
debcrafters-packages team mailing list archive

[Bug 2123821] Re: bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"

One aspect of AppArmor IPC mediation is a "crosscheck" that requires a
sending domain to have policy to allow sending and also requires the
receiver to have policy to allow receiving. If either one fails, then
the operation is failed as early as possible. (I'm not entirely sure how
I would expect it to show up in the logs when they aren't in the same
namespace, but this feels about what I would expect.)

Perhaps the Unix Domain Socket changes in newer versions of AppArmor
require changes to the policy? I have a vague memory that previous
versions of AppArmor allow file rules to give access to unix domain
sockets in the filesystem but newer versions of AppArmor require
explicit unix rules. (Worse yet, I don't know what to add to the rsyslog
policy to allow this access.)

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2123821

Title:
  bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"

Status in apparmor package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  Confirmed

Bug description:
  On my Questing system running LXD containers, my kernel log is full of
  messages like:

  [  129.551382] audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

  One of my containers is named "q", hence the "root//lxd-q...". Some
  actual functionality is likely broken in the container.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123821/+subscriptions
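Added example, not part of the bug thread and not code from rsyslog, LXD or the AppArmor project: a small Python triage script for kernel audit lines of the shape quoted in the bug description. It parses the key=value fields, flags denials whose namespace contains "//" (a nested AppArmor policy namespace, as LXD creates per container), keeps profile and comm side by side so a reader notices when they differ as they do in the quoted line (profile="rsyslogd", comm="systemd-journal"), and emits an aa-logprof-style candidate file rule from the denied mask. Assumptions: the first sample line is the one from the bug report, the second is constructed here for contrast, and the suggested rule is only the line a log-driven tool would propose for a class="file" denial; whether a file rule or a unix rule is actually what the rsyslog policy needs is the open question in the comment above and is not settled by this script.

```python
import re

# Constructed sample input. Line 1 is the denial quoted in the bug report;
# line 2 is made up here, in the same format, as a same-namespace contrast.
SAMPLE_DMESG = """\
[  129.551382] audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
[  130.002100] audit: type=1400 audit(1757925628.700:1006): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/var/log/example.log" pid=4242 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor audit record."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_nested_namespace(namespace):
    """Policy namespaces nest with '//' (e.g. root//lxd-q_<...>), so a '//'
    means the profile was loaded in a child namespace such as a container's."""
    return namespace is not None and '//' in namespace


def suggest_file_rule(fields):
    """aa-logprof-style candidate rule for a class="file" denial.
    Assumption: this is only what a log-driven tool would propose; it is not
    verified here to resolve the denial (the thread questions whether a
    file rule or a unix rule is needed for this socket path)."""
    if fields.get('class') != 'file' or 'name' not in fields:
        return None
    return f"{fields['name']} {fields['denied_mask']},"


def triage(dmesg_text):
    """Reduce a dmesg/kernel-log dump to one record per AppArmor DENIED line."""
    records = []
    for line in dmesg_text.splitlines():
        f = parse_apparmor_audit(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        ns = f.get('namespace')  # absent when the profile is in the root namespace
        records.append({
            'namespace': ns if ns is not None else 'root',
            'nested': is_nested_namespace(ns),
            'profile': f.get('profile'),
            'comm': f.get('comm'),        # process name; may differ from the profile
            'operation': f.get('operation'),
            'name': f.get('name'),
            'rule': suggest_file_rule(f),
        })
    return records


if __name__ == '__main__':
    for r in triage(SAMPLE_DMESG):
        where = 'nested' if r['nested'] else 'root'
        print(f"[{where}] {r['namespace']} profile={r['profile']} comm={r['comm']} "
              f"op={r['operation']} -> candidate rule: {r['rule']}")
```

Run it against `dmesg` or `journalctl -k` output instead of the embedded sample to get the same per-denial summary; the nested flag is the quick way to separate container-namespace denials like the one in this bug from ordinary host denials against the same profile name.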