Nameservice abstraction should also include /var/run/resolvconf/resolv.conf

Bug #132468 reported by David McBride
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: apparmor

The Nameservice abstraction configuration file (/etc/apparmor.d/abstractions/nameservice) permits read access to (amongst other paths) /etc/resolv.conf.

However, on systems using resolvconf, this is a symbolic link to /etc/resolvconf/run/resolv.conf -- where /etc/resolvconf/run itself is a symlink to /var/run/resolvconf.

AppArmor does not follow symlinks; as a result, apparmor'd applications which include the nameservice abstraction in their policy definition are unable to read /var/run/resolvconf/resolv.conf.

This is a bug, and (for example) breaks CUPS.

Adding /var/run/resolvconf/resolv.conf to /etc/apparmor.d/abstractions/nameservice corrects this problem. This should probably become the default.
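
The failure described in this report can be checked offline with the sketch below. It is an added example, not part of the original report and not AppArmor's own code: it resolves a path through its symlinks and tests the resolved target against the read rules of a policy excerpt. The function names, the supported glob subset, the temporary directory tree (which uses relative links as a stand-in for the layout above) and the BEFORE/AFTER rule excerpts are all constructed for illustration.

```python
import os, re, tempfile

def aa_glob_to_regex(glob):
    """AppArmor path glob -> anchored regex (subset: **, *, ?, {a,b})."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):          # ** may cross '/' boundaries
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")      # * stays within one component
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def read_rules(policy):
    """Collect the path rules that grant 'r' from policy text."""
    rules = []
    for line in policy.splitlines():
        m = re.match(r"\s*(/\S*)\s+([a-zA-Z]+),", line.split("#")[0])
        if m and "r" in m.group(2):
            rules.append(aa_glob_to_regex(m.group(1)))
    return rules

def check_read(path, policy, root=""):
    """Resolve symlinks under root, then test the target against the rules."""
    root = os.path.realpath(root) if root else ""
    target = os.path.realpath(root + path)[len(root):]
    return target, any(r.match(target) for r in read_rules(policy))

def build_resolvconf_tree():
    """Constructed stand-in for the layout in the report (relative links)."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/var/run/resolvconf")
    os.makedirs(root + "/etc/resolvconf")
    open(root + "/var/run/resolvconf/resolv.conf", "w").close()
    os.symlink("../../var/run/resolvconf", root + "/etc/resolvconf/run")
    os.symlink("resolvconf/run/resolv.conf", root + "/etc/resolv.conf")
    return root

# Constructed excerpts, not the shipped abstraction file.
BEFORE = "  /etc/resolv.conf r,\n  /etc/hosts r,\n"
AFTER = BEFORE + "  /var/run/resolvconf/resolv.conf r,\n"

if __name__ == "__main__":
    root = build_resolvconf_tree()
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, check_read("/etc/resolv.conf", policy, root))
```

Calling check_read("/etc/resolv.conf", policy) with no root runs the same check against the live filesystem, using the text of the real abstraction file as policy.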

Mathias Gug (mathiaz)
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Steve Beattie (sbeattie) wrote :

I've added /var/run/resolvconf/resolv.conf to the upstream nameservice abstraction (svn rev 904).

Bohdan Kmit' (mit) wrote :

For bind9 to operate properly with the resolvconf package installed, we also need to add
"/var/run/bind/named.options" to the "/etc/apparmor.d/usr.sbin.named" profile.

Mathias Gug (mathiaz) wrote : Re: [Bug 132468] Re: Nameservice abstraction should also include /var/run/resolvconf/resolv.conf

Thanks for your report. I've added the file to the named profile.

Mathias Gug (mathiaz) wrote :

apparmor (2.1+961-0ubuntu1) gutsy; urgency=low

  * New upstream version.
    * Support resolvconf. Fix LP: #132468.
  * Move package maintainance to bzr:
    * Apply all patches directly into the tree with dpatch apply-all.
    * debian/patches/: remove all patches as they are applied inline now.
    * debian/control, debian/control.modules.in: remove dpatch from
      Build Depends.
    * debian/rules:
      * remove dpatch include.
      * remove patch and unpatch dependencies
  * debian/control:
    * Rename libapparmor-dev to libapparmor1-dev.
      Add Provides: and Conflict: tags.
    * Remove universe component in Section tag.
    * Remove apparmor-utils depends on bsdutils.
    * Update apparmor-modules Recommends to apparmor-modules-2.1.
  * utils/:
    * Add audit man page.
  * Fix mod_appamor library: remove rpath info.
    * debian/rules: remove rpath info.
    * debian/control: add chrpath as a build dependency.
  * Remove apparmor-modules-source package:
    * debian/conrol: remove apparmor-modules-source package.
    * debian/apparmor.postinst, debian/apparmor.preinst,
      debian/apparmor.prerm: remove error_handler function.
    * debian/rules: remove error_handler option from dh_installinit.
    * debian/apparmor-modules-_KVERS_.postinst.modules.in,
      debian/control.modules.in: remove control and postinst files.

 -- Mathias Gug <email address hidden> Tue, 11 Sep 2007 10:44:56 -0400

Changed in apparmor:
status: Triaged → Fix Released