libnss-systemd was denied talking to pid1

Bug #1796911 reported by Andreas Hasenack on 2018-10-09
This bug affects 3 people
Affects: apparmor (Ubuntu)
Importance: High
Assigned to: Jamie Strandboge

Bug Description

cosmic
apparmor 2.12-4ubuntu8
kernel 4.18.0-8-generic #9-Ubuntu

I'm getting these audit messages in dmesg showing apparmor denied errors:
[ 68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 161.059989] audit: type=1107 audit(1539095018.957:33): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1191 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 437.582034] audit: type=1107 audit(1539095295.553:34): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1534 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 468.184231] audit: type=1107 audit(1539095326.159:35): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1577 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

I pinged #ubuntu-hardened, and xnox had these comments:
<xnox> ha
<xnox> ahasenack, libnss-systemd was denied talking to pid1
<xnox> to query dynamicusers i think
<xnox> so i think something somewhere need adjustment to allow libnss-systemd to talk to pid1 and call GetDynamicUsers
<xnox> LookupDynamicUserByName LookupDynamicUserByUID GetDynamicUsers
<xnox> as well

David Myers (demyers) wrote :

I see very similar errors with strongSwan when the daemon charon is run as non-root:

[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"
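The denials above (named in the report, charon in this comment) have the same shape: a type=1107 record emitted by dbus-daemon, the AppArmor DBus mediator, because the confined sender has no `dbus send` rule for org.freedesktop.systemd1.Manager. The script below is an added example, not code from this bug, AppArmor or systemd: it parses such records (constructed copies of the two quoted ones are embedded) and renders the `dbus send` rule a profile would need, optionally widened to the three Manager methods xnox listed. It does not cover the varlink socket access that the eventual Ubuntu fix also grants.

```python
"""Turn AppArmor DBus denials into the 'dbus send' rule a profile needs.

Added example for this report; not code from the bug, AppArmor or systemd.
It parses type=1107 (AUDIT_USER_AVC) records like the ones quoted above,
which dbus-daemon emits on behalf of the confined sender, and renders the
AppArmor dbus rule that would permit the blocked method call.
"""
import re

# Constructed sample: the named and charon denials quoted in the report,
# each re-joined onto one line (dmesg wraps them).
SAMPLE_AUDIT = """\
[   68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"'
"""

# The three systemd1.Manager methods xnox named in the report; libnss-systemd
# calls them on pid 1 to resolve DynamicUser= accounts.
DYNAMIC_USER_METHODS = ("GetDynamicUsers",
                        "LookupDynamicUserByName",
                        "LookupDynamicUserByUID")

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the msg='...' fields of an apparmor="DENIED" 1107 record, else None.

    Only the msg part is parsed: the pid/uid before it belong to dbus-daemon
    (the reporter), while pid/label inside msg identify the confined sender.
    """
    head, sep, msg = line.partition("msg='")
    if not sep or "type=1107" not in head:
        return None
    fields = {k: (q if q else b) for k, q, b in _KV.findall(msg)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def dbus_send_rule(fields, members=None):
    """Render the AppArmor dbus rule that would permit this denial.

    members widens the rule from the single denied member to a set such as
    DYNAMIC_USER_METHODS, so one rule covers the whole lookup path instead
    of chasing one denial at a time. {a,b} alternation and quoted values
    are standard AppArmor rule syntax.
    """
    if fields.get("operation") != "dbus_method_call" or fields.get("mask") != "send":
        raise ValueError("not a dbus_method_call send denial")
    members = list(members) if members else [fields["member"]]
    member = members[0] if len(members) == 1 else "{" + ",".join(members) + "}"
    return (
        "  dbus send\n"
        f"       bus={fields['bus']}\n"
        f"       path=\"{fields['path']}\"\n"
        f"       interface=\"{fields['interface']}\"\n"
        f"       member=\"{member}\"\n"
        f"       peer=(name=\"{fields['name']}\", label={fields['peer_label']}),"
    )


def rules_by_profile(audit_text, members=None):
    """Group denials by the confined profile label; one set of rules per label."""
    rules = {}
    for line in audit_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        rules.setdefault(fields["label"], set()).add(dbus_send_rule(fields, members))
    return rules


if __name__ == "__main__":
    for label, ruleset in rules_by_profile(SAMPLE_AUDIT, DYNAMIC_USER_METHODS).items():
        print(f"# needed by profile {label}")
        for rule in sorted(ruleset):
            print(rule)
```

The emitted rule is what you would paste into the named or charon profile (or, as the eventual fix does, into a shared abstraction so every profile that includes nameservice gets it), then reload with `apparmor_parser -r` on the profile file. Note that the record is type 1107 and exe is /usr/bin/dbus-daemon: DBus method calls are mediated by dbus-daemon using the sender's label, not by the kernel, so the rule only takes effect where dbus-daemon is built with AppArmor mediation, as Ubuntu's is.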

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.3-7ubuntu4

---------------
apparmor (2.13.3-7ubuntu4) focal; urgency=medium

  * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
    RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
    (LP: #1871148)
  * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets
    and DBus APIs. Patch partially based on work by Simon Deziel.
    (LP: #1796911, LP: #1869024)
  * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
    allow reading /etc/krb5.conf.d/
  * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading
    per-user themes from $XDG_DATA_HOME (Closes: #930031)
  * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access
    to top-level ecryptfs directories (LP: #1848919)
  * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access
    to /run/uuidd/request
  * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
    kernel supports the i915 perf interface. Patch from Debian

 -- Jamie Strandboge <email address hidden> Mon, 06 Apr 2020 17:47:20 +0000

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released