[Bug 1869629] Re: please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
Launchpad Bug Tracker
1869629 at bugs.launchpad.net
Sat Apr 4 02:53:07 UTC 2020
This bug was fixed in the package apparmor - 2.13.3-7ubuntu3
---------------
apparmor (2.13.3-7ubuntu3) focal; urgency=medium
* Add upstream-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch
(LP: #1869629)
-- John Johansen <john.johansen at canonical.com> Wed, 01 Apr 2020 01:05:30 -0700
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1869629
Title:
please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
Status in snapd:
Triaged
Status in apparmor package in Ubuntu:
Fix Released
Status in chrony package in Ubuntu:
Invalid
Bug description:
In focal, users of mdns get denials in apparmor-confined applications.
An example can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED"
operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow"
pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r"
fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so
/etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mdns.allow contains the domains to resolve with mDNS (in my
case, "local." and "local"; see
/usr/share/doc/libnss-mdns/README.html.)
Presumably chronyd calls a gethostbyX() somewhere, thus eventually
trickling down through the name service switch and opening
/etc/mdns.allow, which the AppArmor profile in the chrony package does
not allow.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: chrony 3.5-6ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sun Mar 29 15:02:39 2020
InstallationDate: Installed on 2020-03-26 (3 days ago)
InstallationMedia: Xubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200326)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)
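
Triage of denials like the one quoted above can be scripted. The following is an added example, not part of the bug report or of AppArmor: it counts DENIED events per profile and path, then checks which would still be denied once the requested `/etc/mdns.allow r,` rule is present. Assumptions: the confined profile includes the mdns abstraction, only literal (non-glob) path rules are handled, `/usr/sbin/example` is a hypothetical profile, and every log line after the first is constructed.

```python
import re
from collections import Counter

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
RULE = re.compile(r'^\s*(/\S+)\s+([rwaklmx]+),\s*$')  # literal path rules only

# First line: the denial from the bug report, joined onto one line.
# Remaining lines are constructed for this example.
SAMPLE_LOG = """\
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517169.101:64): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517170.220:65): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585517171.300:66): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/var/lib/example/state" pid=4242 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
"""
ABSTRACTION_RULE = "  /etc/mdns.allow r,\n"  # the rule requested in the report

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {k: quoted if quoted else bare for k, quoted, bare in FIELD.findall(line)}

def count_denials(log):
    """Count AppArmor DENIED file events per (profile, path, denied_mask)."""
    counts = Counter()
    for line in log.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") == "DENIED" and "name" in f:
            counts[(f.get("profile", "?"), f["name"], f.get("denied_mask", ""))] += 1
    return counts

def parse_rules(text):
    """Map each literal path to the set of access letters its rules grant."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).update(m.group(2))
    return rules

def still_denied(counts, rules):
    """Return the denial keys whose denied access the rules do not grant."""
    return sorted(k for k in counts if not set(k[2]) <= rules.get(k[1], set()))

if __name__ == "__main__":
    denials = count_denials(SAMPLE_LOG)
    for key, n in denials.most_common():
        print(n, *key)
    print("still denied:", still_denied(denials, parse_rules(ABSTRACTION_RULE)))
```

Denials that remain after the rule is applied need their own review rather than a blanket allow.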