Nameservice abstraction should also include /var/run/resolvconf/resolv.conf

Bug #132468 reported by David McBride
4
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Low
Unassigned

Bug Description

Binary package hint: apparmor

The Nameservice abstraction configuration file (/etc/apparmor.d/abstractions/nameservice) permits reads access to (amongst other paths) /etc/resolv.conf.

However, on systems using resolvconf, this is a symbolic link to /etc/resolvconf/run/resolv.conf -- where /etc/resolvconf/run itself is a symlink to /var/run/resolvconf.

Apparmor does not follow symlinks; as a result, apparmor'd applications which include the nameservice abstraction in their policy definition are unable to read /var/run/resolvconf/resolv.conf.

This is a bug, and (for example) breaks CUPS.

Adding /var/run/resolvconf/resolv.conf to /etc/apparmor.d/abstractions/nameservice corrects this problem. This should probably become the default.

Related branches

Mathias Gug (mathiaz)
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Steve Beattie (sbeattie) wrote :

I've added /var/run/resolvconf/resolv.conf to the upstream nameservice abstraction (svn rev 904).

Revision history for this message
Bohdan Kmit' (mit) wrote :

For bind9 proper operation with resolvconf package installed we also need to add
"/var/run/bind/named.options" to "/etc/apparmor.d/usr.sbin.named" profile.

Revision history for this message
Mathias Gug (mathiaz) wrote : Re: [Bug 132468] Re: Nameservice abstraction should also include /var/run/resolvconf/resolv.conf

Thanks for your report. I've added the file to the named profile.

Revision history for this message
Mathias Gug (mathiaz) wrote :

apparmor (2.1+961-0ubuntu1) gutsy; urgency=low

  * New upstream version.
    * Support resolvconf. Fix LP: #132468.
  * Move package maintainance to bzr:
    * Apply all patches directly into the tree with dpatch apply-all.
    * debian/patches/: remove all patches as they are applied inline now.
    * debian/control, debian/control.modules.in: remove dpatch from
      Build Depends.
    * debian/rules:
      * remove dpatch include.
      * remove patch and unpatch dependencies
  * debian/control:
    * Rename libapparmor-dev to libapparmor1-dev.
      Add Provides: and Conflict: tags.
    * Remove universe component in Section tag.
    * Remove apparmor-utils depends on bsdutils.
    * Update apparmor-modules Recommends to apparmor-modules-2.1.
  * utils/:
    * Add audit man page.
  * Fix mod_appamor library: remove rpath info.
    * debian/rules: remove rpath info.
    * debian/control: add chrpath as a build dependency.
  * Remove apparmor-modules-source package:
    * debian/conrol: remove apparmor-modules-source package.
    * debian/apparmor.postinst, debian/apparmor.preinst,
      debian/apparmor.prerm: remove error_handler function.
    * debian/rules: remove error_handler option from dh_installinit.
    * debian/apparmor-modules-_KVERS_.postinst.modules.in,
      debian/control.modules.in: remove control and postinst files.

 -- Mathias Gug <email address hidden> Tue, 11 Sep 2007 10:44:56 -0400

Changed in apparmor:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers