Currently there isn't a good way to set the flags on a profile without
editing the local copy. There is an overlay mechanism coming, but it has
not landed yet. There is also another mechanism for dealing with
disconnected object coming. But until these extensions land there is a
way to do local pro
I have the same error:
2025-02-23T00:00:25.676547+02:00 lb2 kernel: audit: type=1400
audit(1740261625.675:8978082): apparmor="DENIED" operation="sendmsg"
class="file" info="Failed name lookup - disconnected path" error=-13 profile="r
syslogd" name="var/lib/haproxy/dev/log" pid=672902 comm="hapro
I'm seeing this in haproxy.
```
2025-02-08T21:37:49.789984-05:00 f kernel: audit: type=1400
audit(1739068669.788:18597): apparmor="DENIED" operation="sendmsg" class="file"
info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd"
name="var/lib/haproxy/dev/log" pid=214622 comm=
```
omprog is quite hard to confine correctly in a way that is still usable
for all cases. Whatever you do, it would be best to deal with local
overrides, and not change the main profile shipped by the rsyslog
package.
That being said, I don't know of a way to override the flag: the current
override m
Fun stuff. Got bitten by this for rsyslogd now.
LibreNMS has an rsyslog config to log through its syslog.php:
if $syslogpriority < 7 then action(type="omprog"
binary="/srv/librenms/syslog.php" template="librenms")
That should be easy to allow:
/usr/bin/php* ix,
/usr/bin/stty ix,
/etc/ph
Gábor, systemd is well-meaning in providing namespacing features so the
thousands of daemons that are in the world don't have to re-implement
something similar. But of course the kernel hook points used by AppArmor
don't provide sufficient information to know what pathname to
reconstruct when the n
Same problem with powerdns, I can't run it with apparmor profile,
because it complains:
operation="sendmsg" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/sbin/pdns_server" name="run/systemd/journal/dev-
log" pid=17236 comm="pdns_server" requested_mask="w" denied_mask="w"
fs
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: rsyslog (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1373070
Title:
fu
possibly. There isn't actually enough information in that bug to be sure
if it is an actual namespacing issue or it is a separate bug to do with
unix domain sockets.
Unfortunately the workaround of attach_disconnect is still required to
deal with these issues.
Hi,
I think bug 1594202 is another data point for this:
Jun 20 01:49:24 omicron kernel: [ 962.491873] audit: type=1400
audit(1466380164.941:90): apparmor="ALLOWED" operation="sendmsg"
info="Failed name lookup - disconnected path" error=-13
profile="/usr/lib/dovecot/log" name="run/systemd/journal/d
Actually the dovecot profiles are in apparmor and not dovecot source
packages - so it would be an apparmor task then.
Correct.
There are actually several ways to get disconnected paths and this
specific one is being caused by the new file ns. The proper fix for this
is delegating access to the object that would not normally be
accessible, however delegation is not available in the current releases
of apparmor and
Okay, so, I had more time to dig a bit into this and, after some
analysis, I got:
Errors being reproduced:
[1668392.078137] audit: type=1400 audit(1459311786.129:1375455):
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/dnsmasq" nam
Yep, you're right. It was getting /dev/log from abstractions/base for
write only. My bad.
Though,
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070/comments/6
Shows same issue.
Though,
For comments:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070/comments/7
If you remove /dev/log rwx from /etc/apparmor.d/usr.sbin.rsyslog :
Using kernel Ubuntu-3.13.x DOES NOT show any DENIALS (Ubuntu-3.16,
Ubuntu-3.19 and Ubuntu-4.2 HWE kernels show).
Using upstream kern
As expected, that's a totally different issue.
Please add
/dev/log r,
to your rsyslogd profile.
I am able to reproduce this just by having apparmor.d profile
usr.sbin.rsyslogd removed from disable/ directory.
[ 674.165128] audit: type=1400 audit(1456491880.616:134): apparmor="DENIED"
operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3639
comm="dhclient" requested_mask="
Pavel, Déziel,
I'm reproducing the same issue with dnsmasq + openstack + neutron:
Feb 16 18:35:01 juju-inaddy-machine-12 kernel: [ 4357.680900] audit:
type=1400 audit(1455647701.796:121): apparmor="DENIED"
operation="sendmsg" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/sb
I'm affected by this bug too at Trusty + Vivid HWE
# lsb_release -rd
Description:Ubuntu 14.04.3 LTS
Release:14.04
# uname -a
Linux amanda 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:25:23 UTC
2015 i686 i686 i686 GNU/Linux
# dpkg -l | grep linux-image-generic
ii linux-ima
** Also affects: rsyslog (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1373070
Title:
full fix for disconnected path (paths)
To manage notificat
To add one more data point, my Trusty server using the Utopic HWE kernel
also exhibits the problem:
May 21 12:27:28 xeon kernel: [95104.918686] audit: type=1400
audit(1432225648.230:57): apparmor="DENIED" operation="sendmsg"
info="Failed name lookup - disconnected path" error=-13
profile="/usr/sbi
This bug was fixed in the package cups - 1.7.5-3ubuntu1
---
cups (1.7.5-3ubuntu1) utopic; urgency=medium
* debian/local/apparmor-profile:
- fix peer on signal rule to use /usr/sbin/cupsd//third_party
(LP: #1376611)
- temporarily use attach_disconnected to work around L
** Changed in: cups (Ubuntu)
Status: New => In Progress
** Changed in: cups (Ubuntu)
Importance: Undecided => High
** Changed in: cups (Ubuntu)
Assignee: (unassigned) => Jamie Strandboge (jdstrand)
I'm going to need to add attach_disconnected to the cups profile as a
temporary workaround. When this bug is fixed, we need to undo that.
Here is another:
Sep 10 09:06:00 callisto kernel: audit: type=1400 audit(1410332760.203:112):
apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected
path" error=-13 profile="/usr/sbin/cupsd" name="run/dbus/system_bus_socket"
pid=3608 comm="cupsd" requested_mask="rw" denied