Hello, (cross-posting to the referenced bug so that the information appears in both bugs)
On Tuesday, 17 October 2023, 14:18:43 CEST, Anton Ivanov wrote:
> The default profile denies network functionality and it breaks
> man and other software which has an apparmor profile. They stop
> working on NFS.
>
> For an example see Debian bug 1054115
>
> While it is possible to solve it on a case by case basis, the
> right bugfix is to check if root and/or /usr are on NFS and
> load an extra profile to allow network access.
>
> Alternatively, the kernel should stop treating network filesystem
> access as network access for apparmor purposes. That, however,
> is likely to be a bit difficult.
[...]
> Kernel: Linux 5.10.0-22-amd64 (SMP w/12 CPU threads)

This issue was fixed in kernel 6.0 [1] - which means your 5.10.0 kernel
is too old and doesn't contain the fix yet.

Unfortunately I don't know the exact commit, or how hard it would be to
backport the fix to an older kernel. (If you are interested in
backporting, I'd recommend asking John Johansen for details.)

If upgrading to a newer kernel is not an option, a possible workaround
is to add

    network inet stream,
    network inet6 stream,

to the affected profile or an abstraction - or to abstractions/base if
you really want it in all profiles.

Note: These two rules allow _all_ TCP/IP network access, not only NFS.

Also note that abstractions/nameservice already contains these two rules
(for DNS resolution etc.), so this workaround is already accidentally in
place in some profiles ;-)

Regards,

Christian Boltz

[1] see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
    comment 13

--
Having presentation after lunch break when sun is shining really sucks.
[Josef Reidinger in yast-devel]
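
Added example, not part of the original message and not AppArmor project code: a check for the situation described above (kernel older than 6.0 with / or /usr on NFS), to decide whether the two `network` rules are needed at all. The function names, the sample mount table and the reliance on the upstream version number are assumptions of this example.

```python
# Added example (not from the original message). Assumptions are marked.
import os
import re

FIXED_IN = (6, 0)            # from the message: "fixed in kernel 6.0"
WATCHED = ("/", "/usr")      # mount points named in the bug report
NFS_TYPES = {"nfs", "nfs4"}  # fstype values as shown in /proc/mounts

def kernel_version(release):
    """'5.10.0-22-amd64' -> (5, 10)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def nfs_mounts(mounts_text, watched=WATCHED):
    """Return {mountpoint: fstype} for watched mount points backed by NFS.

    /proc/mounts lists mounts in order, so a later entry for the same
    mount point shadows an earlier one (e.g. rootfs, then the real root).
    """
    current = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] in watched:
            current[fields[1]] = fields[2]
    return {mp: fs for mp, fs in current.items() if fs in NFS_TYPES}

def needs_workaround(release, mounts_text):
    """True if the kernel predates 6.0 and / or /usr is on NFS.

    Assumption: the upstream version is a heuristic only; a distribution
    kernel may carry a backport of the fix.
    """
    return kernel_version(release) < FIXED_IN and bool(nfs_mounts(mounts_text))

# Constructed sample input (192.0.2.0/24 is a documentation range).
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
192.0.2.10:/export/root / nfs4 rw,relatime,vers=4.2 0 0
proc /proc proc rw 0 0
192.0.2.10:/export/usr /usr nfs ro,vers=3 0 0
/dev/sda1 /home ext4 rw 0 0
"""

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        live = fh.read()
    print("NFS-backed:", nfs_mounts(live) or "none")
    print("workaround needed:", needs_workaround(os.uname().release, live))
```

Where this reports that no workaround is needed, the profiles can stay without the broad TCP rules.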