apparmor-profile-everything
Reboot failure on Debian 10 due to systemd confinement
When applying the package from the Whonix repo onto a fresh installation of Debian 10 (on both an AWS EC2 and a local VMWare Workstation VM), I lose the ability to reboot.
I originally found this when using the 5.10 kernel from buster-backports; I also tested on the stock 4.19 kernel and it is reproducible there too.
If I issue the reboot command, the OS gets stuck on a blinking cursor and does not reboot. When setting systemd to complain using aa-complain systemd, this issue goes away.
Unable to see any logging in auditd relating to this.
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/463
I cannot reproduce this.
I've just gotten these errors:
AVC apparmor="DENIED" operation="signal" profile="spice-vdagentd" comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="spice-vdagentd" comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="spice-vdagent" comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="spice-vdagent" comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="dbus-daemon" comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="dbus-daemon" comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="/usr/sbin/haveged" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=stop peer="systemd-shutdown"
AVC apparmor="DENIED" operation="signal" profile="dbus-daemon" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=stop peer="systemd-shutdown"
AVC apparmor="DENIED" operation="signal" profile="spice-vdagentd" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=stop peer="systemd-shutdown"
AVC apparmor="DENIED" operation="signal" profile="/usr/sbin/haveged" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=term peer="systemd-shutdown"
AVC apparmor="DENIED" operation="signal" profile="dbus-daemon" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=term peer="systemd-shutdown"
AVC apparmor="DENIED" operation="signal" profile="spice-vdagentd" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=term peer="systemd-shutdown"
Could you try adding this to the rest of your other AppArmor profiles and see if it fixes it?
signal receive set=(kill, cont, stop, term) peer=systemd-shutdown,
Also edit /etc/apparmor.d/systemd-shutdown and change:
signal send set=(cont, stop, term),
to:
signal send set=(kill, cont, stop, term),
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/484
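As an added example (not code from the apparmor-profile-everything project or from either poster), a small Python helper that turns AVC signal-receive denials like the ones quoted above into the per-profile signal receive rules the reply recommends, grouped by the peer named in each denial. The sample log is constructed from a subset of the quoted lines plus one non-signal denial to show it is filtered out; the grouping by peer generalises the single rule suggested above.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines of the kind quoted in the reply, plus one
# unrelated file denial that the signal filter must ignore.
SAMPLE_DENIALS = """\
AVC apparmor="DENIED" operation="signal" profile="spice-vdagentd" comm="systemd" requested_mask="receive" denied_mask="receive" signal=term peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="spice-vdagentd" comm="systemd" requested_mask="receive" denied_mask="receive" signal=kill peer="init-systemd"
AVC apparmor="DENIED" operation="signal" profile="/usr/sbin/haveged" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=stop peer="systemd-shutdown"
AVC apparmor="DENIED" operation="signal" profile="/usr/sbin/haveged" comm="systemd-shutdow" requested_mask="receive" denied_mask="receive" signal=term peer="systemd-shutdown"
AVC apparmor="DENIED" operation="open" profile="dbus-daemon" name="/etc/constructed" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bare_value, as AppArmor audit lines print them
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of one AVC line, or None if it is not a denial."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def collect_signal_denials(text):
    """Map (profile, peer) -> sorted list of signals denied on receive."""
    needed = defaultdict(set)
    for line in text.splitlines():
        f = parse_avc(line)
        if not f or f.get("operation") != "signal" or f.get("denied_mask") != "receive":
            continue
        needed[(f["profile"], f["peer"])].add(f["signal"])
    return {k: sorted(v) for k, v in needed.items()}


def signal_rules(text):
    """Render one 'signal receive' rule per (profile, peer) for pasting into that profile."""
    rules = {}
    for (profile, peer), sigs in collect_signal_denials(text).items():
        rules.setdefault(profile, []).append(
            f"signal receive set=({', '.join(sigs)}) peer={peer},")
    return rules


if __name__ == "__main__":
    for profile, lines in signal_rules(SAMPLE_DENIALS).items():
        print(f"# add to profile {profile}:")
        for rule in lines:
            print("  " + rule)
```

Feed it the relevant lines from journalctl or the auditd log on the affected machine; the generated rules only cover signals actually seen, so re-run after another reboot attempt until no new denials appear.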