apparmor stays active even when the service is disabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd (Ubuntu) |
In Progress
|
Medium
|
Unassigned |
Bug Description
Trying to access a fresh install of MySQL, what a complete pain that is!! I installed mysql-workbench
Running aa-status I could see the app in the enforce category, so I made many attempts to move it to complain, but this failed and I'll file a bug report about that as well.
I decided to disable both the apparmor and ufw service.
However, the AppArmor permissions error dialog continue to appear and it's not possible to access the database.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: apparmor 2.13.3-7ubuntu5
ProcVersionSign
Uname: Linux 5.4.0-29-generic x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Fri May 15 09:40:01 2020
InstallationDate: Installed on 2020-03-10 (65 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200306)
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
Syslog:
May 15 09:38:16 owen-AOD255 dbus-daemon[1118]: [session uid=125 pid=1118] AppArmor D-Bus mediation is enabled
May 15 09:39:00 owen-AOD255 dbus-daemon[1762]: [session uid=1000 pid=1762] AppArmor D-Bus mediation is enabled
May 15 09:39:04 owen-AOD255 dbus-daemon[2353]: [session uid=125 pid=2353] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)
I'm not familiar with mysql-workbench -community, but looking at the logs I see:
May 14 17:44:33 owen-AOD255 kernel: [ 181.312508] audit: type=1400 audit(158947467 3.710:1024) : apparmor="DENIED" operation="connect" profile= "snap.mysql- workbench- community. mysql-workbench -community" name="/ run/uuidd/ request" pid=3579 comm="mysql- workbench" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
This issue was fixed in a recent commit to snapd, but it hasn't reached the stable channel yet (it should be in snapd 2.45). You can either:
* 'sudo snap install --devmode mysql-workbench -community' to work around the issue and put apparmor into complain mode
* 'sudo snap refresh snapd --edge' to pull in the edge build of snapd which has the fix
If choosing the former, when 'snap version' reports 2.45, you can install the snap in strict mode (omit --devmode). If the latter, when 'snap info snapd' reports that 2.45 is in the stable channel, run 'sudo snap refresh snapd --stable' to start tracking stable again.
This is not a bug in apparmor, but instead snapd. Triaging the bug as such.