-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: apparmor denies /var/lib/dpkg/arch #3137
Comments
Ok, had an excellent troubleshoting session with @renanrodrigo and we found the origin of the problem. Basically, just the presence of We don't know yet the consequence of this DENIED error. It looks like it's triggered by I diffed the output of
It's the same attached or unattached. |
Further troubleshooting shows that also the apt_methods_gpgv child profile is affected in this situation:
I'll go over the profiles and make sure |
This is needed in systems that have a /var/lib/dpkg/arch file, which can be triggered by `dpkg --add-architecture i386` on amd64, for example. It's best to allow reading of all files therein. LP: #2067810 Fixes: #3137
This is needed in systems that have a /var/lib/dpkg/arch file, which can be triggered by `dpkg --add-architecture i386` on amd64, for example. It's best to allow reading of all files therein. LP: #2067810 Fixes: #3137
Confirm that I have this problem on 2 machines running bionic which have empty /var/lib/dpkg/arch |
@dominicraf ok that is interesting |
That statement is a bit ambiguous. Do you have a |
Aah yes good catch - the presence of the file itself is enough, content won't matter |
Sorry, correction, and apologies for any confusion, my comment was rather careless. I am running jammy (22.04), not bionic, and the file
The following returns nothing (so it seems I actually have no i386 packages): And in answer to the q above:
|
Until the next release, the fix is offered at https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067810 Just install ubuntu-pro-client (32.3.1~24.04) from Proposed. |
Description of the bug
Seen in the logs from https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067728:
Unsure if that's the cause of the LP bug, though, as the ua logs also show errors contacting the contract server (timeouts).
The journal logs at those times are fine:
Incidentally, looks like apport is trying to report the version of the ubuntu-advantage-tools package, but it should also check ubuntu-pro-client.
Expected behavior
No apparmor denied errors.
Current behavior
For some unknown operation, the pro client on that system is triggering dpkg apparmor denied errors. We haven't seen those in our testing.
in uaclient/system.py, we have get_dpkg_arch() which calls
dpkg --print-architecture
, and that works just fine with the current apparmor profile:And strace confirms that that command does not touch /var/lib/dpkg:
To Reproduce
Unknown at the moment.
System information:
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: