 11:52:10 odroid-server2 kernel: [ 407.359113] type=1400 audit(1452772330.854:2980): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=1 profile="/usr/bin/docker" name="/media/docker/aufs/mnt/01f511157176093c59c09aabe19402654881dfda6fae5e74157a142030563141-init/" pid=1323 comm="docker" fstype="aufs" srcname="none" flags="rw"
Jan 14 11:52:17 odroid-server2 kernel: [ 413.770509] type=1400 audit(1452772337.269:2988): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=1434 profile="/usr/bin/docker" name="media/docker/aufs/diff/01f511157176093c59c09aabe19402654881dfda6fae5e74157a142030563141-init/proc" pid=1490 comm="exe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 14 11:52:17 odroid-server2 kernel: [ 413.770679] type=1400 audit(1452772337.269:2990): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=1434 profile="/usr/bin/docker" name="media/docker/aufs/diff/01f511157176093c59c09aabe19402654881dfda6fae5e74157a142030563141-init/dev" pid=1490 comm="exe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 14 11:52:17 odroid-server2 kernel: [ 413.771132] type=1400 audit(1452772337.269:2992): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=1434 profile="/usr/bin/docker" name="media/docker/aufs/diff/01f511157176093c59c09aabe19402654881dfda6fae5e74157a142030563141-init/sys" pid=1490 comm="exe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Unexpected rank input: media/docker/aufs/diff/01f511157176093c59c09aabe19402654881dfda6fae5e74157a142030563141-init/dev

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
QkiZ (qkiz) wrote :

16.04.1 here, same error.
Oct 30 00:33:19 tesla kernel: [603564.289033] audit: type=1400 audit(1477780399.072:143419): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/log" name="run/systemd/journal/dev-log" pid=26591 comm="log" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

xylo (stefan-endrullis) wrote :

17.10 here, same error with mariadb-server:
Nov 07 10:08:20 pc770 audit[23211]: AVC apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/mysqld" name="run/systemd/notify" pid=23211 comm="mysqld" requested_mask="w" denied_mask="w" fsuid=124 ouid=0
Nov 07 10:08:20 pc770 kernel: audit: type=1400 audit(1510045700.070:89): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/mysqld" name="run/systemd/notify" pid=23211 comm="mysqld" requested_mask="w" denied_mask="w" fsuid=124 ouid=0

Jamie Strandboge (jdstrand) wrote :

Today, people experiencing this error need to use flags=(attach_disconnected) in the profile. Eg:

/path/to/thing flags=(attach_disconnected) {
  ...
}

Jamie Strandboge (jdstrand) wrote :

Ultimately this is a kernel issue and the limitations it puts on apparmor for tracking files with disconnected paths. There isn't anything that the apparmor package or abstractions can do to help with this, but people can update their profiles to use flags=(attach_disconnected), as mentioned. For profiles shipped in Ubuntu packages that do not use this flag but are seeing disconnected path denials, please file new bugs and we'll adjust those profiles accordingly. For lack of a better bug status, marking as Won't Fix.

Changed in apparmor (Ubuntu):
status: Confirmed → Won't Fix
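
Added example (not part of the bug report and not AppArmor's own code): a small log scanner that skips disconnected-path records instead of failing on their relative names, and reports which profiles need the flags=(attach_disconnected) header discussed above. The function names are hypothetical; the first two sample lines are copied from the comments above, the last two are constructed.

```python
import re
from collections import defaultdict

# key="value" or key=value pairs as they appear in AppArmor audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def is_disconnected(ev):
    """True if the kernel reported a name-lookup failure on a disconnected path."""
    info, name = ev.get("info", ""), ev.get("name", "")
    if "disconnected path" in info:
        return True
    # Assumption: a failed lookup that logs a name without a leading "/" is the
    # same condition (some records above omit the "disconnected path" text).
    return "Failed name lookup" in info and not name.startswith("/")

def profiles_needing_flag(lines):
    """Map each affected profile to the sorted relative names that were logged."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and is_disconnected(ev):  # skip and report instead of ranking
            hits[ev.get("profile", "?")].add(ev.get("name", ""))
    return {profile: sorted(names) for profile, names in hits.items()}

def profile_header(profile):
    """Profile opening line in the form shown in the comments above."""
    return "%s flags=(attach_disconnected) {" % profile

SAMPLE = [
    # copied from the report above
    'type=AVC msg=audit(1448143203.902:359992): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/openvpn" name="run/nscd/dbfQMsBd" pid=25814 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Nov 07 10:08:20 pc770 kernel: audit: type=1400 audit(1510045700.070:89): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/mysqld" name="run/systemd/notify" pid=23211 comm="mysqld" requested_mask="w" denied_mask="w" fsuid=124 ouid=0',
    # constructed: ordinary denial with an absolute path, must not be flagged
    'type=AVC msg=audit(1448143300.000:360001): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/client.conf" pid=25814 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: unrelated log line
    'Nov 07 10:08:21 pc770 systemd[1]: Started MariaDB database server.',
]

if __name__ == "__main__":
    for profile, names in profiles_needing_flag(SAMPLE).items():
        print(profile_header(profile), " # disconnected:", ", ".join(names))
```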