please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Released | Medium | Jamie Strandboge | |
| apparmor (Ubuntu) | Fix Released | Critical | Ubuntu Security Team | |
| chrony (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
In focal users of mdns get denials in apparmor confined applications.
An example can be found in the original bug below.
It seems it is a common pattern, see
https:/
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(158551716
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/
Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: chrony 3.5-6ubuntu1
ProcVersionSign
Uname: Linux 5.4.0-18-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sun Mar 29 15:02:39 2020
InstallationDate: Installed on 2020-03-26 (3 days ago)
InstallationMedia: Xubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200326)
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)
tags: added: rls-ff-incoming
Changed in snapd: importance: Undecided → Medium
As a workaround, changing /etc/apparmor.d/local/usr.sbin.chronyd to include
/etc/mdns.allow r,
and reloading with
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd
made it shut up.
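The denial and workaround above, as an added example that is not part of this bug report or of the apparmor/chrony packages: a small parser that reads AppArmor type=1400 DENIED audit lines and derives the narrowest file rule for the local override of each affected profile. The audit lines it runs on are constructed samples shaped like the chronyd/mdns.allow denial described above, and the mapping from profile name to /etc/apparmor.d/local/<file> assumes the usual packaged naming convention (usr.sbin.chronyd).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not copied from the bug report): the shape of the
# AppArmor type=1400 denial libnss-mdns triggers when confined chronyd resolves
# a .local name and NSS opens /etc/mdns.allow. The third line is not a denial.
SAMPLE_LOG = """\
audit: type=1400 audit(1585517160.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585517161.456:457): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585517162.789:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/etc/chrony/chrony.conf" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(log_text):
    """Return one dict of key="value" fields per type=1400 line with apparmor="DENIED"."""
    out = []
    for line in log_text.splitlines():
        if "type=1400" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            out.append(fields)
    return out


def local_override_rules(denials):
    """Map profile name -> sorted list of file rules that would silence the
    observed file-open denials, e.g. '/etc/mdns.allow r,'."""
    rules = defaultdict(set)
    for d in denials:
        path, mask = d.get("name"), d.get("denied_mask") or d.get("requested_mask")
        # Only file-open denials carry a path plus access mask; other operations
        # (network, signal, ...) need different rule syntax and are skipped here.
        if d.get("operation") != "open" or not path or not mask:
            continue
        # Keep the rule as narrow as the denial: the exact path and only the
        # access bits that were refused.
        rules[d["profile"]].add(f"{path} {mask},")
    return {p: sorted(r) for p, r in rules.items()}


def override_file_for(profile):
    """Assumed convention: /etc/apparmor.d/local/<profile path with '/' -> '.'>."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


if __name__ == "__main__":
    for profile, lines in local_override_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# append to {override_file_for(profile)}, then reload with:")
        print(f"# sudo apparmor_parser -r {override_file_for(profile).replace('/local', '')}")
        for rule in lines:
            print("  " + rule)
```

The script only proposes rules from what the kernel actually refused; review each line before appending it, since a broader mask or a glob would widen the profile beyond the observed need.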