On 2020-04-11 9:04 p.m., Simon Déziel wrote:
> On 2020-04-10 1:16 p.m., Jamie Strandboge wrote:
>> The abstraction is meant to cover the client, not systemd internal
>> specifics. A client simply accessing that DBus API won't need it and a
>> client simply accessing those sockets won't need it. It very well might
>> be that a profiled application is using some *ctl command from systemd
>> that would need it, but in that case said command would need to be added
>> to the policy and the boot-id could be added at that time.
>
> I don't know as squid, named and samba (to name a few) generate many
> denials trying to read /proc/sys/kernel/random/boot_id. None of those
> are explicitly trying to use the DynamicUser feature. Could it be just a
> side effect of how nsswitch.conf is setup by default?
>
> $ grep systemd /etc/nsswitch.conf
> passwd: files systemd
> group: files systemd
This is indeed due to having systemd in the default nsswitch.conf. I've
reported the problem in LP: #1872564

Simon

--
https://bugs.launchpad.net/bugs/1869024

Title:
  add support for DynamicUser feature of systemd

Status in snapd:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  systemd offers to create dynamic (and semi-stable) users for services.
  This causes many services using AppArmor profiles to trigger those
  denials (even when they don't use the DynamicUser feature):

  audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=709 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"

  And more recently with systemd 245 this also gets shown:

  audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Additional information:

  # lsb_release -rd
  Description:    Ubuntu Focal Fossa (development branch)
  Release:        20.04

  # uname -a
  Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  # apt-cache policy apparmor squid
  apparmor:
    Installed: 2.13.3-7ubuntu2
    Candidate: 2.13.3-7ubuntu2
    Version table:
   *** 2.13.3-7ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
  squid:
    Installed: 4.10-1ubuntu1
    Candidate: 4.10-1ubuntu1
    Version table:
   *** 4.10-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
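The two denial shapes quoted in this bug (a type=1107 DBus call to org.freedesktop.systemd1.Manager GetDynamicUsers, and a type=1400 open of /run/systemd/userdb/) are exactly what the nss-systemd module produces when nsswitch.conf lists systemd for passwd/group. The triage script below is an added example, not part of the bug report or of AppArmor; it parses AppArmor audit lines and separates this nss-systemd noise from a service's own denials so an operator can tell which entries the abstraction fix addresses. The log lines are constructed from the report plus one made-up unrelated denial for contrast.

```python
import re

# Constructed sample: the two denials from the bug report, one unrelated
# (made-up) denial for a different profile, and one non-AppArmor line.
SAMPLE_LOG = """\
audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=709 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"
audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585139001.000:40): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/db.example" pid=800 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: unrelated message without any apparmor fields
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    # type=1107 (DBus) names the confined process in label=, type=1400 in profile=
    fields["subject"] = fields.get("profile") or fields.get("label")
    return fields


def is_systemd_nss_denial(fields):
    """True when the denial is the nss-systemd lookup described in this bug,
    i.e. caused by 'passwd/group: files systemd' rather than by the service."""
    op = fields.get("operation")
    if op == "dbus_method_call":
        return (fields.get("interface") == "org.freedesktop.systemd1.Manager"
                and fields.get("member") == "GetDynamicUsers")
    if op == "open":
        return fields.get("name", "").startswith("/run/systemd/userdb/")
    return False


def triage(log_text):
    """Group DENIED entries per confined profile into nss-systemd noise vs. other."""
    report = {}
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        bucket = "nss_systemd" if is_systemd_nss_denial(f) else "other"
        target = f.get("member") or f.get("name")
        entry = report.setdefault(f["subject"], {"nss_systemd": [], "other": []})
        entry[bucket].append((f["operation"], target))
    return report


if __name__ == "__main__":
    for profile, buckets in triage(SAMPLE_LOG).items():
        print(profile, buckets)
```

Entries in the "nss_systemd" bucket are the ones the updated nameservice abstraction is meant to cover; anything left in "other" still needs a policy decision for that service.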