Public bug reported:

Hello,

I have a job scheduled via an in-house task scheduler (using cron).
The task runs perfectly when it's run manually.
But it fails when run via cron.

The root user is used to run the task in both scenarios (manually and
cron).

We get the below apparmor denial when the task fails.

type=AVC msg=audit(1694139115.620:2843): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/etc/opt/AntiVirus/AntiVirus" name="docker/lib/overlay2/3b9cad843afb801cac4e4db319b1a764bd2387d2351cedfb1a4da23bcfa6ff6a/diff" pid=30238 comm="clamscan" requested_mask="r" denied_mask="r" fsuid=0 ouid=0^]FSUID="root" OUID="root"

After we add the above denial in the respective profile the task runs
seamlessly via cron as well.

I would like to understand what could be the cause of this denial.
Because in both scenarios we have the same process as well as the same scripts.
We are using Debian 10. We have updated the packages i.e., apt-get update to 
the latest.

Also, I added the env command to check the environments used in both
scenarios, and below is the output.

When run manually:
=========================
SHELL=/bin/bash
SUDO_GID=33
SUDO_COMMAND=su -s /bin/bash -c python3 -m script.sched_exec --exec --task-id 1234  >/dev/null 2>&1 root
SUDO_USER=www-data
PWD=/
LOGNAME=root
_=/usr/bin/env
APACHE_LOG_DIR=/var/log/apache2
HOME=/root
USERNAME=root
LANG=en_US.UTF-8
APACHE_PID_FILE=/var/run/apache2/apache2.pid
USER=root
APACHE_RUN_GROUP=www-data
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=2
APACHE_RUN_DIR=/var/run/apache2
APACHE_RUN_USER=www-data
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
SUDO_UID=33
MAIL=/var/mail/root
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When the task is run by the task scheduler (cron), the below env is used:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SHELL=/bin/sh
PWD=/root
LOGNAME=root
_=/usr/bin/env
HOME=/root
LANG=en_US.UTF-8
SHLVL=1
MAILTO=
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There is a difference in env...

So we wanted to understand the apparmor denial that came here.
Could you guys help us here?


Regards,
Shaheena K

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2035090

Title:
  AppArmor Denials when running a task via cron

Status in apparmor package in Ubuntu:
  New
