sssd startup fails when apparmor in enforcing mode
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| subiquity | New | Undecided | Unassigned | |
Bug Description
sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.
apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.
The following notifications are a sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?
Sample apparmor-notify output here:
Profile: /usr/sbin/
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')

Profile: /usr/sbin/
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')

Profile: /usr/sbin/
Operation: mknod
Name: /var/lib/
Denied: c
Logfile: /var/log/

Profile: /usr/sbin/
Operation: open
Name: /var/lib/
Denied: wrc
Logfile: /var/log/

Profile: /usr/sbin/
Operation: chmod
Name: /var/lib/
Denied: w
Logfile: /var/log/
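As an added example (not code from the bug report, nor from the sssd or AppArmor projects), the Python helper below parses the apparmor-notify record layout shown above and merges the denials per profile and path into draft file rules, so the denies can be reviewed one by one instead of dropping the whole profile to complain mode. The sample input is constructed; the full profile path (`/usr/sbin/sssd`) and the `/var/lib/sss/db/EXAMPLE.ldb` file are assumed placeholders, since the report shows those paths cut off.

```python
import re
from collections import OrderedDict

# Constructed sample in the record layout apparmor-notify prints. The profile
# path and the file under /var/lib are assumed placeholders (the bug report
# shows them truncated), not values taken from the report.
SAMPLE_NOTIFY_OUTPUT = """\
Profile: /usr/sbin/sssd
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/syslog
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
Profile: /usr/sbin/sssd
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/syslog
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')
Profile: /usr/sbin/sssd
Operation: mknod
Name: /var/lib/sss/db/EXAMPLE.ldb
Denied: c
Logfile: /var/log/syslog
Profile: /usr/sbin/sssd
Operation: open
Name: /var/lib/sss/db/EXAMPLE.ldb
Denied: wrc
Logfile: /var/log/syslog
"""

FIELD_RE = re.compile(r"^(Profile|Operation|Name|Denied|Logfile):\s*(.*)$")
COUNT_RE = re.compile(r"^\((\d+) found, most recent from '(.*)'\)$")
PERM_ORDER = "rwacdklmx"  # fixed order used when emitting permission letters


def parse_notify(text):
    """Split apparmor-notify summary output into one dict per record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Profile":          # every record starts with Profile:
                current = {"count": 1}    # no trailer means it was seen once
                records.append(current)
            if current is not None:
                current[key.lower()] = value
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:     # optional "(N found, ...)" trailer
            current["count"] = int(m.group(1))
            current["last_seen"] = m.group(2)
    return records


def generalize_path(path):
    """Replace a concrete PID in /proc/<pid>/... with an AppArmor glob."""
    return re.sub(r"^/proc/\d+/", "/proc/[0-9]*/", path)


def summarize(records):
    """Merge records per (profile, path): union of perms, total hit count."""
    merged = OrderedDict()
    for rec in records:
        key = (rec["profile"], generalize_path(rec["name"]))
        entry = merged.setdefault(key, {"perms": set(), "count": 0, "ops": set()})
        entry["perms"].update(rec["denied"])
        entry["count"] += rec["count"]
        entry["ops"].add(rec["operation"])
    return merged


def candidate_rules(text):
    """Return draft file rules in profile syntax, one per denied path."""
    rules = []
    for (_profile, path), entry in summarize(parse_notify(text)).items():
        perms = "".join(sorted(entry["perms"], key=PERM_ORDER.index))
        rules.append(f"{path} {perms},")
    return rules


if __name__ == "__main__":
    for (profile, path), entry in summarize(parse_notify(SAMPLE_NOTIFY_OUTPUT)).items():
        ops = ",".join(sorted(entry["ops"]))
        print(f"{profile}: {path} denied={''.join(sorted(entry['perms']))} "
              f"ops={ops} hits={entry['count']}")
    print("\n".join(candidate_rules(SAMPLE_NOTIFY_OUTPUT)))
```

The draft rules are review input, not something to paste blindly: a read of `/etc/hosts` is plainly benign and belongs in the site-local override under `/etc/apparmor.d/local/`, whereas reads of other processes' `/proc/<pid>/cmdline` deserve a look at which library is issuing them before being allowed. Keeping the profile in enforce mode with a reviewed local addition preserves the CIS posture the reporter is after.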
This was meant to be opened in the /apparmor/ project not subiquity.