[apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

Ian apparmor at zestysoft.com
Fri May 31 21:59:43 UTC 2019 

On Fri, 31 May 2019, Jamie wrote:
> On Fri, 31 May 2019, Ian wrote:
>
>>/The only thing outstanding is some trouble I run into after the initramfs />>/chroot transition but before the apparmor service starts: />>//>>/May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED" />>/operation="exec" info="profile transition not found" error=-13 />>/profile="init-sys />>/temd" name="/usr/bin/unshare" pid=5162 comm="(spawn)" />>/requested_mask="x" denied_mask="x" fsuid=0 ouid=0 />>/target="/usr/bin/unshare" />>/May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED" />>/operation="exec" info="profile transition not found" error=-13 />>/profile="init-sys />>/temd" name="/usr/bin/unshare" pid=5004 comm="(spawn)" />>/requested_mask="x" denied_mask="x" fsuid=0 ouid=0 />>/target="/usr/bin/unshare" />
>Notice it is /usr/bin/unshare here, but you mention below that
>'/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
>in the email or somewhere else?
>
>>/The /usr/sbin/unshare profile exists: />>//>>/root at 1546-w-dev 
<https://lists.ubuntu.com/mailman/listinfo/apparmor>:/etc/apparmor.d# 
cat usr.bin.unshare />>/profile usr.bin.unshare /usr/bin/unshare />>/flags=(complain,attach_disconnected) { />>/    #include <local/whitelist> />>/} /

Jamie,

That was a typo in the email. There is no /usr/sbin/unshare executable 
or profile.

After everything loads, if I restart the "lvm2-pvscan at 8:1" service that 
I think is responsible for those errors during boot (systemctl shows it 
as failed), it all works correctly.

---


On a different topic, when I attempted to run 'apt update', this happens:

    type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11011 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
    type=AVC msg=audit(1559334319.212:8851): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11013 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
    type=AVC msg=audit(1559334319.228:8852): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11015 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
    type=AVC msg=audit(1559334319.332:8853): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11017 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"


    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://us.archive.ubuntu.com/ubuntu bionic InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_bionic_InRelease
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.ubuntu.com/ubuntu bionic-security InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease


It's not clear to me why it thinks I would be requesting new privs when 
all of the profiles I've created have the exact same priv requests.  
It's also odd that apparmor is stating "ALLOWED" but then still blocking 
the execution?

Running pstree at the same time as apt shows the following order: 
systemd, sshd, sshd, sshd, bash, sudo, bash, apt, gpgv (and http, http), 
gpgv

    root at 1546-w-dev:/etc/apparmor.d# cat usr.lib.apt.methods.gpgv
    profile usr.lib.apt.methods.gpgv /usr/lib/apt/methods/gpgv
    flags=(complain) {
         #include <local/whitelist>
    }


    root at 1546-w-dev:/etc/apparmor.d# cat usr.bin.apt_key
    profile usr.bin.apt_key /usr/bin/apt-key flags=(complain) {
         #include <local/whitelist>
    }


Have I ran into this? 
https://lists.ubuntu.com/archives/apparmor/2018-November/011846.html

    root at 1546-w-dev:/etc/apparmor.d# uname -r
    4.15.0-50-generic

I see this problem with 'man' too.

I'm sooo close to getting this working...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190531/e36d9b7c/attachment-0001.html>

More information about the AppArmor mailing list