Systemd-resolved apparmor profile problem

I have this AppArmor profile for systemd-resolved →

```
profile /usr/lib/systemd/systemd-resolved {

  # Include common abstractions
  #include <abstractions/base>
  #include <abstractions/dbus>
  #include <abstractions/nameservice>

  # DBUS things: Allow essential D-Bus communication for the manager interface
  dbus (send) interface=org.freedesktop.resolve1.Manager,
  dbus (receive) interface=org.freedesktop.resolve1.Manager,
  dbus (send) interface=org.freedesktop.DBus, # New line
  dbus (receive) interface=org.freedesktop.DBus, # New 3

  # Allow reading essential configuration files
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,

  # Allow access to systemd communication
  /run/systemd/resolve/stub-resolv.conf r,
  /run/systemd/resolve/resolv.conf rw, # Added write permission

  # Allow necessary network capabilities
  network packet,
  @{PROC}/sys/net/ipv4/conf/*/neigh/* rw, # ARP cache

  capability net_bind_service,

  # Allow access to DNS-related files
  /etc/systemd/resolved.conf r,
  /var/run/resolved/ w,
  /var/lib/systemd/resolved/* rw,

  # Allow access to DNS cache files
  /var/cache/systemd/resolved/* rw,

  # Added permissions for watching hostname and accessing netif directory
  /proc/sys/kernel/hostname r, # New line
  /run/systemd/resolve/netif/ r, # New line
  /run/systemd/resolve/netif/* r, # New line

  # Added rule for system bus access
  /var/run/dbus/system_bus_socket rw, # New line

  # Added permissions for reading the kernel command line
  /proc/cmdline r, # New line

  # Added permission for dbus-daemon access
  /usr/bin/dbus-daemon r, # New line

  # Added permission for systemd access
  /lib/systemd/systemd r, # New line
  /lib/systemd/systemd-resolved r, # New line

  # Added permission for the /run/systemd/netif directory
  /run/systemd/netif/ r, # New line
  /run/systemd/netif/* r, # New line

  # NEW
  /var/run/dbus/ r, # New line
  /var/run/dbus/* rw, # New line

  # NEW2
  # Added permissions for sending and receiving signals on D-Bus
  capability ipc_lock, # New line
  capability ipc_owner, # New line

  # NEW4
  capability dac_override, # New line
  capability dac_read_search, # New

  # NEW5
  # New lines to add
  capability chown, # New line
  capability fowner, # New line
  capability setuid, # New line
  capability setgid, # New line
  capability ,

  # NEW6
  /var/run/dbus/system_bus_socket mrw, # New line to explicitly allow access

  # Allow control over systemd processes
  /run/systemd/inhibit/ rw, # New line to allow access to systemd inhibit directory
  /run/systemd/system/ rw, # New line to allow access to systemd system directory
  /run/systemd/system/* rw, # New line to allow access to systemd system files

  # NEW7
  /run/user/1000/bus rw, # New line
  /run/user/1000/dbus-1/ rw, # New line

  # NEW8
  /proc/sys/kernel/osrelease r,

  # Logging
  audit deny /var/log/systemd-resolved.log rw,

}
```

And I am getting this error that I just can’t get rid of.->

```
2025-01-25T23:09:49.590497-05:00 Latitude-3540 systemd-resolved[4447]: Failed to connect to system bus: Permission denied
```

Can anybody help?

Thanks in advance.

If that error is caused by your AppArmor profile denying something, you should see log messages about it in journalctl -b output (or auditd logs if you’re using auditd). These messages usually start with

```
audit[####]: AVC apparmor="DENIED"
```

If you see such log messages, could you please post them here?
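As an added example (not code from this thread, and not part of AppArmor's own tooling), here is a small Python helper for the triage step described above: it pulls `apparmor="DENIED"` records out of journal text, parses their key=value fields, and turns each one into the profile rule that would satisfy it. The log lines embedded in it are constructed to look like the kernel audit and dbus-daemon records AppArmor emits, using the pid and profile path from the post; they are not taken from the poster's machine, and the rule translation is a simplified stand-in for `aa-logprof`, not a replacement for reviewing each rule.

```python
import re

# Constructed sample journal text (not from the original post). The first and
# fourth lines mimic the file-access and D-Bus denial formats AppArmor emits;
# the ALLOWED line and the plain systemd-resolved line must be ignored.
SAMPLE_LOG = """\
Jan 25 23:09:49 Latitude-3540 kernel: audit[4447]: AVC apparmor="DENIED" operation="connect" profile="/usr/lib/systemd/systemd-resolved" name="/run/dbus/system_bus_socket" pid=4447 comm="systemd-resolve" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jan 25 23:09:49 Latitude-3540 systemd-resolved[4447]: Failed to connect to system bus: Permission denied
Jan 25 23:09:49 Latitude-3540 kernel: audit[4447]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/systemd/systemd-resolved" name="/etc/hosts" pid=4447 comm="systemd-resolve" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 25 23:09:50 Latitude-3540 dbus-daemon[612]: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=4447 label="/usr/lib/systemd/systemd-resolved" peer_label="unconfined"
"""

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Canonical letter order for file permission masks in a profile rule.
ORDER = "rwklmx"


def parse_avc(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def file_mask(mask):
    """Map a logged mask to rule letters: 'c' (create) and 'd' (delete) become
    'w', and the letters are emitted in canonical order, so 'wr' -> 'rw'."""
    letters = {("w" if ch in "cd" else ch) for ch in mask}
    return "".join(ch for ch in ORDER if ch in letters)


def suggest_rule(fields):
    """Translate one denial into a candidate profile rule (simplified helper,
    assumed here for illustration; real triage should use aa-logprof)."""
    op = fields.get("operation", "")
    if op.startswith("dbus_"):
        # D-Bus mediation records carry bus/path/interface/member, not a path name
        parts = ["dbus", f"({fields.get('mask', 'send')})"]
        for key in ("bus", "path", "interface", "member"):
            if key in fields:
                parts.append(f"{key}={fields[key]}")
        return " ".join(parts) + ","
    if op == "capable":
        return f"capability {fields.get('capname', 'UNKNOWN')},"
    name = fields.get("name")
    if name:
        mask = fields.get("denied_mask") or fields.get("requested_mask") or "r"
        return f"{name} {file_mask(mask)},"
    return f"# unhandled operation {op}"


def summarize(log_text):
    """Parse journal text; return (list of denial dicts, sorted unique rules)."""
    denials = [f for f in map(parse_avc, log_text.splitlines()) if f]
    rules = sorted({suggest_rule(f) for f in denials})
    return denials, rules


if __name__ == "__main__":
    denials, rules = summarize(SAMPLE_LOG)
    print(f"{len(denials)} denial(s) found; candidate rules:")
    for rule in rules:
        print("   ", rule)
```

Feed it the output of `journalctl -b -k` (or the auditd log) and compare the candidate rules with what the profile already contains; a denial whose suggested rule is already present usually points at a rule form mismatch (for example a file rule where the record is a D-Bus mediation event, which needs a `dbus` rule) rather than a missing path. If the journal really contains no DENIED records at all, the helper returns an empty list, which is itself useful: it says the Permission denied is not coming from the profile.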

No, there are no DENIED in syslog.

FYI, it really helps us if you put three backticks ``` above and below pasted code blocks (pretty much like <code>...</code> is used on other forum software) so the syntax and indentation stays intact, that makes pastes a lot more readable for supporters …
