libnss-systemd was denied talking to pid1

Bug #1796911 reported by Andreas Hasenack
This bug affects 3 people
Affects            Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)  Fix Released  High        Jamie Strandboge

Bug Description

cosmic
apparmor 2.12-4ubuntu8
kernel 4.18.0-8-generic #9-Ubuntu

I'm getting these audit messages in dmesg showing apparmor denied errors:
[ 68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 161.059989] audit: type=1107 audit(1539095018.957:33): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1191 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 437.582034] audit: type=1107 audit(1539095295.553:34): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1534 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[ 468.184231] audit: type=1107 audit(1539095326.159:35): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1577 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

I pinged #ubuntu-hardened, and xnox had these comments:
<xnox> ha
<xnox> ahasenack, libnss-systemd was denied talking to pid1
<xnox> to query dynamicusers i think
<xnox> so i think something somewhere needs adjustment to allow libnss-systemd to talk to pid1 and call GetDynamicUsers
<xnox> LookupDynamicUserByName LookupDynamicUserByUID GetDynamicUsers
<xnox> as well
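
An added triage helper, not code from this bug report or from the apparmor package: it parses dmesg lines like the ones above, keeps only the D-Bus method-call denials, and builds one candidate dbus rule per confined profile in apparmor.d(5) syntax, so the Manager members xnox lists can be reviewed as a single rule instead of being allowed one denial at a time. The sample lines are constructed (the LookupDynamicUserByName line and the type=1400 file denial are assumed extras), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output modelled on the lines quoted in this bug.
# The LookupDynamicUserByName line and the type=1400 file denial are assumed
# extras, added only to show member grouping and filtering of non-D-Bus events.
SAMPLE_DMESG = """\
[   68.649187] audit: type=1107 audit(1539094926.655:32): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1091 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[  161.059989] audit: type=1107 audit(1539095018.957:33): pid=605 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=1191 label="/usr/sbin/named" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
[  200.000000] audit: type=1400 audit(1539095400.000:36): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/example.conf" pid=1600 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Only the quoted key="value" fields matter here; bare pid=/uid= fields are skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_dbus_denials(text):
    """Return one dict of fields per AppArmor DENIED line whose operation is a
    D-Bus method call; file, network and other denials are ignored."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("operation") == "dbus_method_call":
            denials.append(fields)
    return denials


def suggest_dbus_rules(denials):
    """Group denials by confined label and (bus, path, interface, mask, peer name,
    peer label), then emit one candidate rule per group in apparmor.d(5) dbus
    syntax, collapsing the denied members into a {a,b,...} alternation."""
    groups = defaultdict(set)
    for d in denials:
        key = (d["label"], d["bus"], d["path"], d["interface"],
               d["mask"], d["name"], d["peer_label"])
        groups[key].add(d["member"])
    rules = defaultdict(list)
    for (label, bus, path, iface, mask, name, peer), members in sorted(groups.items()):
        m = sorted(members)
        member = m[0] if len(m) == 1 else "{" + ",".join(m) + "}"
        rules[label].append(
            f"dbus {mask} bus={bus} path={path} interface={iface} "
            f"member={member} peer=(name={name}, label={peer}),"
        )
    return dict(rules)


# Candidate rules keyed by profile path; review before adding to a local override.
CANDIDATES = suggest_dbus_rules(parse_dbus_denials(SAMPLE_DMESG))
```

The output is a starting point for a profile review, not a drop-in fix: the member list should be narrowed to what the daemon actually needs, and the peer label should match the confinement of the system's pid 1.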

Revision history for this message
David Myers (demyers) wrote :

I see very similar errors with strongSwan when the daemon charon is run as non-root:

[119648.278942] audit: type=1107 audit(1540071113.311:674): pid=806 uid=105 auid=4294967295 ses=4294967295 subj==unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=26066 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.3-7ubuntu4

---------------
apparmor (2.13.3-7ubuntu4) focal; urgency=medium

  * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to
    RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it
    (LP: #1871148)
  * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets
    and DBus APIs. Patch partially based on work by Simon Deziel.
    (LP: #1796911, LP: #1869024)
  * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient:
    allow reading /etc/krb5.conf.d/
  * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading
    per-user themes from $XDG_DATA_HOME (Closes: #930031)
  * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access
    to top-level ecryptfs directories (LP: #1848919)
  * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access
    to /run/uuidd/request
  * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the
    kernel supports the i915 perf interface. Patch from Debian

 -- Jamie Strandboge <email address hidden> Mon, 06 Apr 2020 17:47:20 +0000

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released