Ubuntu
snapd package

apparmor stays active even when the service is disabled

Bug #1878814 reported by Owen
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd (Ubuntu)
In Progress
Medium
Unassigned
Ubuntu focal-updates

Bug Description

Trying to access a fresh install of MySQL, what a complete pain that is!! I installed mysql-workbench-community from the app store. Attempts to access the database with user root were rebuffed by an AppArmor error about permissions.

Running aa-status I could see the app in the enforce category, so I made many attempts to move it to complain, but this failed and I'll file a bug report about that as well.

I decided to disable both the apparmor and ufw service.

However, the AppArmor permissions error dialog continue to appear and it's not possible to access the database.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: apparmor 2.13.3-7ubuntu5
ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
Uname: Linux 5.4.0-29-generic x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Fri May 15 09:40:01 2020
InstallationDate: Installed on 2020-03-10 (65 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200306)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.4.0-29-generic root=UUID=d73f3324-549c-4a63-b2bd-f813366411ac ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:
 May 15 09:38:16 owen-AOD255 dbus-daemon[1118]: [session uid=125 pid=1118] AppArmor D-Bus mediation is enabled
 May 15 09:39:00 owen-AOD255 dbus-daemon[1762]: [session uid=1000 pid=1762] AppArmor D-Bus mediation is enabled
 May 15 09:39:04 owen-AOD255 dbus-daemon[2353]: [session uid=125 pid=2353] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Owen (osavill-z) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I'm not familiar with mysql-workbench-community, but looking at the logs I see:

May 14 17:44:33 owen-AOD255 kernel: [ 181.312508] audit: type=1400 audit(1589474673.710:1024): apparmor="DENIED" operation="connect" profile="snap.mysql-workbench-community.mysql-workbench-community" name="/run/uuidd/request" pid=3579 comm="mysql-workbench" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

This issue was fixed in a recent commit to snapd, but it hasn't reached the stable channel yet (it should be in snapd 2.45). You can either:

* 'sudo snap install --devmode mysql-workbench-community' to work around the issue and put apparmor into complain mode
* 'sudo snap refresh snapd --edge' to pull in the edge build of snapd which has the fix

If choosing the former, when 'snap version' reports 2.45, you can install the snap in strict mode (omit --devmode). If the latter, when 'snap info snapd' reports that 2.45 is in the stable channel, run 'sudo snap refresh snapd --stable' to start tracking stable again.

This is not a bug in apparmor, but instead snapd. Triaging the bug as such.

affects: apparmor (Ubuntu) → snapd (Ubuntu)
Changed in snapd (Ubuntu):
importance: Undecided → Medium
milestone: none → focal-updates
status: New → In Progress
Revision history for this message
Owen (osavill-z) wrote :

Hi Jamie, many thanks for the detailed response about snapd

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.