Comment 0 for bug 1910611

richard (meusburger) wrote :

sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.

apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. We would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.

The following notifications are a sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?

Sample apparmor-notify output here:

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/audit/audit.log
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: chmod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: w
Logfile: /var/log/audit/audit.log
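An added example for this thread (my own code, not part of sssd, apparmor-utils or the Ubuntu profile): the `//null-` component in the profile names above is how AppArmor labels a child process that was executed by a confined parent with no exec rule matching the child, so the child runs under a generated "null" profile instead of inheriting `/usr/sbin/sssd`'s permissions. The script below parses apparmor-notify style entries (the SAMPLE text is constructed to mirror the entries in this report), turns each `//null-` child into an `ix` exec rule for the parent profile, and collects the file accesses each child was denied into candidate file rules, widening the pid in `/proc/NNN/` and the random `.krb5info_dummy_*` suffix (the suffix being random is an assumption) so one rule covers them.

```python
"""Candidate AppArmor rules from apparmor-notify style entries.

Added example for bug 1910611; not part of sssd, apparmor-utils or the
Ubuntu profile. SAMPLE is constructed to mirror the entries in the report.
"""
import re
from collections import defaultdict

SAMPLE = """\
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log
"""

KNOWN_FIELDS = {"Profile", "Operation", "Name", "Denied", "Logfile"}
# Canonical order for file permission letters in a profile rule; the audit
# log's 'c' (create) is written as 'w' in a rule.
PERM_ORDER = "rwalkm"
PERM_MAP = {"c": "w"}


def parse_entries(text):
    """Split blank-line separated 'Key: value' entries into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in KNOWN_FIELDS:
                fields[key.strip()] = value.strip()
        if all(k in fields for k in ("Profile", "Name", "Denied")):
            entries.append(fields)
    return entries


def split_null_profile(profile):
    """'parent//null-child' -> (parent, child); plain profile -> (profile, None)."""
    parent, sep, child = profile.partition("//null-")
    return (parent, child) if sep else (profile, None)


def generalize_path(path):
    """Widen per-process and per-run specifics so one rule covers them.
    Assumption: the krb5info_dummy_ suffix is a random temp-file name."""
    path = re.sub(r"^/proc/\d+/", "/proc/*/", path)
    path = re.sub(r"(\.krb5info_dummy_)[A-Za-z0-9]+$", r"\1*", path)
    return path


def normalize_perms(denied):
    """Map log letters to rule letters and put them in canonical order."""
    letters = {PERM_MAP.get(ch, ch) for ch in denied}
    return "".join(ch for ch in PERM_ORDER if ch in letters)


def suggest_rules(entries):
    """Return (exec_rules, file_rules): exec rules the parent profile is
    missing, and the file rules each child (or the parent) was denied."""
    exec_rules = set()
    denied_by_path = defaultdict(lambda: defaultdict(set))
    for e in entries:
        parent, child = split_null_profile(e["Profile"])
        if child:
            # A //null- profile means the parent had no exec rule for the
            # child, so the child ran with no permissions at all.
            exec_rules.add(f"{child} ix,")
        scope = child or parent
        denied_by_path[scope][generalize_path(e["Name"])].update(e["Denied"])
    file_rules = {
        scope: sorted(f"{path} {normalize_perms(''.join(letters))},"
                      for path, letters in paths.items())
        for scope, paths in denied_by_path.items()
    }
    return sorted(exec_rules), file_rules


if __name__ == "__main__":
    execs, files = suggest_rules(parse_entries(SAMPLE))
    print("# exec rules missing from /usr/sbin/sssd")
    for rule in execs:
        print(" ", rule)
    for scope, rules in files.items():
        print(f"# file rules needed by {scope}")
        for rule in rules:
            print(" ", rule)
```

On a real box the interactive tool for this job is `aa-logprof`, which reads the audit log and proposes the same kind of rules; the script just makes the grouping visible. `ix` keeps the child under the parent's profile, which is what you want when the child binaries have no profiles of their own. Treat the generalized paths as suggestions to review, put them in the local override for the profile (assuming the shipped profile includes `local/usr.sbin.sssd`) rather than editing the packaged file, and reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.sssd`.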