[pkg-apparmor] Bug#904040: openntpd: Apparmor denies logging

Seth Arnold seth.arnold at canonical.com
Thu Jul 19 01:04:06 BST 2018


On Wed, Jul 18, 2018 at 08:05:29PM -0300, Dererk wrote:
> A bug was reported to me about the way an apparmor profile behaves.
> It appears to me that this issue might be tightly related to the way
> apparmor is compiled on Ubuntu, since all my attempts to find similar
> reports get isolated to Ubuntu's reports and bug fixes.
> 
> Would you be kind enough to advise on how to proceed with this? Is it
> possible to hit this on Debian installations? If it's not, is it safe to
> apply it on Debian without backfiring?

Hello Dererk,

This is not unique to systemd, nor Ubuntu; any time a process may use a
file descriptor that refers to a file that does not exist in the process's
mount namespace, whether via explicit namespace use, or chroot, or being
passed descriptors across an exec or Unix domain socket.

Systemd just makes these cases really easy to recreate.

The flags=(attach_disconnected) fix is safe to apply; we don't use it
as a default setting because we'd really like to have a better solution
in the long run. But if you're currently not logging due to this issue, or
the program fails to run at all because it cannot log, then waiting for a
better solution is far from ideal.

> On 18/07/18 14:06, Stefano Rivera wrote:
> > AppArmor denies openntpd access to syslog:
> > > [1690592.258663] audit: type=1400 audit(1531921190.778:1052): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=2708 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
> > This seems to be a known issue with apparmor + systemd
> > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070

Thanks
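
Added example, not part of the original message and not AppArmor project code: a Python scan of kernel audit lines for the "disconnected path" denial quoted above, listing the profiles that are candidates for flags=(attach_disconnected). The first sample line is the one from the bug report, the second is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# key="quoted value" or key=bare pairs, as they appear in kernel audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# info= string AppArmor logs when a path cannot be resolved in the namespace
DISCONNECTED = "Failed name lookup - disconnected path"

def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def disconnected_denials(lines):
    """Map profile -> set of (operation, name, denied_mask) for
    denials caused by a disconnected path, ignoring ordinary denials."""
    hits = defaultdict(set)
    for line in lines:
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("info") != DISCONNECTED:
            continue
        hits[f.get("profile", "?")].add(
            (f.get("operation"), f.get("name"), f.get("denied_mask")))
    return dict(hits)

SAMPLE = [
    # Line quoted in the bug report above
    '[1690592.258663] audit: type=1400 audit(1531921190.778:1052): '
    'apparmor="DENIED" operation="sendmsg" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=2708 '
    'comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    # Constructed: an ordinary denial that the flag would not change
    '[1690600.000000] audit: type=1400 audit(1531921200.100:1053): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/example" '
    'name="/etc/example.conf" pid=100 comm="example" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for profile, events in sorted(disconnected_denials(SAMPLE).items()):
        print(f"{profile}: candidate for flags=(attach_disconnected)")
        for op, name, mask in sorted(events):
            # The name has no leading "/" because the path is disconnected
            print(f"  {op} {name} ({mask})")
```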