Abstraction needs access to @{PROC}/sys/kernel/random/boot_id

Bug #1878175 reported by Daniel Richard G.
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

This concerns apparmor 2.13.3-7ubuntu5 in Ubuntu focal.

I have AppArmor actively enforcing policy on my system. In /var/log/syslog, I see a number of the following two sorts of messages:

  May 12 04:44:21 image-ubuntu64 kernel: [ 26.667094] audit: type=1400 audit(1589273061.296:63): apparmor="DENIED" operation="open" profile="nscd" name="/proc/sys/kernel/random/boot_id" pid=655 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  May 12 04:44:26 image-ubuntu64 kernel: [ 32.107018] audit: type=1400 audit(1589273066.730:99): apparmor="DENIED" operation="open" profile="/usr/sbin/nslcd" name="/proc/sys/kernel/random/boot_id" pid=1004 comm="nslcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The following line is needed in an abstraction somewhere:

  @{PROC}/sys/kernel/random/boot_id r,

I've added it locally to /etc/apparmor.d/abstractions/nameservice, and that took care of the above errors for me. AppArmor upstream has added it to abstractions/nss-systemd, but this file does not exist in Ubuntu's apparmor package.

Tags: focal
Changed in apparmor (Ubuntu):
status: New → Confirmed
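
The triage done by hand in the report can be scripted. The following is an added example, not part of the original report or of AppArmor's own tooling: it parses the denial records quoted above, turns each into a candidate rule using the @{PROC} tunable, and lists rules denied under more than one profile, which are the ones that belong in a shared abstraction. All function names are hypothetical, and the sample input is the two log lines from the report.

```python
import re
from collections import defaultdict
# Constructed sample input: the two denial records quoted in the report.
SAMPLE_LOG = """\
May 12 04:44:21 image-ubuntu64 kernel: [ 26.667094] audit: type=1400 audit(1589273061.296:63): apparmor="DENIED" operation="open" profile="nscd" name="/proc/sys/kernel/random/boot_id" pid=655 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 12 04:44:26 image-ubuntu64 kernel: [ 32.107018] audit: type=1400 audit(1589273066.730:99): apparmor="DENIED" operation="open" profile="/usr/sbin/nslcd" name="/proc/sys/kernel/random/boot_id" pid=1004 comm="nslcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            rec[key] = quoted or bare
            # audit logs names with special characters unquoted, hex-encoded
            if key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
                rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        records.append(rec)
    return records

def to_rule(rec):
    """Build a file rule; None if the path or mask cannot be used verbatim."""
    path, mask = rec.get("name", ""), rec.get("denied_mask", "")
    if not re.fullmatch(r"/[\w./:@+-]*", path) or not re.fullmatch(r"[rwaklm]+", mask):
        return None
    if path.startswith("/proc/"):  # use the tunable, as the report's rule does
        path = "@{PROC}/" + path[len("/proc/"):]
    return f"{path} {mask},"

def rules_by_profile(text):
    """Map each confined profile to the sorted rules its denials call for."""
    out = defaultdict(set)
    for rec in parse_denials(text):
        if (rule := to_rule(rec)) and "profile" in rec:
            out[rec["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}

def shared_rules(text):
    """Rules denied under more than one profile: candidates for an abstraction."""
    seen = defaultdict(set)
    for profile, rules in rules_by_profile(text).items():
        for rule in rules:
            seen[rule].add(profile)
    return {r: sorted(p) for r, p in seen.items() if len(p) > 1}
```

Records whose path would need quoting or escaping, or whose mask is not a plain file permission string, are skipped rather than turned into a rule, so everything returned can be reviewed as written.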