sssd startup fails when apparmor in enforcing mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | | Undecided | Unassigned |
sssd (Ubuntu) | Status tracked in Hirsute | | |
Focal | | Undecided | Sergio Durigan Junior |
Groovy | | Undecided | Sergio Durigan Junior |
Hirsute | | Undecided | Sergio Durigan Junior |
Bug Description
[ Impact ]
sssd users on Focal, Groovy and Hirsute can experience problems when setting sssd's apparmor profile to "Enforce" mode. In this scenario, apparmor will prevent sssd from being able to execute programs under the /usr/libexec/sssd/* path, which will cause the sssd service to fail to start.
Aside from the execute denial described above, the sssd apparmor profile also needs to be updated to grant sssd read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/* directories.
[ Test Case ]
Using an LXD VM, one can:
$ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm
$ lxc shell sssd-bug1910611-focal
# apt update && apt install apparmor-utils sssd -y
...
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
config_file_version = 2
domains = example.com
[domain/
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://
cache_credentials = True
ldap_search_base = dc=example,dc=com
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
...
[ 2011.510479] audit: type=1400 audit(161100789
[ 2011.511822] audit: type=1400 audit(161100789
The instructions above can be replicated to test things on Groovy and Hirsute.
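The test case above ends with `dmesg | grep DENIED`. As an added example (not part of this bug report or of the sssd package), the POSIX shell script below parses such kernel audit lines into profile/operation/path/mask records and derives candidate AppArmor rules for an administrator to review. The audit lines are constructed to resemble this report's denials (the sssd_be, conf.d and /var/lib/sss paths are sample values), and the mask-to-permission mapping (an exec denial becomes `rix`, a create denial becomes `w`) is this example's own assumption, not the package's actual profile change.

```shell
# Constructed sample of kernel audit lines in the format `dmesg | grep DENIED` prints.
# Paths, pids and timestamps are made up to resemble the denials in this report.
SAMPLE_AUDIT='[ 2011.510479] audit: type=1400 audit(1611007890.123:45): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=1234 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2011.511822] audit: type=1400 audit(1611007890.124:46): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/10-ldap.conf" pid=1234 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.512001] audit: type=1400 audit(1611007890.125:47): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/var/lib/sss/db/cache_example.com.ldb" pid=1234 comm="sssd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0'

# Print one "profile operation name requested_mask" record per DENIED line read on stdin.
parse_denials() {
  awk '
    /apparmor="DENIED"/ {
      p = o = n = m = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")        # key="value" fields; fields without "=" give an empty value
        v = kv[2]
        gsub(/"/, "", v)
        if (kv[1] == "profile") p = v
        else if (kv[1] == "operation") o = v
        else if (kv[1] == "name") n = v
        else if (kv[1] == "requested_mask") m = v
      }
      if (n != "") print p, o, n, m
    }'
}

# Turn parsed denials into candidate AppArmor rules (one per distinct path/permission).
# Mapping assumed by this example: "r" stays read, "w"/"c" become write, and an exec
# denial becomes "rix" (read plus inherit-execute, keeping the child under the same profile).
suggest_rules() {
  parse_denials | awk '
    {
      perm = ""
      if ($4 ~ /[rx]/) perm = "r"
      if ($4 ~ /[wc]/) perm = perm "w"
      if ($2 == "exec" || $4 ~ /x/) perm = perm "ix"
      rule = "  " $3 " " perm ","
      if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Stand-alone usage: run the constructed sample through both stages.
printf '%s\n' "$SAMPLE_AUDIT" | parse_denials
printf '%s\n' "$SAMPLE_AUDIT" | suggest_rules
```

The output is a starting point for review, not a drop-in fix: a rule for a single file under /var/lib/sss should be widened only to the directory tree sssd actually owns, and the profile is then reloaded with `apparmor_parser --replace` before restarting the service.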
[ Regression Potential ]
Very little regression potential, since we are expanding the apparmor permissions of sssd, and not reducing them.
* If the user already has apparmor enabled for sssd, she will most likely have addressed these issues by herself, which means that this change will just be a duplicate of what is already on the system.
* If the user does not have apparmor enabled, then nothing will change.
[ Original Description ]
sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.
apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.
The following notifications are a sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?
Sample apparmor-notif output here:
Profile: /usr/sbin/
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
Profile: /usr/sbin/
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')
Profile: /usr/sbin/
Operation: mknod
Name: /var/lib/
Denied: c
Logfile: /var/log/
Profile: /usr/sbin/
Operation: open
Name: /var/lib/
Denied: wrc
Logfile: /var/log/
Profile: /usr/sbin/
Operation: chmod
Name: /var/lib/
Denied: w
Logfile: /var/log/
Related branches
- Christian Ehrhardt: Approve on 2021-01-20
- Canonical Server Core Reviewers: Pending, requested 2021-01-20
- Canonical Server Team: Pending, requested 2021-01-20
- Diff: 36 lines (+13/-0), 2 files modified: debian/apparmor-profile (+5/-0), debian/changelog (+8/-0)
- Christian Ehrhardt: Approve on 2021-01-19
- Canonical Server Team: Pending, requested 2021-01-18
- Diff: 36 lines (+13/-0), 2 files modified: debian/apparmor-profile (+5/-0), debian/changelog (+8/-0)
- Christian Ehrhardt: Needs Fixing on 2021-01-20
- Canonical Server Team: Pending, requested 2021-01-18
- Diff: 36 lines (+13/-0), 2 files modified: debian/apparmor-profile (+5/-0), debian/changelog (+8/-0)
richard (meusburger) wrote (#1):
Seth Arnold (seth-arnold) wrote (#2):
Hello Richard, it looks like the profile may not have kept up with changes in the packaging.
The profile has probably been broken ever since:
sssd (2.2.0-1) unstable; urgency=medium
* New upstream release.
* control: Bump policy to 4.4.0.
* control, compat, rules: Bump debhelper to 12.
* *.install: Updated, some files moved to /usr/libexec.
-- Timo Aaltonen <email address hidden> Wed, 10 Jul 2019 10:14:09 +0300
Please try adding this line:
/usr/
to the file:
/etc/apparmor.
Then, try:
sudo apparmor_parser --replace /etc/apparmor.
sudo systemctl restart sssd
Please report back how well this works.
Thanks
richard (meusburger) wrote (#3):
Applying the fix above to /etc/apparmor.
The 'apparmor_status' output now shows the /usr/libexec/sssd binaries as well:
apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
/snap/
/snap/
/usr/bin/man
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/sssd
/usr/
/{,usr/
ippusbxd
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_
snap-
snap.
snap.
snap.lxd.buginfo
snap.
snap.lxd.daemon
snap.
snap.
snap.
snap.lxd.lxc
snap.
snap.lxd.lxd
snap.lxd.migrate
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
/usr/
/usr/
/usr/
/usr/sbin/sssd (929)
/usr/
/usr/
/usr/
/usr/
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Thanks for the help!
Seth Arnold (seth-arnold) wrote (#4):
Great, thanks Richard!
tags: added: server-next
Changed in sssd (Ubuntu): assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Focal): assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Groovy): assignee: nobody → Sergio Durigan Junior (sergiodj)
description: updated
Launchpad Janitor (janitor) wrote (#5):
This bug was fixed in the package sssd - 2.4.0-1ubuntu3
---------------
sssd (2.4.0-1ubuntu3) hirsute; urgency=medium
* d/apparmor-profile: Update profile. (LP: #1910611)
- Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
- Add read/execute permission to /usr/libexec/
-- Sergio Durigan Junior <email address hidden> Mon, 18 Jan 2021 16:57:21 -0500
Changed in sssd (Ubuntu Hirsute): status: New → Fix Released
Hello richard, or anyone else affected,
Accepted sssd into groovy-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in sssd (Ubuntu Groovy): status: New → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in sssd (Ubuntu Focal): status: New → Fix Committed
tags: added: verification-needed-focal
Robie Basak (racb) wrote (#7):
Hello richard, or anyone else affected,
Accepted sssd into focal-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Sergio Durigan Junior (sergiodj) wrote (#8):
Performing the verification on Focal:
First, confirming that the current sssd manifests the bug:
# apt policy sssd
sssd:
Installed: 2.2.3-3ubuntu0.2
Candidate: 2.2.3-3ubuntu0.2
Version table:
*** 2.2.3-3ubuntu0.2 500
500 http://
100 /var/lib/
2.
500 http://
2.2.3-3 500
500 http://
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
[ 41.098915] audit: type=1400 audit(161158320
[ 41.099185] audit: type=1400 audit(161158320
...
Now, confirming that the sssd on -proposed fixes the problem:
# apt policy sssd
sssd:
Installed: 2.2.3-3ubuntu0.3
Candidate: 2.2.3-3ubuntu0.3
Version table:
*** 2.2.3-3ubuntu0.3 500
500 http://
100 /var/lib/
2.
500 http://
2.
500 http://
2.2.3-3 500
500 http://
# systemctl restart sssd
# echo $?
0
This verifies that the Focal sssd package in -proposed fixes the bug.
tags: added: verification-done-focal; removed: verification-needed-focal
Sergio Durigan Junior (sergiodj) wrote (#9):
Performing the verification on Groovy:
First, confirming that the current sssd manifests the bug:
# apt policy sssd
sssd:
Installed: 2.3.1-3ubuntu2
Candidate: 2.3.1-3ubuntu2
Version table:
*** 2.3.1-3ubuntu2 500
500 http://
100 /var/lib/
2.3.1-3 500
500 http://
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
[ 49.513861] audit: type=1400 audit(161158363
[ 49.514342] audit: type=1400 audit(161158363
...
Now, confirming that the sssd on -proposed fixes the problem:
# apt policy sssd
sssd:
Installed: 2.3.1-3ubuntu3
Candidate: 2.3.1-3ubuntu3
Version table:
*** 2.3.1-3ubuntu3 500
500 http://
100 /var/lib/
2.3.1-3ubuntu2 500
500 http://
2.3.1-3 500
500 http://
# systemctl restart sssd
# echo $?
0
This verifies that the Groovy sssd package in -proposed fixes the bug.
tags: added: verification-done-groovy; removed: verification-needed verification-needed-groovy
Launchpad Janitor (janitor) wrote (#10):
This bug was fixed in the package sssd - 2.3.1-3ubuntu3
---------------
sssd (2.3.1-3ubuntu3) groovy; urgency=medium
* d/apparmor-profile: Update profile. (LP: #1910611)
- Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
- Add read/execute permission to /usr/libexec/
-- Sergio Durigan Junior <email address hidden> Mon, 18 Jan 2021 16:56:21 -0500
Changed in sssd (Ubuntu Groovy): status: Fix Committed → Fix Released
The verification of the Stable Release Update for sssd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote (#12):
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.3
---------------
sssd (2.2.3-3ubuntu0.3) focal; urgency=medium
* d/apparmor-profile: Update profile. (LP: #1910611)
- Extend read permissions to /etc/sssd/** and /etc/gss/**.
- Add read/execute permission to /usr/libexec/
-- Sergio Durigan Junior <email address hidden> Mon, 18 Jan 2021 16:30:13 -0500
Changed in sssd (Ubuntu Focal): status: Fix Committed → Fix Released
Reported the issue with the SSSD project on GitHub, and they referred me here: github.com/SSSD/sssd/issues/5446
Reference: https:/