Comment 3 for bug 1869629

Christian Ehrhardt (paelzer) wrote : Re: AppArmor denied access to /etc/mdns.allow to chronyd

Hi,
/etc/apparmor.d/usr.sbin.chronyd has

  #include <abstractions/nameservice>

And thereby should have:
/etc/apparmor.d/abstractions/nameservice: #include <abstractions/mdns>

Which in turn defines:
/etc/apparmor.d/abstractions/mdns: # mdnsd
/etc/apparmor.d/abstractions/mdns: /etc/nss_mdns.conf r,
/etc/apparmor.d/abstractions/mdns: /{,var/}run/mdnsd w,

There is no mdns.allow, but if that is a common thing for mdns we should add the rule.
The file belongs to apparmor itself and I think that abstraction would need a fix:
  apparmor: /etc/apparmor.d/abstractions/mdns

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore this bug IMHO is actually: "please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns"

I'll modify it accordingly, but please speak up if you disagree.

Since this potentially hits any apparmor-isolated application using nameservices, I'd mark it as critical until the security team explains why it is not. OTOH such a one-line addition should be easily done in apparmor.
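
The include chain traced in the comment above, as an added example that is not part of the original comment or of AppArmor's own tooling: it follows `#include` lines from the chronyd profile and reports which file rule, if any, grants a permission on a path. Assumptions: the file contents are trimmed to the lines quoted in the comment, the requested rule is taken to be `/etc/mdns.allow r,`, and only a subset of AppArmor globbing is handled (deny rules, `owner` qualifiers and variables are ignored).

```python
import re

FILES = {  # constructed, trimmed stand-ins for the files quoted in the comment
    "usr.sbin.chronyd": "#include <abstractions/nameservice>\n",
    "abstractions/nameservice": "#include <abstractions/mdns>\n",
    "abstractions/mdns": "# mdnsd\n/etc/nss_mdns.conf r,\n/{,var/}run/mdnsd w,\n",
}
# Assumption: the requested rule takes this form (read-only access).
PATCHED = {**FILES, "abstractions/mdns": FILES["abstractions/mdns"] + "/etc/mdns.allow r,\n"}
INCLUDE = re.compile(r"^\s*#?include\s+<([^>]+)>")
RULE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+),")

def file_rules(name, files, seen=None):
    """Yield (glob, perms, source) for each file rule reachable through includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return
    seen.add(name)
    for line in files[name].splitlines():
        inc, rule = INCLUDE.match(line), RULE.match(line)
        if inc:
            yield from file_rules(inc.group(1), files, seen)
        elif rule:
            yield rule.group(1), rule.group(2), name

def glob_to_regex(glob):
    """Translate the AppArmor glob subset handled here: {a,b}, **, * and ?."""
    out, depth, i = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out, i = out + ".*", i + 1
        elif c in "*?":
            out += "[^/]*" if c == "*" else "[^/]"
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}" and depth:
            out, depth = out + ")", depth - 1
        elif c == "," and depth:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def covering_rules(profile, path, perm, files):
    """Return [(glob, source)] for rules that grant perm on path."""
    return [(g, src) for g, perms, src in file_rules(profile, files)
            if perm in perms and glob_to_regex(g).match(path)]
```

Calling `covering_rules("usr.sbin.chronyd", "/etc/mdns.allow", "r", FILES)` returns an empty list, while the same call with `PATCHED` names the rule and the abstraction file that supplies it.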