MAAS rack server triggers AppArmor denial for wgetrc

Bug #2017694 reported by Adam Vest
This bug affects 1 person
Affects | Status  | Importance | Assigned to | Milestone
MAAS    | Triaged | Medium     | Unassigned  |

Bug Description

Hello,

I'm just opening this bug to report an AppArmor denial that a MAAS rackd server is triggering:
---
Apr 25 19:17:46 host kernel: [ 953.022732] audit: type=1400 audit(1682450266.288:71): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/wgetrc" pid=82633 comm="wget" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 25 19:18:16 host kernel: [ 983.040451] audit: type=1400 audit(1682450296.308:72): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/wgetrc" pid=83441 comm="wget" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 25 19:18:46 host kernel: [ 1013.023824] audit: type=1400 audit(1682450326.292:73): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/wgetrc" pid=84330 comm="wget" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
---

As can be seen, this is being logged every 30 seconds, though I'm not sure what process specifically is triggering this. The overall function of the rack controller does not seem to be getting impeded by this denial, so it's mainly an inconvenience in clogging up the syslog (I guess aside from the inability to modify wgetrc in a way that MAAS can use).

Recommend evaluating if MAAS should have read access to that file (probably should?), and if so, correcting the AppArmor profile accordingly, or if not, adjusting MAAS to stop trying to access it?

Thank you for your time!

Running:
root # snap list maas
Name Version Rev Tracking Publisher Notes
maas 3.3.2-13177-g.a73a6e2bd 27109 3.3/stable canonical✓ -

Alberto Donato (ack) wrote :

The snap doesn't have an /etc/wgetrc file; we should be able to silence that message by adding --no-config to the wget command line where it's used in MAAS.

Note that the message is not really causing issues, since wget will just fail to read the file and ignore it.

Changed in maas:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 3.5.0
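
For triaging recurring denials like the ones quoted in the bug description, the following added example (not part of the original report and not MAAS code) parses kernel AppArmor audit records, groups DENIED events by profile, command, operation, path and mask, and reports how often each group repeats. The function names and the `min_count` threshold are assumptions made for illustration; the sample input is the three log lines from the report.

```python
import re
import shlex
from collections import defaultdict
from statistics import median

# The three denial records quoted in the bug description.
SAMPLE = """\
Apr 25 19:17:46 host kernel: [ 953.022732] audit: type=1400 audit(1682450266.288:71): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/wgetrc" pid=82633 comm="wget" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 25 19:18:16 host kernel: [ 983.040451] audit: type=1400 audit(1682450296.308:72): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/wgetrc" pid=83441 comm="wget" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 25 19:18:46 host kernel: [ 1013.023824] audit: type=1400 audit(1682450326.292:73): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/etc/wgetrc" pid=84330 comm="wget" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Captures the epoch timestamp inside audit(...) and the key=value tail.
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+(?P<fields>apparmor=.*)$')
GROUP_KEYS = ("profile", "comm", "operation", "name", "denied_mask")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # shlex strips the double quotes around values such as name="/etc/wgetrc".
    fields = dict(tok.split("=", 1) for tok in shlex.split(m["fields"]) if "=" in tok)
    if fields.get("apparmor") != "DENIED":
        return None
    fields["ts"] = float(m["ts"])
    return fields


def recurring_denials(lines, min_count=3):
    """Group denials by GROUP_KEYS; report count and median gap in seconds."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_denial(line)
        if rec:
            groups[tuple(rec.get(k, "?") for k in GROUP_KEYS)].append(rec["ts"])
    report = {}
    for key, stamps in groups.items():
        if len(stamps) >= min_count:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            report[key] = {"count": len(stamps), "period_s": round(median(gaps), 1)}
    return report


if __name__ == "__main__":
    for key, info in recurring_denials(SAMPLE.splitlines()).items():
        print(dict(zip(GROUP_KEYS, key)), info)
```

A steady period with a different pid on each record, as here, points at a scheduled task spawning a fresh process each time rather than one long-running process retrying.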