[pkg-apparmor] Bug#962405: /proc/sys/kernel/random/boot_id DENIED

Alan Sermons alan-debian at mobileinternetteashop.co.uk
Wed Jun 10 11:15:11 BST 2020 

Package: apparmor
Version: 2.13.4-1+b1
Followup-For: Bug #962405

Dear Maintainer,

Complete apparmor novice here, so I'm not the best person to troubleshoot
things (but I'm willing to learn)...

Although I have a previous version of the package, I have had similar issues. I
had a look at the Ubuntu bug listed and had a look at the upstream files. There
is a reference to the abstractions/nameservice file at
https://gitlab.com/apparmor/apparmor/-/blob/apparmor-2.13/profiles/apparmor.d/abstractions/nameservice#L35
(included below). I found that adding the last of the three rules, listed in
that block, into local/usr.sbin.cupsd solved the recurring messages.

I hadn't realised, but I was having similar problems with freshclam, so when I
put the first and last of the rules into local/usr.bin.freshclam it fixed the
problem. However, the variable declaration wasn't working (I had to modify it
to put in /run specifically).

The cups issue has also been reported as https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=954953 against cups-daemon, but the freshclam one doesn't
appear that I can see.

If you need any other information, I can see what I can do.

Many thanks.

>From upstream abstractions/nameservice
(https://gitlab.com/apparmor/apparmor/-/blob/apparmor-2.13/profiles/apparmor.d/abstractions/nameservice#L35)

  # NSS records from systemd-userdbd.service
  @{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home}
r,
  @{PROC}/sys/kernel/random/boot_id r,




-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libc6                  2.30-8
ii  lsb-base               11.1.0
ii  python3                3.8.2-3

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           2.13.4-1+b1

-- debconf information:
  apparmor/homedirs:

More information about the pkg-apparmor-team mailing list