snappy-hwe-snaps

network-manager dbus connection gets denied by appamor on snap package

Bug #1844112 reported by Hans Ronald Fischer on 2019-09-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snappy-hwe-snaps	Invalid	Undecided	Unassigned

Bug Description

I've installed the current version of Ubuntu Server and upgraded to the newest version. As netplan does not handle cellular interfaces I've installed network-manager to handle WWAN device via modem-manager.

As there is not a version of modem-manager in the apt repo I've installed both (network-manager and modem-manager) via snap

I've configured netplan to use network manager only (/etc/netplan/50-cloud-init.yaml):
network:
renderer: NetworkManager
version: 2

Restarted the machine and logged in again. Network-manager service is running and I got a DHCP address. However, modem-manager server failed to start as well as the nm-cli is not able to connect to the dbus service.

journalctl output:
Sep 16 08:29:21 nuc1 audit[989]: USER_AVC pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/ModemManager
                                  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Sep 16 08:29:21 nuc1 kernel: audit: type=1107 audit(1568622561.789:60): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path=
                              exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Sep 16 08:29:21 nuc1 NetworkManager[1044]: <warn> [1568622561.7954] error creating ModemManager client: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this
Sep 16 08:29:26 nuc1 systemd-timesyncd[800]: Network configuration changed, trying to establish connection.
Sep 16 08:29:26 nuc1 kernel: IPv6: ADDRCONF(NETDEV_UP): wlo2: link is not ready
Sep 16 08:29:26 nuc1 systemd-timesyncd[800]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
Sep 16 08:30:29 nuc1 systemd-timesyncd[800]: Network configuration changed, trying to establish connection.
Sep 16 08:30:29 nuc1 kernel: IPv6: ADDRCONF(NETDEV_UP): wlo2: link is not ready
Sep 16 08:30:29 nuc1 systemd-timesyncd[800]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
Sep 16 08:31:21 nuc1 audit[989]: USER_AVC pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/ModemManager
                                  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Sep 16 08:31:21 nuc1 NetworkManager[1044]: <warn> [1568622681.8019] error creating ModemManager client: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this
Sep 16 08:31:21 nuc1 kernel: audit: type=1107 audit(1568622681.796:61): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path=
                              exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

When executing: sudo nmcli r
[sudo] password for fischer:

(process:3569): nmcli-CRITICAL **: Error: Could not create NMClient object: Could not connect: Permission denied.

the snappy debug output shows

INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Sep 16 08:40:09
Log: apparmor="DENIED" operation="connect" profile="snap.network-manager.nmcli" name="/run/dbus/system_bus_socket" pid=3500 comm="nmcli" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/dbus/system_bus_socket (write)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
^C

This results that I cannot configure network-manager via cli.

Additional information
Linux nuc1 4.15.0-62-generic #69-Ubuntu SMP Wed Sep 4 20:55:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Revision history for this message

Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote on 2019-09-16:

On desktop, not all NM interfaces are auto-connected, you will need to run

$ snap connect network-manager:nmcli

to get rid of the errors. Said this, there *is* a deb package for MM that you can install instead of using snaps:

$ sudo apt install modemmanager

In general, NM/MM snaps are optimized for Ubuntu Core, so in your case it will be probably better to use debs for these concrete services.

Revision history for this message

Hans Ronald Fischer (fischercer) wrote on 2019-09-19:

Thanks for the clarification.

I seems that there are several things in play that lead to misunderstanding.

- The naming of the packages are confusing as the apt version is called `modemmanager` and the snap version modem-manager.
- Snap proposes a package with the name `modem-manager` as there is no package named like this in apt
- When searching with apt there are no matches for 'modem-manager' as it is named differently and in the description does not have this name also.
- When you google it you end up in the documentation of ubuntu core which is not so obvious.

Alfonso Sanchez-Beato (alfonsosanchezbeato) on 2021-01-04

Changed in snappy-hwe-snaps:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.