FS#65777 - [apparmor] /run/systemd/userdb read access requested by random apps such as ntpd and avahi-daemon

Attached to Project: Arch Linux
Opened by Vinícius dos Santos Oliveira (vinipsmaker) - Wednesday, 11 March 2020, 01:37 GMT
Last edited by David Runge (dvzrv) - Thursday, 23 April 2020, 18:07 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

This problem has been happening since systemd 245.

Here is a sample log:

type=AVC msg=audit(1583883237.394:83): apparmor="DENIED" operation="open" profile="avahi-daemon" name="/run/systemd/userdb/" pid=1100 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1583883239.157:103): apparmor="DENIED" operation="open" profile="ntpd" name="/run/systemd/userdb/" pid=1393 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Should the file /etc/apparmor.d/usr.sbin.ntpd be modified to have access to /run/systemd/userdb?
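
Added example, not part of the original report or of AppArmor's tooling: a small parser for audit records like the two above that groups denials by path, so a path denied to several unrelated profiles stands out from a single-profile problem. The function names and the hex decoding of `name` and `comm` are assumptions of this sketch, and the printed rule is only a candidate to review.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the report, each on one line.
SAMPLE_LOG = """\
type=AVC msg=audit(1583883237.394:83): apparmor="DENIED" operation="open" profile="avahi-daemon" name="/run/systemd/userdb/" pid=1100 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1583883239.157:103): apparmor="DENIED" operation="open" profile="ntpd" name="/run/systemd/userdb/" pid=1393 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the audit subsystem writes as bare hex when the value contains
# spaces or other unsafe characters (assumed here: name and comm).
HEX_FIELDS = {"name", "comm"}

def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1]
        elif key in HEX_FIELDS:
            try:
                raw = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all, keep the raw token
        fields[key] = raw
    return fields

def denied_by_path(log_text):
    """Map (path, denied_mask) -> sorted list of profiles that were denied it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED" and "name" in rec:
            hits[(rec["name"], rec.get("denied_mask", ""))].add(rec.get("profile", "?"))
    return {key: sorted(profiles) for key, profiles in hits.items()}

def shared_denials(log_text, min_profiles=2):
    """Denials hit by several profiles, with a candidate file rule to review."""
    return {
        f"{path} {mask},": profiles
        for (path, mask), profiles in denied_by_path(log_text).items()
        if len(profiles) >= min_profiles
    }

if __name__ == "__main__":
    for rule, profiles in shared_denials(SAMPLE_LOG).items():
        print(f"{rule}  # denied to: {', '.join(profiles)}")
```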

Closed by  David Runge (dvzrv)
Thursday, 23 April 2020, 18:07 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed with apparmor 2.13.4-3
Comment by loqs (loqs) - Wednesday, 11 March 2020, 12:15 GMT
@vinipsmaker can you please report the issue upstream at [1]? systemd 245 added a new feature [2].

[1] https://gitlab.com/apparmor/apparmor/-/issues
[2] https://github.com/systemd/systemd/blob/v245/NEWS#L27
Comment by Vinícius dos Santos Oliveira (vinipsmaker) - Wednesday, 11 March 2020, 14:07 GMT
Comment by David Runge (dvzrv) - Tuesday, 31 March 2020, 10:05 GMT
I've tried adding the patch, but it breaks tests: https://gitlab.com/apparmor/apparmor/-/issues/88