AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock and /dev/shm → /run/shm

Bug #810270 reported by Micah Gersten
This bug affects 15 people
Affects                       Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)             Fix Released  High        Jamie Strandboge
  Oneiric                     Fix Released  High        Jamie Strandboge
bind9 (Ubuntu)                Fix Released  High        Martin Pitt
  Oneiric                     Fix Released  High        Martin Pitt
clamav (Ubuntu)               Fix Released  High        Jamie Strandboge
  Oneiric                     Fix Released  High        Jamie Strandboge
cups (Ubuntu)                 Fix Released  High        Martin Pitt
  Oneiric                     Fix Released  High        Martin Pitt
gdm-guest-session (Ubuntu)    Fix Released  High        Jamie Strandboge
  Oneiric                     Fix Released  High        Jamie Strandboge
isc-dhcp (Ubuntu)             Fix Released  High        Jamie Strandboge
  Oneiric                     Fix Released  High        Jamie Strandboge
libvirt (Ubuntu)              Fix Released  High        Jamie Strandboge
  Oneiric                     Fix Released  High        Jamie Strandboge
mysql-5.1 (Ubuntu)            Fix Released  High        Martin Pitt
  Oneiric                     Fix Released  High        Martin Pitt
ntp (Ubuntu)                  Fix Released  High        Martin Pitt
  Oneiric                     Fix Released  High        Martin Pitt
openldap (Ubuntu)             Fix Released  High        Martin Pitt
  Oneiric                     Fix Released  High        Martin Pitt

Bug Description

Figured I'd file a tracking bug for this. The symlink exists from /var/run to /run, but I'm guessing the profiles don't like this. The main problems I've seen so far are cups and dhclient (which I think are both profiles in their respective packages).

Revision history for this message
Martin Pitt (pitti) wrote :

Example:

Jul 14 11:27:50 localhost kernel: [ 8660.404355] type=1400 audit(1310635670.401:12064): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.404469] type=1400 audit(1310635670.401:12065): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.443356] type=1400 audit(1310635670.441:12066): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/printcap" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.445231] type=1400 audit(1310635670.441:12067): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cups.sock" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.445362] type=1400 audit(1310635670.441:12068): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cupsd.pid" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
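
Added example, not part of this report or of any Ubuntu package: a small parser that turns DENIED audit lines like the ones above into candidate profile rules that allow both the old and the new location of a moved directory. The sample lines are copied from this report (the cupsd lines above plus the mysqld line from a later comment); the `/{var/run,run}/...` alternation and the mapping of the logged "c"/"d" masks to a "w" permission are this example's choices, not the rules the fixed packages actually shipped.

```python
import re
from collections import defaultdict

# key=value and key="quoted value" fields of an AppArmor audit record
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directories moved by the /run transition, (old location, new location).
# Longest new prefix first so /run/lock/ is not mistaken for /run/.
MOVED_DIRS = [
    ("/var/lock/", "/run/lock/"),
    ("/dev/shm/", "/run/shm/"),
    ("/var/run/", "/run/"),
]

# AppArmor logs create/delete as "c"/"d"; a profile grants both with "w".
# Exec ("x") is dropped on purpose: it needs an ix/px/ux qualifier that a
# log line cannot tell you.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

# Sample input pasted from this report so the example runs offline; the last
# line is an init message, included to show that non-AppArmor lines are skipped.
SAMPLE_LOG = [
    'Jul 14 11:27:50 localhost kernel: [ 8660.404355] type=1400 audit(1310635670.401:12064): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'Jul 14 11:27:50 localhost kernel: [ 8660.404469] type=1400 audit(1310635670.401:12065): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'Jul 14 11:27:50 localhost kernel: [ 8660.443356] type=1400 audit(1310635670.441:12066): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/printcap" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'Jul 14 11:27:50 localhost kernel: [ 8660.445231] type=1400 audit(1310635670.441:12067): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cups.sock" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'Jul 14 11:27:50 localhost kernel: [ 8660.445362] type=1400 audit(1310635670.441:12068): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cupsd.pid" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    '[84848.322283] type=1400 audit(1319135491.915:5642): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=2708 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116',
    '[84853.637467] init: mysql main process (2708) terminated with status 1',
]


def parse_audit_line(line):
    """Return the fields of an AppArmor DENIED record, or None for anything else."""
    fields = {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def _with_old_location(path):
    """Rewrite a path under a moved directory as a {old,new} alternation."""
    for old, new in MOVED_DIRS:
        for prefix in (new, old):
            if path.startswith(prefix):
                return "/{%s,%s}/%s" % (old.strip("/"), new.strip("/"), path[len(prefix):])
    return path


def transition_rule(path, mask):
    """Build one profile rule for `path` that also allows its pre-/run location."""
    perms = "".join(sorted({MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}))
    return "%s %s," % (_with_old_location(path), perms)


def suggest_rules(lines):
    """Group DENIED records per profile and return one suggested rule per path."""
    wanted = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        mask = rec.get("denied_mask") or rec.get("requested_mask") or ""
        wanted[rec["profile"]][rec["name"]].update(mask)
    return {profile: [transition_rule(path, "".join(sorted(masks)))
                      for path, masks in sorted(paths.items())]
            for profile, paths in wanted.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# suggested for profile %s" % profile)
        for rule in rules:
            print("  " + rule)
```

The output is a starting point for a profile edit, not something to paste blindly: a directory-wide rule (`/{var/run,run}/cups/** w,`) is usually preferable to one rule per file, and any denied exec still has to be granted by hand with the right exec qualifier.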

Revision history for this message
Martin Pitt (pitti) wrote :

sbin.dhclient and usr.sbin.cupsd profiles also refer to /var/run/, adding tasks for these as well.

Changed in cups (Ubuntu):
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
Changed in isc-dhcp (Ubuntu):
status: New → Triaged
summary: - /run transition wreaking havoc on profiles
+ AppArmor profiles need updates for /var/run → /run
Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in cups (Ubuntu):
importance: Undecided → High
Changed in isc-dhcp (Ubuntu):
importance: Undecided → High
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Martin Pitt (pitti)
Changed in cups (Ubuntu Oneiric):
assignee: nobody → Martin Pitt (pitti)
Changed in apparmor (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
Changed in cups (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
Changed in isc-dhcp (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
Changed in cups (Ubuntu Oneiric):
status: Triaged → In Progress
Martin Pitt (pitti)
Changed in cups (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu Oneiric):
assignee: Martin Pitt (pitti) → nobody
summary: - AppArmor profiles need updates for /var/run → /run
+ AppArmor profiles need updates for /var/run → /run and /var/lock →
+ /run/lock
Changed in ntp (Ubuntu Oneiric):
status: New → Triaged
Changed in isc-dhcp (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ntp (Ubuntu Oneiric):
importance: Undecided → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock

*sigh* This requires a lot of changes.

Changed in libvirt (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in ntp (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → oneiric-alpha-3
Changed in libvirt (Ubuntu Oneiric):
importance: Undecided → High
milestone: none → oneiric-alpha-3
Changed in bind9 (Ubuntu Oneiric):
importance: Undecided → High
status: New → Triaged
Changed in clamav (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in gdm-guest-session (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in clamav (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in bind9 (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → oneiric-alpha-3
Changed in clamav (Ubuntu Oneiric):
importance: Undecided → High
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mysql-5.1 (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in openldap (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in apparmor (Ubuntu Oneiric):
status: Triaged → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

Seems Jamie already has an update for gdm-guest-session

Changed in gdm-guest-session (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
assignee: Martin Pitt (pitti) → Jamie Strandboge (jdstrand)
status: Triaged → Fix Committed
Changed in bind9 (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → In Progress
Changed in ntp (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.7-1

---------------
cups (1.4.7-1) unstable; urgency=low

  * New upstream version.

  [ Till Kamppeter ]
  * debian/patches/ubuntu-upstart.dpatch: Updated the patch to add support
    to the new device enumeration functionality of udev-configure-printer.
    This way we do not need to retrigger the printers. Retriggering is only
    needed if udev rules change. A fallback to the old behavior is provided
    so that this CUPS package continues to work with older versions of
    udev-configure-printer.

  [ Martin Pitt ]
  * Update patches for new upstream release.
  * Drop fix-broken-ipv6-uris.patch, applied upstream.
  * debian/local/apparmor-profile: /var/run → /run transition. (LP: #810270)
  * Drop debian/patches/ubuntu-upstart.dpatch and move the upstart script to
    debian/local/cups.upstart. In debian/rules, copy it to debian/, and remove
    that again during clean. This is a slightly easier workaround for a
    nonexisting "dh_installinit --sysvinit-only" option than the previous
    creation of the upstart file with an ubuntu specific dpatch.
  * debian/patches/, debian/rules, debian/control, debian/source/format: Move
    to source format "3.0 (quilt)" and convert our dpatches to quilt patches.
    Drop dpatch build dependency.
  * Move Ubuntu specific patches to debian/patches/ubuntu. In debian/rules,
    apply them when building on Ubuntu. Add "patch" build dependency.
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:02:36 +0200

Changed in cups (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Micah Gersten (micahg)
summary: AppArmor profiles need updates for /var/run → /run and /var/lock →
- /run/lock
+ /run/lock and /dev/shm -> /run/shm
Martin Pitt (pitti)
Changed in openldap (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → Fix Committed
Changed in bind9 (Ubuntu Oneiric):
status: In Progress → Fix Committed
Micah Gersten (micahg)
summary: AppArmor profiles need updates for /var/run → /run and /var/lock →
- /run/lock and /dev/shm -> /run/shm
+ /run/lock and /dev/shm → /run/shm
Martin Pitt (pitti)
Changed in mysql-5.1 (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p2+dfsg-1ubuntu9

---------------
ntp (1:4.2.6.p2+dfsg-1ubuntu9) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:12:09 +0200

Changed in ntp (Ubuntu Oneiric):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.7.3.dfsg-1ubuntu4

---------------
bind9 (1:9.7.3.dfsg-1ubuntu4) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:15:45 +0200

Changed in bind9 (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.25-1.1ubuntu2

---------------
openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:18:02 +0200

Changed in openldap (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.1 - 5.1.54-1ubuntu5

---------------
mysql-5.1 (5.1.54-1ubuntu5) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:21:19 +0200

Changed in mysql-5.1 (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in isc-dhcp (Ubuntu Oneiric):
status: Triaged → In Progress
Changed in isc-dhcp (Ubuntu Oneiric):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.1-P1-17ubuntu4

---------------
isc-dhcp (4.1.1-P1-17ubuntu4) oneiric; urgency=low

  * adjust AppArmor profile for /var/run -> /run (LP: #810270)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:26:44 -0500

Changed in isc-dhcp (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.27

---------------
gdm-guest-session (0.27) oneiric; urgency=low

  * apparmor/gdm-guest-session: /var/run -> /run and /dev/shm -> /run/shm
    transition (LP: #810270)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 07:36:57 -0500

Changed in gdm-guest-session (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in clamav (Ubuntu Oneiric):
status: Triaged → In Progress
Changed in libvirt (Ubuntu Oneiric):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.1+dfsg-1ubuntu2

---------------
clamav (0.97.1+dfsg-1ubuntu2) oneiric; urgency=low

  * adjust AppArmor profile for /var/run -> /run (LP: #810270)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:36:01 -0500

Changed in clamav (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in clamav (Ubuntu Oneiric):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.2-4ubuntu4

---------------
libvirt (0.9.2-4ubuntu4) oneiric; urgency=low

  * debian/apparmor/libvirt-qemu: adjust for /dev/shm -> /run/shm transition
  * debian/patches/lp810270.patch: adjust AppArmor profile for /var/run ->
    /run
    - LP: #810270
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:46:32 -0500

Changed in libvirt (Ubuntu Oneiric):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6.1-4ubuntu3

---------------
apparmor (2.6.1-4ubuntu3) oneiric; urgency=low

  * debian/patches/0106-lp810270.patch: adjustments for /var/run -> /run,
    /var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270)
  * debian/patches/0107-lp767308.patch: allow read access to
    /usr/local/share/ca-certificates (LP: #767308)
  * debian/patches/0001-add-chromium-browser.patch: updates for newer chromium
    (LP: #776648)
  * debian/patches/0108-gnome-mimeinfo.patch: allow read access to
    /usr/share/gnome/applications/mimeinfo.cache in the gnome abstraction
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 09:39:49 -0500

Changed in apparmor (Ubuntu Oneiric):
status: In Progress → Fix Released
Revision history for this message
Jürgen (jurgen-depicker) wrote :

I'm afraid it's not fixed yet for mysql Ver 14.14 Distrib 5.1.58, for debian-linux-gnu (x86_64). http://penguindroppings.wordpress.com/2009/07/07/should-i-disable-apparmor/ was my help to temporarily disable the profile for mysql to get things working again:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld
sudo service mysql start
mysql start/running, process 3024

Before doing this, I got this from dmesg:
type=1400 audit(1319135491.751:5641): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=2704 comm="apparmor_parser"
[84848.322283] type=1400 audit(1319135491.915:5642): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=2708 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
[84853.637467] init: mysql main process (2708) terminated with status 1
[84853.637505] init: mysql main process ended, respawning

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Jurgen, this sounds like you may have not accepted the changes to /etc/apparmor.d/usr.sbin.mysqld on upgrade. Please look in /etc/apparmor.d/ for *dpkg* files and merge the changes. If this is not the case, please file a new bug with 'ubuntu-bug mysql-5.1'. Thanks

Revision history for this message
Jürgen (jurgen-depicker) wrote :

I'm sorry I forgot to mention that this is on a blank new install. Unfortunately, so I'll give it a try and file that bug!

Revision history for this message
cideous (mr-nightmare) wrote :

Continuously I get errors of the form:

[ 4961.366862] type=1400 audit(1329587229.044:159): apparmor="DENIED" operation="mknod" parent=1049 profile="/sbin/dhclient" name="/var/lib/dhcp/dhclient-8740e579-0e00-4d28-acc6-c9998a25e262-eth0.lease" pid=1589 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Is this because this bug is still unsolved for dhclient, or is this because of the way I set up my filesystem? Note that I made /var a symlink to a different partition. My root filesystem is an SSD and I followed the recommendation not to have var on the SSD. So is this just because I'm using a symlink here and I shouldn't have used it here?

Revision history for this message
Kees Cook (kees) wrote :

If filesystem paths have been relocated, please use /etc/apparmor.d/tunables/alias to handle replacements.
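
Added example, not part of this report or of AppArmor itself, showing what the alias tunable does to a profile rule. The `alias /old/ -> /new/,` line syntax is AppArmor's own; the `/ssd/var` target, the lease-file rule path and the relocated path are constructed stand-ins for a /var that has been moved to another partition, not the real sbin.dhclient rule. The glob matcher covers the common AppArmor path-glob forms (`*`, `**`, `?`, `{a,b}`, `[..]`) so the check can be run against any profile path you paste in.

```python
import re

# Constructed tunables/alias content: the comment and the /ssd/var target are
# assumptions, the 'alias /old/ -> /new/,' syntax is AppArmor's.
ALIAS_TUNABLE = """
# /var lives on a separate partition; make rules for /var/ apply there too
alias /var/ -> /ssd/var/,
"""

# Hypothetical rule path for dhclient's lease files and the path the kernel
# would report once /var is relocated (both constructed for this example).
LEASE_RULE = "/var/lib/dhcp/dhclient*"
RELOCATED_LEASE = "/ssd/var/lib/dhcp/dhclient-eth0.lease"


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored Python regex.

    '*' matches within one path component, '**' crosses components, '?' is
    one character, '{a,b}' is alternation (nesting allowed) and '[..]' is
    passed through as a character class.
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and "]" in glob[i + 1:]:
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1])
            i = j + 1
            continue
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def parse_aliases(text):
    """Parse 'alias /old/ -> /new/,' rules, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"alias\s+(\S+)\s*->\s*(\S+?)\s*,$", line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def apply_aliases(rule_path, aliases):
    """Paths a rule effectively covers: itself plus each alias rewrite of it.

    The parser keeps the original rule and adds the rewritten one, so a rule
    written for /var/ also matches under the aliased prefix.
    """
    paths = [rule_path]
    for old, new in aliases:
        if rule_path.startswith(old):
            paths.append(new + rule_path[len(old):])
    return paths


def rule_covers(rule_path, accessed_path, aliases=()):
    """True if a profile rule for rule_path would match accessed_path."""
    return any(re.match(glob_to_regex(p), accessed_path)
               for p in apply_aliases(rule_path, aliases))


if __name__ == "__main__":
    aliases = parse_aliases(ALIAS_TUNABLE)
    print("without alias:", rule_covers(LEASE_RULE, RELOCATED_LEASE))
    print("with alias:   ", rule_covers(LEASE_RULE, RELOCATED_LEASE, aliases))
```

The same matcher also shows why the `/{,var/}run/` style rule works for the transition in this bug: one rule path matches both the old and the new location without an alias, whereas an alias is the right tool when the whole tree (here /var) has been moved somewhere the profiles never mention.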

Revision history for this message
Thomas Tanghus (tanghus) wrote :