Comment 0 for bug 1921655

Jonas Wiegert (it-jonas) wrote :

Hello, I ran into trouble starting the lightdm-guest-session in Linux Mint (Cinnamon).

## How to reproduce:
 - boot Linux Mint (20.02) or Ubuntu MATE (20.04). I haven't tested other distros, but I think others are also affected.
 - enable guest user session
 - try to login as guest user
## Error logs:
### Error Message:
` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
### aa-notify:
```
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/uid_map
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/setgroups
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/gid_map
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8624/fd/
Denied: r
Logfile: /var/log/kern.log
```
### dmesg:
```
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
```
## Solutions:
### bad but common workaround
Solutions I found in different forums were to move lightdm-guest-session into complain mode like this:
`aa-complain /usr/lib/lightdm/lightdm-guest-session`
### maybe better solution:
My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
```
...
/usr/lib/lightdm/lightdm-guest-session {
...
  owner /run/user/[0-9]*/ICEauthority-? l,
...
}
```
I honestly have no clue about AppArmor and I'm unsure where to post this, but I hope this maybe helps some other people in the future.
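
Added example, not part of the original comment: a small triage script that groups AppArmor `DENIED` audit records by profile, path pattern and denied mask, and records whether an `owner` rule could match (fsuid equal to ouid), so a narrow rule can be written instead of putting the whole profile into complain mode. The function names are hypothetical; the sample input is four of the records from the dmesg output above.

```python
import re
from collections import defaultdict

# Sample input: four of the audit records from the dmesg output in the report.
SAMPLE = '''\
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
'''

# key=value pairs; values are either "quoted" or a bare token (pid, fsuid, ...).
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({key: (quoted if raw.startswith('"') else raw)
                        for key, raw, quoted in FIELD.findall(line)})
    return records

def generalise(path):
    """Replace numeric path components (PIDs, UIDs) with the [0-9]* glob."""
    return re.sub(r'/\d+(?=/|$)', '/[0-9]*', path)

def summarise(records):
    """Group denials by (profile, path pattern, denied mask)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "owner": True})
    for r in records:
        g = groups[(r["profile"], generalise(r["name"]), r["denied_mask"])]
        g["count"] += 1
        g["comms"].add(r["comm"])
        # An 'owner' rule only matches when the task's fsuid owns the object.
        g["owner"] = g["owner"] and r.get("fsuid") == r.get("ouid")
    return dict(groups)

if __name__ == "__main__":
    for (profile, path, mask), g in sorted(summarise(parse_denials(SAMPLE)).items()):
        owner = "owner " if g["owner"] else ""
        print(f'{g["count"]}x {owner}{path} {mask}  ({", ".join(sorted(g["comms"]))})')
```

On this sample only the `ICEauthority-l` link denial has matching fsuid and ouid, which is the one case where an `owner`-qualified rule applies.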