Closed Jeroen0494 closed 10 months ago
Most of your issues should be fixed now.
Also, since the switch to a custom generated libexec solution, a lot more programs have started misbehaving on my system. I think there are some missing paths. Is there a way to easily check which ones have been generated?
Can you tell me if you got some output when running: aa-log | grep error. Also, do you have some profiles that used to be confined and that are not confined anymore?
Ubuntu has some libexec paths under multiarch:
jeroen@jeroen-XPS-13-9370:~$ aa-log -f /var/log/audit/audit.log.3 | grep libexec
ALLOWED kglobalaccel5//null-@{bin}/kstart getattr @{lib}/@{multiarch}/libexec/drkonqi-coredump-processor comm=kstart5 requested_mask=r denied_mask=r
ALLOWED kglobalaccel5//null-@{bin}/kstart//null-@{bin}/konsole getattr @{lib}/@{multiarch}/libexec/drkonqi-coredump-processor comm=konsole requested_mask=r denied_mask=r
jeroen@jeroen-XPS-13-9370:~$ aa-log -f /var/log/audit/audit.log.4 | grep libexec
ALLOWED ksmserver//null-@{lib}/@{multiarch}/libexec/kscreenlocker_greet open /var/cache/fontconfig/96ec562c-c213-4d76-a43e-33a27231e19b-le64.cache-7 comm=kscreenlocker_g requested_mask=r denied_mask=r
ALLOWED ksmserver//null-@{lib}/@{multiarch}/libexec/kscreenlocker_greet getattr /var/cache/fontconfig/96ec562c-c213-4d76-a43e-33a27231e19b-le64.cache-7 comm=kscreenlocker_g requested_mask=r denied_mask=r
[...]
I don't have many other examples right now, because all of the KDE errors are spamming my audit logs.
jeroen@jeroen-XPS-13-9370:~$ aa-log -f /var/log/audit/audit.log.3 | grep error
ALLOWED bluetoothd sendmsg owner run/systemd/notify info="Failed name lookup - disconnected path" comm=bluetoothd requested_mask=w denied_mask=w error=-13
ALLOWED bluetoothd sendmsg owner run/systemd/journal/dev-log info="Failed name lookup - disconnected path" comm=bluetoothd requested_mask=w denied_mask=w error=-13
ALLOWED bluetoothd connect owner run/dbus/system_bus_socket info="Failed name lookup - disconnected path" comm=bluetoothd requested_mask=wr denied_mask=wr error=-13
ALLOWED usbguard-daemon sendmsg owner run/systemd/journal/dev-log info="Failed name lookup - disconnected path" comm=usbguard-daemon requested_mask=w denied_mask=w error=-13
One example of a profile that stopped working is bluetoothd:
jeroen@jeroen-XPS-13-9370:~$ sudo journalctl -ru bluetoothd
-- No entries --
jeroen@jeroen-XPS-13-9370:~$ sudo systemctl status -l bluetoothd
Unit bluetoothd.service could not be found.
jeroen@jeroen-XPS-13-9370:~$ sudo systemctl status -l bluetooth
× bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2023-09-05 15:39:04 CEST; 39min ago
Docs: man:bluetoothd(8)
Process: 6079 ExecStart=/usr/lib/bluetooth/bluetoothd (code=exited, status=1/FAILURE)
Main PID: 6079 (code=exited, status=1/FAILURE)
CPU: 120ms
sep 05 15:39:03 jeroen-XPS-13-9370 bluetoothd[6079]: D-Bus setup failed: Failed to connect to socket /run/dbus/system_bus_socket: Permission denied
sep 05 15:39:03 jeroen-XPS-13-9370 systemd[1]: bluetooth.service: Main process exited, code=exited, status=1/FAILURE
sep 05 15:39:03 jeroen-XPS-13-9370 systemd[1]: bluetooth.service: Failed with result 'exit-code'.
sep 05 15:39:03 jeroen-XPS-13-9370 systemd[1]: Failed to start Bluetooth service.
sep 05 15:39:04 jeroen-XPS-13-9370 systemd[1]: bluetooth.service: Scheduled restart job, restart counter is at 5.
sep 05 15:39:04 jeroen-XPS-13-9370 systemd[1]: Stopped Bluetooth service.
sep 05 15:39:04 jeroen-XPS-13-9370 systemd[1]: bluetooth.service: Start request repeated too quickly.
sep 05 15:39:04 jeroen-XPS-13-9370 systemd[1]: bluetooth.service: Failed with result 'exit-code'.
sep 05 15:39:04 jeroen-XPS-13-9370 systemd[1]: Failed to start Bluetooth service.
jeroen@jeroen-XPS-13-9370:~$ sudo apparmor_parser -R /etc/apparmor.d/bluetoothd
jeroen@jeroen-XPS-13-9370:~$ sudo systemctl restart bluetooth
jeroen@jeroen-XPS-13-9370:~$ sudo systemctl status -l bluetooth
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-09-05 16:18:39 CEST; 3s ago
Docs: man:bluetoothd(8)
Main PID: 11065 (bluetoothd)
Status: "Running"
Tasks: 1 (limit: 18729)
Memory: 1.2M
CPU: 69ms
CGroup: /system.slice/bluetooth.service
└─11065 /usr/lib/bluetooth/bluetoothd
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSink/aptx
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSource/aptx
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSink/sbc
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSource/sbc
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSink/sbc_xq_453
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSource/sbc_xq_453
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSink/sbc_xq_512
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSource/sbc_xq_512
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSink/sbc_xq_552
sep 05 16:18:40 jeroen-XPS-13-9370 bluetoothd[11065]: Endpoint registered: sender=:1.47 path=/MediaEndpoint/A2DPSource/sbc_xq_552
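An added example, not part of the thread or of the project's tooling: a small parser for the aa-log line format shown above. It groups the two problems visible in these logs: "disconnected path" failures per profile, and exec targets running under a `//null-` child profile, which AppArmor creates in complain mode when the parent has no exec rule for the binary. The field layout is inferred from the lines in the thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: aa-log lines copied from the thread above.
SAMPLE = r'''
ALLOWED bluetoothd sendmsg owner run/systemd/notify info="Failed name lookup - disconnected path" comm=bluetoothd requested_mask=w denied_mask=w error=-13
ALLOWED bluetoothd connect owner run/dbus/system_bus_socket info="Failed name lookup - disconnected path" comm=bluetoothd requested_mask=wr denied_mask=wr error=-13
ALLOWED usbguard-daemon sendmsg owner run/systemd/journal/dev-log info="Failed name lookup - disconnected path" comm=usbguard-daemon requested_mask=w denied_mask=w error=-13
ALLOWED kglobalaccel5//null-@{bin}/kstart//null-@{bin}/konsole getattr @{lib}/@{multiarch}/libexec/drkonqi-coredump-processor comm=konsole requested_mask=r denied_mask=r
ALLOWED ksmserver//null-@{lib}/@{multiarch}/libexec/kscreenlocker_greet getattr /var/cache/fontconfig/96ec562c-c213-4d76-a43e-33a27231e19b-le64.cache-7 comm=kscreenlocker_g requested_mask=r denied_mask=r
'''

# key=value fields; values may be double-quoted and contain spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one aa-log line into positional fields and key=value pairs.
    Assumes the object name contains no spaces (true for the lines above)."""
    m = KV.search(line)
    head = (line[:m.start()] if m else line).split()
    if len(head) < 3 or head[0] not in ("ALLOWED", "DENIED"):
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec.update(verdict=head[0], profile=head[1], op=head[2],
               name=head[-1] if len(head) > 3 else "")
    return rec

def triage(text):
    """Return (disconnected, missing_exec).
    disconnected: profile -> sorted names that failed with 'disconnected path'
    missing_exec: parent profile -> sorted exec targets seen as //null- children"""
    disconnected, missing_exec = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse, text.splitlines())):
        if "disconnected path" in rec.get("info", ""):
            disconnected[rec["profile"]].add(rec["name"])
        parts = rec["profile"].split("//null-")
        for parent, child in zip(parts, parts[1:]):
            missing_exec[parent].add(child)
    return ({p: sorted(v) for p, v in disconnected.items()},
            {p: sorted(v) for p, v in missing_exec.items()})

if __name__ == "__main__":
    disc, execs = triage(SAMPLE)
    for profile, names in disc.items():
        print(f"{profile}: disconnected path on {', '.join(names)}")
    for parent, targets in execs.items():
        print(f"{parent}: no exec rule for {', '.join(targets)}")
```

In AppArmor generally (not stated in the thread), profiles in the first group are usually fixed by adding `flags=(attach_disconnected)` to the profile, and entries in the second group by adding an exec rule for the listed binary.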
Thanks. The issue with bluetoothd and usbguard is easily solved (it used to be part of the project a long time ago I think).
The other seems to be a classic distribution path nightmare. Nothing strictly related to the variables change (actually, there are fewer issues of this kind now).
Great, thanks. I've made a crude list of libexec paths on an Ubuntu 22.04 installation, I think all are covered now except for package-specific ones:
jeroen@jeroen-XPS-13-9370:~$ sudo find /usr -type d -name "*libexec*"
/usr/libexec
/usr/lib/x86_64-linux-gnu/libexec
/usr/lib/x86_64-linux-gnu/qt5/libexec
/usr/lib/ruby/gems/2.7.0/gems/bundler-2.1.2/libexec
/usr/lib/ruby/gems/3.0.0/gems/erb-2.2.0/libexec
/usr/lib/ruby/gems/3.0.0/gems/bundler-2.2.22/libexec
/usr/lib/kauth/libexec
jeroen@jeroen-XPS-13-9370:~$ ls -l /
total 424
lrwxrwxrwx 1 root root 7 nov 12 2022 bin -> usr/bin
drwx------ 5 root root 4096 sep 5 14:19 boot
drwxr-xr-x 2 root root 4096 nov 10 2018 cdrom
drwxr-xr-x 23 root root 4960 sep 5 16:17 dev
drwxr-xr-x 203 root root 12288 sep 5 14:18 etc
drwxr-xr-x 3 jeroen root 4096 jun 19 2020 home
lrwxrwxrwx 1 root root 34 sep 8 2020 initrd.img -> boot/initrd.img-4.15.0-117-generic
lrwxrwxrwx 1 root root 34 sep 8 2020 initrd.img.old -> boot/initrd.img-4.15.0-115-generic
lrwxrwxrwx 1 root root 7 nov 12 2022 lib -> usr/lib
lrwxrwxrwx 1 root root 9 nov 12 2022 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 nov 12 2022 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 nov 12 2022 libx32 -> usr/libx32
drwx------ 2 root root 16384 nov 10 2018 lost+found
drwxr-xr-x 4 root root 4096 mei 5 2019 media
drwxr-xr-x 4 root root 4096 okt 5 2020 mnt
drwxr-xr-x 8 root root 4096 mei 28 22:53 opt
dr-xr-xr-x 389 root root 0 sep 5 15:37 proc
drwx------ 18 root root 4096 sep 5 16:18 root
drwxr-xr-x 44 root root 1300 sep 5 16:17 run
lrwxrwxrwx 1 root root 8 nov 12 2022 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 nov 8 2018 srv
dr-xr-xr-x 13 root root 0 sep 5 15:37 sys
drwxrwxrwt 37 root root 20480 sep 5 21:40 tmp
drwxr-xr-x 16 root root 4096 nov 12 2022 usr
drwxr-xr-x 13 root root 4096 feb 16 2023 var
Hi,
I'm currently unable to work on AppArmor profiles myself, but I know you're always happy with some error logs so here we go. Some of these are a bit older and might already be fixed:
Also, since the switch to a custom generated libexec solution, a lot more programs have started misbehaving on my system. I think there are some missing paths. Is there a way to easily check which ones have been generated?