cosmic
apparmor 2.12-4ubuntu8
kernel 4.18.0-8-generic #9-Ubuntu
I'm getting these audit messages in dmesg showing apparmor denied errors:
[ 68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 161.059989] audit: type=1107 audit(1539095018.957:33): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1191 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 437.582034] audit: type=1107 audit(1539095295.553:34): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1534 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 468.184231] audit: type=1107 audit(1539095326.159:35): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1577 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
I pinged #ubuntu-hardened, and xnox had these comments:
<xnox> ha
<xnox> ahasenack, libnss-systemd was denied talking to pid1
<xnox> to query dynamicusers i think
<xnox> so i think something somewhere needs adjustment to allow libnss-systemd to talk to pid1 and call GetDynamicUsers
<xnox> LookupDynamicUserByName LookupDynamicUserByUID GetDynamicUsers
<xnox> as well
I see very similar errors with strongSwan when the daemon charon is run as non-root:
[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"
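As an added example, not part of this bug report and not code from the apparmor or systemd packages: a small Python script that parses audit records like the ones above and generates the AppArmor dbus rule that would allow each confined label (named, charon) to make the denied call, optionally folding in the two extra members xnox lists (LookupDynamicUserByName, LookupDynamicUserByUID). Note that the record is logged by dbus-daemon (exe=, outer pid=605), while the confined client is the inner pid with the label; the parser keeps both apart. The sample input is the named record and the charon record from this report; the rule syntax is the standard AppArmor dbus rule grammar, and putting the output into /etc/apparmor.d/local/<profile> is the usual local-override mechanism, not a claim about how the package itself was fixed.

```python
import re
from collections import defaultdict

# Constructed sample: two records from this bug report, one line each (the charon
# record is truncated in the report, so it is truncated here too).
SAMPLE_DMESG = """\
[ 68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"
"""

# key=value or key="quoted value"; the quoted branch is tried first so that
# values containing spaces or '=' are not split.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Split one dmesg AppArmor audit record into a flat dict.

    Fields before msg='...' belong to the audit envelope written by dbus-daemon
    (its pid, uid, ...) and are prefixed with 'audit_'. Fields inside msg='...'
    describe the denied operation: 'pid' and 'label' there are the confined client.
    """
    outer, _, inner = line.partition("msg='")
    fields = {}
    for part, prefix in ((outer, "audit_"), (inner, "")):
        for key, raw in KV_RE.findall(part):
            fields[prefix + key] = raw.strip('"').rstrip("'")
    return fields


def dbus_denials(dmesg_text):
    """Yield parsed records that are AppArmor DENIED dbus_method_call events."""
    for line in dmesg_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_audit_record(line)
        if rec.get("operation") == "dbus_method_call":
            yield rec


def suggest_rules(dmesg_text, also_allow=()):
    """Return {label: [rule, ...]} with one AppArmor dbus rule per distinct
    (mask, bus, path, interface, peer name, peer label) seen for that label.

    Members observed for the same tuple are merged into one {a,b,c} set, and
    'also_allow' members (e.g. the Lookup* calls xnox mentions) are added to each
    group so the rule covers the calls libnss-systemd makes but the log did not
    yet show.
    """
    groups = defaultdict(set)
    for rec in dbus_denials(dmesg_text):
        key = (rec["label"], rec["mask"], rec["bus"], rec["path"],
               rec["interface"], rec["name"], rec["peer_label"])
        groups[key].add(rec["member"])

    rules = defaultdict(list)
    for (label, mask, bus, path, iface, name, peer_label), members in groups.items():
        members = sorted(members | set(also_allow))
        member_str = members[0] if len(members) == 1 else "{" + ",".join(members) + "}"
        rules[label].append(
            f"  dbus {mask}\n"
            f"       bus={bus}\n"
            f"       path={path}\n"
            f"       interface={iface}\n"
            f"       member={member_str}\n"
            f"       peer=(name={name}, label={peer_label}),"
        )
    return dict(rules)


if __name__ == "__main__":
    extra = ("LookupDynamicUserByName", "LookupDynamicUserByUID")
    for label, rule_list in suggest_rules(SAMPLE_DMESG, also_allow=extra).items():
        print(f"# rules for profile with label {label}")
        print("\n".join(rule_list))
```

Run against a real `dmesg` or `journalctl -k` capture and paste the output for a profile into its local override (for example /etc/apparmor.d/local/usr.sbin.named, an assumed path for this example), then reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`. Because libnss-systemd is loaded into every process that does NSS lookups, the same rule is needed by any confined daemon on the system, which is why xnox points at a shared adjustment rather than a per-profile one.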