Seeing this problem now with apparmor 2.10.95-4ubuntu3 on yakkety

kernel: [ 38.160420] audit: type=1400 audit(1470204773.635:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 39.076124] audit: type=1400 audit(1470204774.551:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 40.076112] audit: type=1400 audit(1470204775.551:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 41.084971] audit: type=1400 audit(1470204776.560:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 42.097404] audit: type=1400 audit(1470204778.059:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 42.113042] audit: type=1400 audit(1470204778.075:32): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0


** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New

** Tags added: xenial yakkety
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ntp (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

** Changed in: ntp (Ubuntu)
Importance: Undecided => High

** Tags added: bitesize
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

** Changed in: ntp (Ubuntu)
Assignee: (unassigned) => Joshua Powers (powersj)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

** Changed in: apparmor (Ubuntu)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

yakkety is no more affected: the "DENIED" apparmor logs are gone now (#1)
and ntpd works as expected.

** Tags removed: yakkety
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

dinno99,

Any objection then to closing this as fixed?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

@Joshua

i've just commented about my own initial #1 comment above and the related 'DENIED' logged.
That report is not mine anyway, and the subject is way more wider (as i understand it); and probably needs to check 'possible' "incomplete apparmor definition" as reported.

The OP seems to point some 'dbus' header
Maybe that was a transitional problem on his side; but he has not commented back.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

I'm the initial OP. What am I supposed to do here?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

knz,

I originally, and incorrectly, assumed dinno99 was the OP. If you could
update your xenial install to see if the bug still exists that would be
good. I'll do the same tomorrow.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

@knz, can you verify this still exists on your system and if so:

* Provide the version of ntp and apparmor you are using
* Command or what you do to get the error to show up

I was unable to reproduce on both xenial and yakkety. The versions I had
available to me are below and the only DENIED messages from
/var/log/kern.log are below in each instance when I ran 'sudo ntpd'

yakkety
---
***@ubuntu:/var/log$ dpkg -l | grep ntp
ii ntp 1:4.2.8p8+dfsg-1ubuntu1 amd64 Network Time Protocol daemon and utility programs
***@ubuntu:/var/log$ dpkg -l | grep apparmor
ii apparmor 2.10.95-4ubuntu4 amd64 user-space parser utility for AppArmor

Sep 7 17:44:17 ubuntu kernel: [ 138.147239] audit: type=1400 audit(1473284657.365:17): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=2179 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 7 17:44:17 ubuntu kernel: [ 138.147316] audit: type=1400 audit(1473284657.365:18): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=2179 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


xenial
---
***@xenial:~$ dpkg -l | grep ntp
ii ntp 1:4.2.8p4+dfsg-3ubuntu5.1 amd64 Network Time Protocol daemon and utility programs
***@xenial:~$ dpkg -l | grep apparmor
ii apparmor 2.10.95-0ubuntu2.2 amd64 user-space parser utility for AppA

Sep 7 22:04:18 ubuntu kernel: [ 60.182587] audit: type=1400 audit(1473285858.665:15): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=3265 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 7 22:04:18 ubuntu kernel: [ 60.182675] audit: type=1400 audit(1473285858.665:16): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=3265 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

** Changed in: ntp (Ubuntu)
Status: Confirmed => Incomplete

** Changed in: apparmor (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

I am suffering from a similar issue, but with slightly different
behavior

<pre>
# journalctl -u ntp
Oct 11 10:23:29 lys-stats ntp[5670]: * Starting NTP server ntpd
Oct 11 10:23:29 lys-stats ntpd[5681]: ntpd ***@1.3265-o Wed Oct 5 12:34:45 UTC 2016 (1): Starting
Oct 11 10:23:29 lys-stats ntp[5670]: ...done.
Oct 11 10:23:29 lys-stats systemd[1]: Started LSB: Start NTP daemon.
Oct 11 10:23:29 lys-stats ntpd[5683]: proto: precision = 0.091 usec (-23)
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict 0.0.0.0: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict ::: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 0 v6wildcard [::]:123
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Oct 11 10:23:29 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:29 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
Oct 11 10:23:29 lys-stats ntpd[5683]: unable to open routing socket (Permission denied) - using polled interface up
Oct 11 10:23:31 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:31 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
# dmesg -T
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:25): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:26): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
# apt-cache policy apparmor
apparmor:
Installed: 2.10.95-0ubuntu2.2
Candidate: 2.10.95-0ubuntu2.2
Version table:
*** 2.10.95-0ubuntu2.2 500
500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.10.95-0ubuntu2 500
500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# apt-cache policy ntp
ntp:
Installed: 1:4.2.8p4+dfsg-3ubuntu5.3
Candidate: 1:4.2.8p4+dfsg-3ubuntu5.3
Version table:
*** 1:4.2.8p4+dfsg-3ubuntu5.3 500
500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
1:4.2.8p4+dfsg-3ubuntu5 500
500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# cat /etc/ntp.conf
tinker panic 0
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server pool.ntp.org iburst
driftfile /var/lib/ntp/drift
# cat /etc/apparmor.d/usr.sbin.ntpd
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <***@canonical.com>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>

capability ipc_lock,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
capability sys_time,
capability sys_nice,

# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
network dgram,
network stream,

@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{NTPD_DEVICE} rw,
# pps devices are almost exclusively used with NTP
/dev/pps[0-9]* rw,

/{,s}bin/ r,
/usr/{,s}bin/ r,
/usr/sbin/ntpd rmix,

/etc/ntp.conf r,
/etc/ntp.conf.dhcp r,
/etc/ntpd.conf r,
/etc/ntpd.conf.tmp r,
/var/lib/ntp/ntp.conf.dhcp r,

/etc/ntp.keys r,
/etc/ntp/** r,

/etc/ntp.drift rwl,
/etc/ntp.drift.TEMP rwl,
/etc/ntp/drift* rwl,
/var/lib/ntp/*drift rw,
/var/lib/ntp/*drift.TEMP rw,

/var/log/ntp w,
/var/log/ntp.log w,
/var/log/ntpd w,
/var/log/ntpstats/clockstats* rwl,
/var/log/ntpstats/loopstats* rwl,
/var/log/ntpstats/peerstats* rwl,
/var/log/ntpstats/protostats* rwl,
/var/log/ntpstats/rawstats* rwl,
/var/log/ntpstats/sysstats* rwl,

/{,var/}run/ntpd.pid w,

# samba4 ntp signing socket
/{,var/}run/samba/ntp_signd/socket rw,

# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
# this can be considered dangerous. See https://launchpad.net/bugs/722815
# for details. To enable, add this to local/usr.sbin.ntpd:
# capability ipc_owner,

# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.ntpd>
}
# uname -rpv
4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64
</pre>
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
incomplete apparmor definition for ntpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions

I can reproduce this in yakkety with ntp 1:4.2.8p8+dfsg-1ubuntu2 and
apparmor 2.10.95-4ubuntu5. It is due to Yakkety's use of systemd-
resolved, which is used by the nss-resolve plugin to resolve hostnames.

** Summary changed:

- incomplete apparmor definition for ntpd
+ AppArmor nameservice abstraction doesn't allow communication with systemd-resolve
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

The correct fix for this issue is in AppArmor's nameservice abstraction.
Marking the ntp task as invalid as there's no change needed for the ntp
package itself.

** Changed in: ntp (Ubuntu)
Status: Incomplete => Invalid

** Changed in: apparmor (Ubuntu)
Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: apparmor (Ubuntu)
Status: Incomplete => Triaged

** Also affects: apparmor
Importance: Undecided
Status: New

** Summary changed:

- AppArmor nameservice abstraction doesn't allow communication with systemd-resolve
+ AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

** Changed in: apparmor
Status: New => In Progress

** Changed in: apparmor
Importance: Undecided => High

** Changed in: apparmor
Assignee: (unassigned) => Tyler Hicks (tyhicks)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

Fix sent upstream for review:
https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

I forgot to mention what brought me to this bug. I am seeing this denial
when running tcpdump in Ubuntu Yakkety:

apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump"
name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump"
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

After pulling the dbus-strict abstraction into the tcpdump profile, I
then see this denial:

pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
operation="dbus_method_call" bus="system"
path="/org/freedesktop/resolve1"
interface="org.freedesktop.resolve1.Manager" member="ResolveAddress"
mask="send" name="org.freedesktop.resolve1" pid=25438
label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"

My proposed fix grants access to the ResolveAddress, ResolveHostname,
ResolveRecord, and ResolveService methods of the D-Bus API.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

** Description changed:

+ [ Impact ]
+
+ Processes confined by AppArmor profiles making use of the nameservice
+ AppArmor abstraction are unable to access the systemd-resolved network
+ name resolution service. The nsswitch.conf file shipped in Yakkety puts
+ the nss-resolve plugin to use which talks to systemd-resolved over
+ D-Bus. The D-Bus communication is blocked for the confined processes
+ described above and those processes will fallback to the traditional
+ means of name resolution.
+
+ [ Test Case ]
+
+ * Use ntpd to test:
+ $ sudo apt-get install -y ntp
+ ...
+ $ sudo systemctl stop ntp
+
+ # in another terminal, watch for AppArmor denials
+ $ dmesg -w
+
+ # in the original terminal, start ntp
+ $ sudo systemctl start ntp
+
+ # You'll see a number of denials on the system_bus_socket file:
+ audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0
+
+ * Use tcpdump to test:
+
+ # Capture traffic on whichever network interface you're currently using
+ $ sudo tcpdump -i eth0
+
+ # Look in /var/log/syslog for denials on the system_bus_socket file:
+ audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
+
+ In both situations, ntpd and tcpdump will seemingly work as expected due
+ to the name resolution fallback configured in nsswitch.conf. However,
+ neither confined process will be using systemd-resolved for name
+ resolution.
+
+ [ Regression Potential ]
+
+ This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-
+ by-default programs to start using systemd-resolved. There is some
+ potential for regression since those applications have not been
+ previously using systemd-resolved.
+
+ [ Original bug description ]
+
On this plain install of Xenial apparmor complains about ntpd:

[ 19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the
problem:

- #include <abstractions/dbus-strict>
+     #include <abstractions/dbus-strict>
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

@Tyler

comment about the #14 above

i've reported against the 'kernel' the same issue output (but linux
could be the false package; i'm not sure at all)

Bug #1628835
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

Hello knz, or anyone else affected,

Accepted apparmor into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Also affects: ntp (Ubuntu Yakkety)
Importance: High
Assignee: Joshua Powers (powersj)
Status: Invalid

** Also affects: apparmor (Ubuntu Yakkety)
Importance: High
Assignee: Tyler Hicks (tyhicks)
Status: Triaged

** Changed in: apparmor (Ubuntu Yakkety)
Status: Triaged => Fix Committed

** Tags added: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

This change looks to be working as expected. I've done the manual
verification in the bug description and I've also went through the
desktop/server related portions of
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor.

** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

We've decided not to merge this patch in the upstream AppArmor project
at this time because most distros don't have the ability to perform
fine-grained mediation of D-Bus communications and this change would
grant full system bus access to network-facing daemons in those distros.

** Changed in: apparmor
Status: In Progress => Triaged

** Changed in: apparmor
Assignee: Tyler Hicks (tyhicks) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

** Tags added: aa-policy
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---------------
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

* debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
configured to use nss-resolve which then communicates with
systemd-resolved's D-Bus API. (LP: #1598759)

-- Tyler Hicks <***@canonical.com> Wed, 12 Oct 2016 01:47:06 +0000

** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

The verification of the Stable Release Update for apparmor has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---------------
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

* debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
configured to use nss-resolve which then communicates with
systemd-resolved's D-Bus API. (LP: #1598759)

-- Tyler Hicks <***@canonical.com> Wed, 12 Oct 2016 01:47:06 +0000

** Changed in: apparmor (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

** Changed in: apparmor
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

This isn't fixed in AppArmor upstream. As an upstream, we decided
against taking in this policy update until the patches to perform D-Bus
mediation have landed in the upstream kernel. Without those patches,
we'd be granting full access to the D-Bus system bus socket from the
very commonly used namespace abstraction.

** Changed in: apparmor
Status: Fix Released => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

Still present for me

[176007.813051] audit: type=1400 audit(1486720189.738:122):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=14715 comm="EvJobScheduler"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

[179389.232131] audit: type=1400 audit(1486723571.310:133):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=17305 comm="evince"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"

Not sure if it affects something.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

Still true for Zesty.

** Tags added: zesty
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

FWIW current Ubuntu citrain branch seems to apply exactly the same patch
twice for some reason:

debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch

Not sure what's going on, but anyway we don't apply this patch in Debian
so this only affects the Ubuntu-specific bits of the packaging.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

@intrigeri - you're right. I'll fix this in the citrain branch and in
2.11.0-2ubuntu14.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

[175882.466186] audit: type=1400 audit(1503640503.535:62):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=7704 comm="evince"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

Same here (17.04)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions