Full System AppArmor Policy - Testers Wanted!

That helps a lot.

Extracted from the last log.

Nov 14 16:24:58 host audit[14305]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/block/" pid=14305 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 14 16:25:09 host audit[1]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0C0A:00/power_supply/BAT0/" pid=1 comm="systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 14 16:25:09 host audit[14337]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/var/lib/apt/daily_lock" pid=14337 comm="apt.systemd.dai" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Nov 14 16:25:21 host audit[1]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0C0A:00/power_supply/BAT0/" pid=1 comm="systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 14 16:25:21 host audit[14347]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/var/lib/apt/daily_lock" pid=14347 comm="apt.systemd.dai" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Nov 14 16:25:32 host audit[14353]: AVC apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="init-systemd" name="/usr/sbin/kloak" pid=14353 comm="(kloak)" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/kloak"

Nov 14 16:25:46 host audit[14482]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/proc/modules" pid=14482 comm="lsmod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Let’s wait for @madaidan to fix these.

1 Like

No, this requires read access to the hard drive which is explicitly denied: apparmor-profile-everything/etc/apparmor.d/abstractions/dangerous-files at master · Kicksecure/apparmor-profile-everything · GitHub

We could slightly relax the restrictions to allow reading /sys/devices/pci**/block/{s,v}da/dev; however, this could potentially allow an attacker to bypass some restrictions and read sensitive files, e.g. System.map, which can aid further exploitation. Is there another way to implement this check?

Seems to be the same issue as we had with sdwdate, haveged and onion-grater. Might need to subtract some systemd hardening.

This is only allowed in aadebug mode: apparmor-profile-everything/etc/apparmor.d/abstractions/aadebug at master · Kicksecure/apparmor-profile-everything · GitHub

1 Like

Not that I know. The live mode check needs some way to know if the kernel thinks there are any devices mounted as read-write.

(It only detects live mode if all devices are mounted read-only.)

Happy for suggestions for alternatives.

Currently using this:

sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO

Would it help if instead that was /path/to/some/wrapper and sudo --non-interactive /path/to/some/wrapper? Happy to implement that too. Even such a wrapper being allowed to run wouldn’t be good enough?

(That wrapper would then run /bin/lsblk --noheadings --all --raw --output RO.)

1 Like

We could just create a profile directly for /bin/lsblk since it doesn’t appear to include any functionality that is especially dangerous (if it does, we can create a rapt-like wrapper). This would also allow using lsblk for other purposes.

1 Like

Should be fixed with this

1 Like

This is conflicting with apparmor-profile-everything/etc/apparmor.d/abstractions/dangerous-files at master · Kicksecure/apparmor-profile-everything · GitHub

Will need to also create a profile for /usr/lib/apt/apt.systemd.daily.

1 Like

Should now be fixed by

1 Like

Sounds great!
I doubt lsblk has dangerous functionality. Since its name begins with ls, it’s only an informational tool, not a manipulation tool.

1 Like

All merged and now available in testers repository.

2 Likes

I attempted to run this policy in Kicksecure and once I start lightdm to log in to Kicksecure, I get a black screen. I can go into a virtual console with CTRL+ALT+F1, and I attempted to uninstall apparmor-profile-everything and reboot: another black screen.

I then uninstalled apparmor and I’m able to log in to LightDM then XFCE no problem.

What log should I look for that is hindering me from successfully running apparmor-profile-everything?

Thanks,
sudobash

Post the full journalctl output whilst apparmor-profile-everything is active to a pastebin so I can analyze what’s wrong.

2 Likes

Yes madaidan, here is the log for journalctl with apparmor-profile-everything enabled and the grub setting apparmor set to 1. Using your custom kernel with kprobes enabled for LKRG.

https://pastebin.com/DCjSXDCp

There is another issue prior to booting in which async io failed to start, used sync io instead. This is when I enter my passphrase for the encrypted LUKS.

I appreciate all your support!
sudobash

2 Likes

Extracted errors:

audit[1164]: AVC apparmor="DENIED" operation="exec" profile="networking-aae" name="/etc/wpa_supplicant/ifupdown.sh" pid=1164 comm="run-parts" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit[1165]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/resolv.conf" pid=1165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1165]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/hosts" pid=1165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1258]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/virtual/dmi/id/product_uuid" pid=1258 comm="systemd-hostnam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1258]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/devices/virtual/dmi/id/chassis_type" pid=1258 comm="systemd-hostnam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1258]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/sys/firmware/acpi/pm_profile" pid=1258 comm="systemd-hostnam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:02.0/0000:03:00.0/drm/" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:02.0/0000:03:00.0/" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="capable" profile="Xorg" pid=1279 comm="Xorg" capability=23  capname="sys_nice"
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:02.0/0000:03:00.1/sound/card1/id" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="open" profile="Xorg" name="/sys/devices/pci0000:00/0000:00:1b.0/sound/card0/id" pid=1279 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1178]: AVC apparmor="DENIED" operation="file_receive" profile="dbus-daemon" name="/run/systemd/inhibit/2.ref" pid=1178 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=104 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="signal" profile="Xorg" pid=1279 comm="Xorg" requested_mask="send" denied_mask="send" signal=usr1 peer="unconfined"
audit[1475]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1475 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000

Please edit the specified files in /etc/apparmor.d/ and enter the required rules as follows. Make sure to enter the rules within the profile section, below the line “{” but above the “}”.

sbin.networking-aae:

/etc/wpa_supplicant/ifupdown.sh mrix,

usr.sbin.rsyslogd:

/etc/resolv.conf r,
/etc/hosts r,

abstractions/init-systemd:

/sys/devices/virtual/dmi/id/{product_uuid,chassis_type} r,
/sys/firmware/acpi/pm_profile r,
/dev/tty[0-9]* rw,

usr.lib.xorg.Xorg:

/sys/devices/pci[0-9]**/{,drm/} r,
/sys/devices/pci[0-9]**/sound/card[0-9]*/id r,
capability sys_nice,
signal send set=usr1 peer=unconfined,

Report back if this fixes anything. If not, send the logs in again.

@Patrick:

We need a good way of formatting the logs so it’s easier for us to parse. I’ve been experimenting with:

journalctl | grep "DENIED" | awk '{sub(/([^ ]+ +){4}/,"")}1' | grep -v "kernel: audit: type=" | sed -e 's/audit\[.*\]: //g' | sed -e 's/pid=.* comm/comm/g' | awk '!x[$0]++'

It seems to work well.

  • Removes the date and time.
  • Excludes the kernel: lines which are just duplicates of audit’s.
  • Removes the audit: and pid= parts since they are never really needed.
  • Removes duplicates.

We should also implement abstractions for certain weird files. E.g. /dev/tty* and those pci directories in /sys:

@{sysfs_pci}=/sys/devices/pci[0-9][0-9][0-9][0-9]:[0-9][0-9]/[0-9][0-9][0-9][0-9]:[0-9][0-9]:*.*/{,[0-9][0-9][0-9][0-9]:[0-9][0-9]:*.*/}
@{dev_tty}=/dev/tty[0-9]{,[0-9]}

2 Likes
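The hand-derived rules above (open denial to `path mask,`, exec to `path mrix,`, `capable` to `capability name,`, `signal` to `signal send set=... peer=...,`) and the pid/duplicate-stripping pipeline, as an added example written for this thread; it is not code from apparmor-profile-everything or from anyone in the thread. The sample log is constructed from denials quoted here, and what it prints are candidates to review against the profile's existing abstractions (e.g. dangerous-files), not rules to paste in unread.

```python
"""Turn AppArmor AVC DENIED lines into candidate profile rules.

Added example for this thread; not code from apparmor-profile-everything.
Rule forms follow the thread's hand-written fixes:
  open/mknod/file_receive -> "<path> <mask>,"
  exec                    -> "<path> mrix,"
  capable                 -> "capability <capname>,"
  signal                  -> "signal <mask> set=<signal> peer=<peer>,"
Exit status follows the apparmor-info convention: 1 if denials were found.
"""
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on `journalctl _TRANSPORT=audit` output from
# the thread.  pid/fsuid fields and a kernel: duplicate are included on
# purpose so the dedup step has something to collapse.
SAMPLE_LOG = """\
audit[1165]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/resolv.conf" pid=1165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1165]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/hosts" pid=1165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1166]: AVC apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/hosts" pid=1166 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1608000000.000:42): apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/hosts" pid=1166 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[1164]: AVC apparmor="DENIED" operation="exec" profile="networking-aae" name="/etc/wpa_supplicant/ifupdown.sh" pid=1164 comm="run-parts" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit[1279]: AVC apparmor="DENIED" operation="capable" profile="Xorg" pid=1279 comm="Xorg" capability=23  capname="sys_nice"
audit[1279]: AVC apparmor="DENIED" operation="signal" profile="Xorg" pid=1279 comm="Xorg" requested_mask="send" denied_mask="send" signal=usr1 peer="unconfined"
audit[1475]: AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/dev/tty1" pid=1475 comm="systemd-logind" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000
audit[2001]: AVC apparmor="DENIED" operation="mknod" profile="dbus-daemon" name="/home/user/.config/dconf/user.N4ZIV0" pid=2001 comm="dconf-service" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword; the audit[pid]: prefix has no '='
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor file rules only take these permissions; the log's c (create)
# and d (delete) are both granted by w in a rule.
PERM_ORDER = "rwalkm"


def parse_avc(line):
    """Return the key=value fields of a DENIED line, or None to skip it."""
    if 'apparmor="DENIED"' not in line:
        return None
    if "kernel: audit: type=" in line:
        return None  # same event, already seen via the audit transport
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def normalize_mask(mask):
    """Map a logged access mask to rule syntax, e.g. 'wr' -> 'rw', 'c' -> 'w'."""
    wanted = set(mask.replace("c", "w").replace("d", "w"))
    return "".join(p for p in PERM_ORDER if p in wanted)


def suggest_rule(f):
    """Candidate rule for one parsed denial, or None if no mapping applies."""
    op = f.get("operation")
    if op == "capable" and "capname" in f:
        return "capability %s," % f["capname"]
    if op == "signal" and "signal" in f:
        return "signal %s set=%s peer=%s," % (
            f.get("requested_mask", "send"), f["signal"], f.get("peer", "unconfined"))
    if "name" not in f:
        return None
    if op == "exec":
        return "%s mrix," % f["name"]
    mask = normalize_mask(f.get("denied_mask") or f.get("requested_mask", ""))
    return "%s %s," % (f["name"], mask) if mask else None


def suggest_rules(log_text):
    """Map profile -> sorted unique candidate rules (pid/fsuid ignored)."""
    by_profile = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or "profile" not in f:
            continue
        rule = suggest_rule(f)
        if rule:
            by_profile[f["profile"]].add(rule)
    return {p: sorted(r) for p, r in by_profile.items()}


def main(argv):
    """Read a log file (or the sample) and print rules grouped by profile."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    rules = suggest_rules(text)
    for profile in sorted(rules):
        print("# profile %s" % profile)
        for rule in rules[profile]:
            print("  " + rule)
    return 1 if rules else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feed it the output of `journalctl _TRANSPORT=audit --output cat` saved to a file; each printed rule still has to be placed inside the right profile's `{ ... }` block and checked against the abstractions that profile already includes.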

Would be a good addition for the helper-scripts package. Much better to tell users to run that command than logs with tons of duplicates. /usr/sbin/apparmor-info? The tool could later add further output. Anything needed for analysis.

Perhaps even an /etc/sudoers.d exception so users could run this from user user to ease gathering logs? That is, if this is safe. Maybe not? Could an application exfiltrate information using this? Inter process communication of confined compromised applications?

Maybe this helps with wrapper development. Systemd journal, since current boot only (better drop -b and eat duplicates later?), kernel messages only, output format without timestamps.

sudo journalctl -b -k --output cat | grep DENIED

or

sudo dmesg | grep DENIED

I guess journalctl output is an easier to parse starting point.

EDIT

Even better:

sudo journalctl _TRANSPORT=audit --output cat

Wrapper could be

sudo journalctl _TRANSPORT=audit --output cat "$@" | grep DENIED [...]

The "$@" to allow adding extra journalctl parameters such as -b.

2 Likes

Thank you for the support! I was able to boot into XFCE via LightDM no problem. However, sdwdate/gui is broken. The notification icon keeps looping and when trying to access the terminal log, it’s blank. sdwdate being broken disables Tor Browser due to time not syncing.

System Monitor: upon opening the app, Resources works fine; however, the Processes and File Systems tabs are disabled. Perhaps due to the hardened kernel as well as AppArmor?

Here are the current denieds in AppArmor:

sudo journalctl | grep "DENIED" | awk '{sub(/([^ ]+ +){4}/,"")}1' | grep -v "kernel: audit: type=" | sed -e 's/audit\[.*\]: //g' | sed -e 's/pid=.* comm/comm/g' | awk '!x[$0]++'
[sudo] password for user:
Dec 18 15:15:46 os AVC apparmor="DENIED" operation="open" profile="networking-aae" name="/etc/wpa_supplicant/functions.sh" comm="wpasupplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 18 15:13:39 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 15:13:40 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Dec 18 15:13:47 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml" comm="xfconfd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:47 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:47 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml" comm="xfconfd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:13:48 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 15:13:53 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=109 ouid=0
Dec 18 15:14:22 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 15:14:57 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:14:58 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:19:43 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=109 ouid=0
Dec 18 15:20:40 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=109 ouid=0
Dec 18 15:21:51 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:21:51 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:21:52 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:21:54 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:21:56 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:21:58 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:22:00 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:47:52 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:48:36 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:48:36 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:48:43 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/bin/gnome-keyring-daemon" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:00 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:49:21 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:49:22 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:23 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:24 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:28 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:35 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:36 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:37 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:38 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:49:42 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:52:47 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 15:52:52 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:52:53 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:52:54 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:53:03 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/dconf/dconf-service" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:54:03 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 18 15:55:36 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 15:55:38 os AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/5285/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 18 15:56:30 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 15:56:34 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 16:06:11 os AVC apparmor="DENIED" operation="open" profile="Xorg" name="/dev/dri/renderD128" comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 18 16:07:01 os AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/at-spi2-core/at-spi-bus-launcher" comm="dbus-daemon" requested_mask="x" denied_mask="x" fsuid=109 ouid=0
Dec 18 16:08:01 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 18 16:08:02 os AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/usr/share/defaults/at-spi2/accessibility.conf" comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Should I enable all of these?

Thank you,
sudobash

2 Likes

I think it should be restricted to root to be safe.

Add the following rules and see if it fixes anything:

sbin.networking-aae:

/etc/wpa_supplicant/*.sh mrix,

usr.lib.xorg.Xorg:

/dev/dri/renderD[0-9]* rw,

usr.bin.dbus-daemon:

/usr/share/defaults/at-spi2/accessibility.conf r,
/usr/share/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/*.xml{,.new} r,
/usr/lib/at-spi2-core/at-spi-bus-launcher mrix,
/usr/lib/dconf/dconf-service mrix,
/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd mrix,
/usr/bin/gnome-keyring-daemon mrix,

2 Likes

Merged. This will be very handy. Added a few minor commits on top.
Removed sudo from the script. I am not sure we should have any interactive sudo uses hardcoded in any scripts. Reasons:

  • major: shouldn’t train users to enter their sudo password at random applications. Using sudo should be a conscious action.
  • medium: not introducing an unnecessary dependency. sudo is not required for users already logged in as root / using capabilities. Perhaps one day we can go SUID free, which includes sudo free.
  • minor: sudo removes environment variables (for whatever use case that would be good here)

2 Likes

Man page.

NAME
apparmor-info - Shows AppArmor DENIED Log Messages

SYNOPSIS
apparmor-info

DESCRIPTION
Shows AppArmor DENIED log messages.

If there are no DENIED log messages, outputs nothing.

RETURN VALUES
○ 0 No DENIED messages found, OK.

○ 1 DENIED messages found.

EXAMPLE
sudo apparmor-info ; echo $?

0

No output from apparmor-info with exit code 0. Meaning, no DENIED messages found, OK.

2 Likes

We are getting closer to a working OS, however sdwdate is broken still on boot. The sdwdate-gui is looping. When you go to status in the gui it displays - Time fetching in progress. When you try to stop or restart sdwdate-gui, it does not work and when you open the log, a terminal shows up but is blank.

sudo apt dist-upgrade && sudo apt update && sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hit:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
Hit:2 tor+https://deb.debian.org/debian buster-updates InRelease
Hit:3 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease
Hit:4 tor+http://vwakviie2ienjx6t.onion/debian buster-updates InRelease
Hit:5 tor+https://deb.debian.org/debian buster InRelease
Hit:6 tor+https://deb.Whonix.org buster InRelease
Hit:7 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease
Reading package lists... Done
E: Release file for tor+https://deb.debian.org/debian/dists/buster-updates/InRelease is not valid yet (invalid for another 4h 26min 21s). Updates for this repository will not be applied.
E: Release file for tor+http://vwakviie2ienjx6t.onion/debian/dists/buster-updates/InRelease is not valid yet (invalid for another 4h 26min 20s). Updates for this repository will not be applied.

However, when I run sudo sdwdate

2020-12-20 03:38:08 - sdwdate - INFO - sdwdate started. PID: 2955
2020-12-20 03:38:08 - sdwdate - INFO - create temp_dir: /tmp/tmp.ZnnDVEdjIk
2020-12-20 03:38:08 - sdwdate - INFO - Tor socks host: 127.0.0.1 Tor socks port: 9050
2020-12-20 03:38:08 - sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
2020-12-20 03:38:09 - sdwdate - INFO - Prerequisite check: The clock is sane.
Within build timestamp Sat 12 Dec 2020 05:44:06 AM UTC and expiration timestamp Tue 17 May 2033 10:00:00 AM UTC.
2020-12-20 03:38:09 - sdwdate - INFO - Prerequisite check: The clock might be too slow. Clock is slower than consensus/valid-after 2020-12-20 10:00:00.

Possible causes:

  • The host clock is wrong → shut down the VM, fix the clock in the host and restart the VM.

  • The VM clock is wrong → manually fix the clock. Restart Tor if necessary. Then restart sdwdate.

  • A host clock attack succeeded.

  • A hardware issue (for example bios clock issues).

Tor fully bootstrapped.
2020-12-20 03:38:09 - sdwdate - INFO - Start fetching remote times.
2020-12-20 03:38:09 - sdwdate - INFO - Initial time fetching in progress...
2020-12-20 03:38:09 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 1
2020-12-20 03:38:09 - sdwdate - INFO - Requested urls ['mprt35sjunnxfa76.onion', 'o2jdk5mdsijm2b7l.onion', 'privacyintyqcroe.onion']
2020-12-20 03:38:59 - sdwdate - INFO - Returned urls "['mprt35sjunnxfa76.onion', 'o2jdk5mdsijm2b7l.onion', 'privacyintyqcroe.onion']"
2020-12-20 03:38:59 - sdwdate - INFO - remote 0: mprt35sjunnxfa76.onion
2020-12-20 03:38:59 - sdwdate - INFO - * comment: https://informant.taz.de https://web.archive.org/web/20170329061908/https://informant.taz.de
2020-12-20 03:38:59 - sdwdate - INFO - * remote_unixtime: 1608460283
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-after: 2020-12-20 10:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * remote_time : 2020-12-20 10:31:23
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-until: 2020-12-20 13:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * time_diff: 24744 second(s)
2020-12-20 03:38:59 - sdwdate - INFO - * timesanitycheck: sane
2020-12-20 03:38:59 - sdwdate - INFO - * time_consensus_sanity_check: sane
2020-12-20 03:38:59 - sdwdate - INFO - * remote_status: True
2020-12-20 03:38:59 - sdwdate - INFO - remote 1: o2jdk5mdsijm2b7l.onion
2020-12-20 03:38:59 - sdwdate - INFO - * comment: https://search.gibberfish.orghttps://gibberfish.org/community-resources/ Community Resources - Gibberfish, Inc
2020-12-20 03:38:59 - sdwdate - INFO - * status: False
2020-12-20 03:38:59 - sdwdate - INFO - * value: Timeout
2020-12-20 03:38:59 - sdwdate - INFO - remote 2: privacyintyqcroe.onion
2020-12-20 03:38:59 - sdwdate - INFO - * comment: https://www.privacyinternational.org https://twitter.com/privacyint/status/762656779272593408 https://web.archive.org/web/20170421233214/https:/twitter.com/privacyint/status/762656779272593408
2020-12-20 03:38:59 - sdwdate - INFO - * remote_unixtime: 1608460282
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-after: 2020-12-20 10:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * remote_time : 2020-12-20 10:31:22
2020-12-20 03:38:59 - sdwdate - INFO - * consensus/valid-until: 2020-12-20 13:00:00
2020-12-20 03:38:59 - sdwdate - INFO - * time_diff: 24743 second(s)
2020-12-20 03:38:59 - sdwdate - INFO - * timesanitycheck: sane
2020-12-20 03:38:59 - sdwdate - INFO - * time_consensus_sanity_check: sane
2020-12-20 03:38:59 - sdwdate - INFO - * remote_status: True
2020-12-20 03:38:59 - sdwdate - INFO - Pool 1: mprt35sjunnxfa76.onion, web unixtime: 1608460283, web time: Sun Dec 20 10:31:23 UTC 2020, diff: 24744 seconds
2020-12-20 03:38:59 - sdwdate - INFO - Pool 3: privacyintyqcroe.onion, web unixtime: 1608460282, web time: Sun Dec 20 10:31:22 UTC 2020, diff: 24743 seconds
2020-12-20 03:38:59 - sdwdate - INFO - Running sdwdate fetch loop. iteration: 2
2020-12-20 03:38:59 - sdwdate - INFO - Requested urls ['nxhhwbbxc4khvvlw.onion']
2020-12-20 03:39:03 - sdwdate - INFO - Returned urls "['nxhhwbbxc4khvvlw.onion']"
2020-12-20 03:39:03 - sdwdate - INFO - remote 0: nxhhwbbxc4khvvlw.onion
2020-12-20 03:39:03 - sdwdate - INFO - * comment: https://searx.gotrust.de https://web.archive.org/web/20170519171857/https://github.com/asciimoo/searx/wiki/Searx-instances
2020-12-20 03:39:03 - sdwdate - INFO - * remote_unixtime: 1608460920
2020-12-20 03:39:03 - sdwdate - INFO - * consensus/valid-after: 2020-12-20 10:00:00
2020-12-20 03:39:03 - sdwdate - INFO - * remote_time : 2020-12-20 10:42:00
2020-12-20 03:39:03 - sdwdate - INFO - * consensus/valid-until: 2020-12-20 13:00:00
2020-12-20 03:39:03 - sdwdate - INFO - * time_diff: 25377 second(s)
2020-12-20 03:39:03 - sdwdate - INFO - * timesanitycheck: sane
2020-12-20 03:39:03 - sdwdate - INFO - * time_consensus_sanity_check: sane
2020-12-20 03:39:03 - sdwdate - INFO - * remote_status: True
2020-12-20 03:39:03 - sdwdate - INFO - Pool 2: nxhhwbbxc4khvvlw.onion, web unixtime: 1608460920, web time: Sun Dec 20 10:42:00 UTC 2020, diff: 25377 seconds
2020-12-20 03:39:03 - sdwdate - INFO - End fetching remote times.
2020-12-20 03:39:03 - sdwdate - INFO - Pool differences, sorted: [24743, 24744, 25377]
2020-12-20 03:39:03 - sdwdate - INFO - Median time difference: +24744.000000000
2020-12-20 03:39:03 - sdwdate - INFO - randomize : +0.052989251
2020-12-20 03:39:03 - sdwdate - INFO - New time difference : +24744.052989251
2020-12-20 03:39:03 - sdwdate - INFO - Old unixttime: 1608435543.369919062
2020-12-20 03:39:03 - sdwdate - INFO - New unixtime : 1608460287.422908306
2020-12-20 03:39:03 - sdwdate - INFO - Instantly setting the time by using command: /bin/date --set "@1608460287.422908306"
2020-12-20 10:31:27 - sdwdate - INFO - /bin/date output: Sun 20 Dec 2020 10:31:27 AM UTC

2020-12-20 10:31:27 - sdwdate - INFO - Success. Sleeping for 66.08333333333333 minutes.
2020-12-20 10:31:27 - sdwdate - INFO - Running command: sleep 3965.178781784
^Z
[1]+ Stopped sudo sdwdate

The icon for the sdwdate-gui does display the working icon but then loops between the X and inactive icon and keeps looping.

TOR Browser works and I’m able to update:

sudo apt dist-upgrade && sudo apt update && sudo apt upgrade
[sudo] password for user:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Hit:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
Hit:2 tor+https://deb.debian.org/debian buster-updates InRelease
Hit:3 tor+http://vwakviie2ienjx6t.onion/debian buster-updates InRelease
Hit:4 tor+https://deb.debian.org/debian buster InRelease
Hit:5 tor+https://deb.Whonix.org buster InRelease
Hit:6 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease
Hit:7 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

But for some reason, I cannot acquire the merged packages such as apparmor-info and hardened-kernel.

I run sudo apt reinstall helper-scripts and sudo apparmor-info
sudo: apparmor-info: command not found

I switched to the older kernel for these tests (uname -r: 4.19.0-13-amd64) so that it wouldn’t be a hardened kernel issue.

I also tested sudo sdwdate-gui
[sudo] password for user:
access control disabled, clients can connect from any host
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-sdwdate-gui'
tor_status_changed unexpected error: <class 'NameError'>
^Z
[2]+ Stopped sudo sdwdate-gui

And lastly, I ran this just now:

sudo journalctl _TRANSPORT=audit --output cat "${@}" | grep "DENIED" | sed -e 's/pid=.* comm/comm/g' | sed -e 's/ fsuid.*//g' | awk '!x[$0]++'
AVC apparmor="DENIED" operation="exec" profile="dbus-daemon" name="/usr/lib/at-spi2-core/at-spi2-registryd" comm="dbus-daemon" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="exec" profile="apt.systemd.daily" name="/usr/bin/dirname" comm="savelog" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="exec" profile="apt.systemd.daily" name="/usr/bin/rm" comm="savelog" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="exec" profile="apt.systemd.daily" name="/usr/bin/mv" comm="savelog" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="exec" profile="apt.systemd.daily" name="/usr/bin/gzip" comm="savelog" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="exec" profile="apt.systemd.daily" name="/usr/bin/apt-get" comm="apt.systemd.dai" requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/5064/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"

System Monitor does briefly show the 2 tabs that were not showing up, but then access to them is disabled. I ran it just now and did another journalctl:

sudo journalctl _TRANSPORT=audit --output cat "${@}" | grep "DENIED" | sed -e 's/pid=.* comm/comm/g' | sed -e 's/ fsuid.*//g' | awk '!x[$0]++'
AVC apparmor=“DENIED” operation=“exec” profile=“dbus-daemon” name=“/usr/lib/at-spi2-core/at-spi2-registryd” comm=“dbus-daemon” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/dirname” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/rm” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/mv” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/gzip” comm=“savelog” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“exec” profile=“apt.systemd.daily” name=“/usr/bin/apt-get” comm=“apt.systemd.dai” requested_mask=“x” denied_mask=“x”
AVC apparmor=“DENIED” operation=“open” profile="/**/
-browser/Browser/firefox" name=“/proc/5064/cgroup” comm=“firefox.real” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“open” profile=“dbus-daemon” name=“/proc/cmdline” comm=“dconf-service” requested_mask=“r” denied_mask=“r”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.N4ZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.VVZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.77ZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.U9ZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.R9XIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7LYIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.U2YIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.MJZIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.JBEDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.WVEDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S7SHV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.SPTHV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.BDNFV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.0OKFV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.HIOOV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.G0OOV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.I14EV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.6T4EV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.G1PPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.NCQPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.GT5GV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7A6GV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.B5KXV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.QUKXV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.090UV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.TR1UV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S7JQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.UOKQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.1ADKV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.0RDKV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.5UIIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.1CJIV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.6EVDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.3WVDV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.VAEWV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.FXEWV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.DKQRV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S9PRV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.BUPPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.5BQPV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.FF8JV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.Z47JV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.84OEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.YMPEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.HLCYV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.1Y9XV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7ETSV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.5QQSV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.9DWQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.0VWQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.H8VLV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.UQWLV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.W4VJV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.7TVJV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.S1VEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.ZQVEV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.OH4WV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.KA4WV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.AA1MV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.KT1MV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.UF2QV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.VSZQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.R1ZQV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”
AVC apparmor=“DENIED” operation=“mknod” profile=“dbus-daemon” name=“/home/user/.config/dconf/user.OI0QV0” comm=“dconf-service” requested_mask=“c” denied_mask=“c”

I also noticed this in the boot log:

Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found
Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found
Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found
Warning from stdin (line 1): config file ‘/etc/apparmor/parser.conf’ not found

Failed to start Load AppArmor profiles.
See ‘systemctl status apparmor.service’ for details.

When checking out systemctl status apparmor.service within the OS, the result is:

● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/apparmor.service.d
└─30_live_mode.conf
Active: failed (Result: exit-code) since Sun 2020-12-20 05:57:21 UTC; 7h ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home
Process: 783 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 783 (code=exited, status=1/FAILURE)

Dec 20 05:57:20 os systemd[1]: Starting Load AppArmor profiles…
Dec 20 05:57:20 os apparmor.systemd[783]: Restarting AppArmor
Dec 20 05:57:20 os apparmor.systemd[783]: Reloading AppArmor profiles
Dec 20 05:57:20 os apparmor.systemd[783]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/abstractions/init-systemd at line 252: Found unexpected character: ‘2’
Dec 20 05:57:20 os apparmor.systemd[783]: AppArmor parser error for /etc/apparmor.d/init-systemd in /etc/apparmor.d/abstractions/init-systemd at line 252: Found unexpected character: ‘2’
Dec 20 05:57:21 os apparmor.systemd[783]: Error: At least one profile failed to load
Dec 20 05:57:21 os systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 05:57:21 os systemd[1]: apparmor.service: Failed with result ‘exit-code’.
Dec 20 05:57:21 os systemd[1]: Failed to start Load AppArmor profiles.

Thanks,
sudobash

1 Like
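The journalctl | awk '!x[$0]++' pipeline in the post only drops exact duplicate lines, which is why the dconf temp files come through as dozens of separate mknod entries. Below is an added triage script (my own example, not code from the post or from the apparmor-profile-everything project) that parses AVC lines of the same shape over constructed sample input, collapses per-run variation (PIDs under /proc, the home directory, mkstemp-style suffixes) so such denials group into one entry, and drafts a rule line per group for the profile author to review; the field names come from the AVC lines above, while the grouping rules, helper names and rule drafts are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the journalctl output above (written for this example).
SAMPLE = """\
AVC apparmor="DENIED" operation="mknod" profile="dbus-daemon" name="/home/user/.config/dconf/user.N4ZIV0" comm="dconf-service" requested_mask="c" denied_mask="c"
AVC apparmor="DENIED" operation="mknod" profile="dbus-daemon" name="/home/user/.config/dconf/user.VVZIV0" comm="dconf-service" requested_mask="c" denied_mask="c"
AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/proc/cmdline" comm="dconf-service" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="firefox" name="/proc/5064/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/var/lib/apt/daily_lock" pid=14337 comm="apt.systemd.dai" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
TMP_RE = re.compile(r'\.[A-Z0-9]{6}$')                # mkstemp-style suffix (user.N4ZIV0)
PID_RE = re.compile(r'^/proc/\d+/')                   # per-process /proc entries
HOME_RE = re.compile(r'^/home/[^/]+/')

def parse_avc(line):
    """Split one AVC line into a field dict; None for lines that are not denials."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def generalize(name):
    """Rewrite per-run variation so near-duplicate denials group together."""
    name = PID_RE.sub('/proc/[0-9]*/', name)
    name = HOME_RE.sub('@{HOME}/', name)
    return TMP_RE.sub('.??????', name)

def summarize(text):
    """Count denials per (profile, operation, generalized name, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_avc(line)
        if f:
            counts[(f['profile'], f['operation'], generalize(f['name']), f['denied_mask'])] += 1
    return counts

def draft_rule(operation, name, mask):
    """Draft a file rule for the profile author to review. A 'c' (create) mask is
    covered by 'w' in rule syntax; paths under the home directory get 'owner'."""
    if operation == 'exec':
        return f'{name} ix,'   # choose ix/Px/Cx deliberately when reviewing
    perms = ''.join(sorted(set(mask.replace('c', 'w'))))
    owner = 'owner ' if name.startswith('@{HOME}') else ''
    return f'{owner}{name} {perms},'

if __name__ == '__main__':
    for (prof, op, name, mask), n in sorted(summarize(SAMPLE).items()):
        print(f'{n:3d}x {prof:<16} {draft_rule(op, name, mask)}')
```

Feed it the output of the journalctl command from the post instead of SAMPLE to get one line per distinct denial with a count, and treat the drafted rules as a starting point only: an exec denial that carries info="no new privs" (as in the kloak line earlier in the thread) needs the profile transition fixed rather than a file rule.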