Comment 3 for bug 1910611

richard (meusburger) wrote :

Applying the fix above to /etc/apparmor.d/local/usr.sbin.sssd and running the parser replace fixed the sssd startup issue. I confirmed by returning sssd to 'enforce' mode (aa-enforce /usr/sbin/sssd).

The 'apparmor_status' output now shows the /usr/libexec/sssd binaries as well:

apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
   /snap/snapd/10707/usr/lib/snapd/snap-confine
   /snap/snapd/10707/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   /usr/sbin/rsyslogd
   /usr/sbin/sssd
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   ippusbxd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
   /usr/sbin/chronyd (994)
   /usr/sbin/chronyd (998)
   /usr/sbin/rsyslogd (925)
   /usr/sbin/sssd (929)
   /usr/libexec/sssd/sssd_be (1279) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (1480) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (1481) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_ssh (1484) /usr/sbin/sssd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Thanks for the help!
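
A check for the state shown in the output above, as an added example that is not part of the original comment: it reads `apparmor_status` text and succeeds only if sssd and every helper under /usr/libexec/sssd/ is listed in enforce mode under the /usr/sbin/sssd profile. The function names are hypothetical, and the line layout `<binary> (<pid>) [<profile>]` is assumed from the output above.

```shell
#!/bin/sh
# Added example, not part of the original comment.
# Reads `apparmor_status` text on stdin and checks that sssd and its helpers
# are in enforce mode under the /usr/sbin/sssd profile.
# Assumed line layout (as in the output above): <binary> (<pid>) [<profile>]

check_sssd_confinement() {
    awk '
        # Section headers decide how the following process lines are classed.
        /^[0-9]+ processes are in enforce mode/ { mode = "enforce"; next }
        /^[0-9]+ processes are /                { mode = "not-enforce"; next }
        /^[0-9]+ (profiles|processes) /         { mode = ""; next }

        # Process lines for sssd and the helpers under /usr/libexec/sssd/.
        mode != "" && ($1 == "/usr/sbin/sssd" || index($1, "/usr/libexec/sssd/") == 1) {
            # Without a third field the profile name equals the binary path.
            profile = (NF >= 3) ? $3 : $1
            pid = $2; gsub(/[()]/, "", pid)
            printf "%s %s pid=%s profile=%s\n", mode, $1, pid, profile
            seen++
            if (mode != "enforce" || profile != "/usr/sbin/sssd") bad++
        }
        # Succeed only if sssd processes were listed and all were confined as expected.
        END { if (seen > 0 && bad == 0) exit 0; exit 1 }
    '
}

# Sample input: part of the output above, trimmed to the relevant lines.
sample_status() {
    cat <<'EOF'
apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
   /usr/sbin/sssd
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
   /usr/sbin/chronyd (994)
   /usr/sbin/sssd (929)
   /usr/libexec/sssd/sssd_be (1279) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (1480) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (1481) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_ssh (1484) /usr/sbin/sssd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

sample_status | check_sssd_confinement
```

On a live system the same function can take the real output, for example `sudo apparmor_status | check_sssd_confinement`.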