apparmor needs read access to no-stub-resolv.conf

Bug #2023342 reported by Chris Schanzle
Affects            Status  Importance  Assigned to  Milestone
apparmor (Ubuntu)  New     Undecided   Unassigned

Bug Description

Description: Ubuntu 22.04.2 LTS
Release: 22.04

apt-cache policy apparmor
apparmor:
  Installed: 3.0.4-2ubuntu2.2
  Candidate: 3.0.4-2ubuntu2.2
apparmor 3.0.4-2ubuntu2.2 amd64

Due to issues with systemd-resolved failing to resolve hosts after a random amount of time, I have

/etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf

Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow read access to the above path, so armored daemons like chrony fail to resolve hostnames when used in their configuration files:

type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 ouid=0^]FSUID="_chrony" OUID="root"

A generalized (non-chrony specific) workaround is:

mkdir /etc/apparmor.d/abstractions/nameservice.d
echo @{run}/NetworkManager/no-stub-resolv.conf r, > /etc/apparmor.d/abstractions/nameservice.d/no-stub
systemctl reload apparmor.service

It seems to be an omission to not have '@{run}/NetworkManager/no-stub-resolv.conf r,' in the default abstractions/nameservice file.

Thanks for your consideration!
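The denial above is the kind of record aa-logprof turns into a rule. As an added example (not part of this report or of the AppArmor project), the script below parses an audit AVC line, checks it against a constructed subset of the nameservice abstraction's file rules, and prints the rule the nameservice.d drop-in would need; the glob handling and the rule list are assumptions for illustration.

```python
import re

# Constructed sample: the chronyd denial quoted in the report, as an audit record
SAMPLE_AVC = (
    'type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/chronyd" name="/run/NetworkManager/no-stub-resolv.conf" '
    'pid=191892 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 ouid=0'
)

# Constructed subset of file rules in the style of abstractions/nameservice (assumption)
EXISTING_RULES = [
    "/etc/resolv.conf r,",
    "@{run}/systemd/resolve/stub-resolv.conf r,",
]

def parse_avc(line):
    """Split an audit record into key=value fields; None unless it is an AppArmor DENIED."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(path):
    """Compile an AppArmor file-rule path: @{run} -> /run, * stays inside one path
    component, ** crosses components (assumption: {a,b} and ? globs are not handled)."""
    s = path.replace("@{run}", "/run")
    out, i = "", 0
    while i < len(s):
        if s.startswith("**", i):
            out, i = out + ".*", i + 2
        elif s[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(s[i]), i + 1
    return re.compile("^" + out + "$")

def rule_covers(rule, name, mask):
    """True if a 'path modes,' rule matches the denied path and grants every denied mode."""
    path, modes = rule.rstrip(",").rsplit(" ", 1)
    return glob_to_regex(path).match(name) is not None and set(mask) <= set(modes)

def suggest_rule(line, rules=EXISTING_RULES):
    """Rule line a nameservice.d drop-in needs for this denial; None if already covered
    by an existing rule or if the record is not a denial. Paths under /run use @{run}."""
    f = parse_avc(line)
    if f is None or any(rule_covers(r, f["name"], f["denied_mask"]) for r in rules):
        return None
    path = "@{run}" + f["name"][4:] if f["name"].startswith("/run/") else f["name"]
    return f'{path} {f["denied_mask"]},'

if __name__ == "__main__":
    print(suggest_rule(SAMPLE_AVC))  # @{run}/NetworkManager/no-stub-resolv.conf r,
```

Feed it real lines from journalctl or audit.log to see which denials an existing rule already covers and which need a drop-in.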

Chris Schanzle (cschanzle) wrote :

As a first-time bug reporter, would it be more appropriate to file a Debian bug report?

Seth Arnold (seth-arnold) wrote :

Hi Chris, thanks for the report.

In this case, reporting to Debian probably wouldn't help much, they're less active than they used to be.

If you're motivated and interested enough, a merge request on https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/nameservice would be fantastic. It'd probably speed the process along nicely.

Thanks
