sssd startup fails when apparmor in enforcing mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
sssd (Ubuntu) | Fix Released | Undecided | Sergio Durigan Junior |
Focal | Fix Released | Undecided | Sergio Durigan Junior |
Groovy | Fix Released | Undecided | Sergio Durigan Junior |
Hirsute | Fix Released | Undecided | Sergio Durigan Junior |
Bug Description
[ Impact ]
sssd users on Focal, Groovy and Hirsute can experience problems when setting sssd's apparmor profile to "Enforce" mode. In this scenario, apparmor will prevent sssd from being able to execute programs under the /usr/libexec/sssd/* path, which will cause the sssd service to fail to start.
Aside from the denial mentioned above, the sssd apparmor profile also needs to be updated to reflect the fact that sssd needs read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/* directories.
[ Test Case ]
Using an LXD VM, one can:
$ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm
$ lxc shell sssd-bug1910611-focal
# apt update && apt install apparmor-utils sssd -y
...
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
config_file_version = 2
domains = example.com
[domain/
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://
cache_credentials = True
ldap_search_base = dc=example,dc=com
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
...
[ 2011.510479] audit: type=1400 audit(161100789
[ 2011.511822] audit: type=1400 audit(161100789
The instructions above can be replicated to test things on Groovy and Hirsute.
[ Regression Potential ]
Very little regression potential, since we are expanding the apparmor permissions of sssd, and not reducing them.
* If the user already has apparmor enabled for sssd, she will most likely have addressed these issues by herself, which means that this change will just be a duplicate of what is already on the system.
* If the user does not have apparmor enabled, then nothing will change.
[ Original Description ]
sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.
apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.
The following notifications are sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?
Sample apparmor-notif output here:
Profile: /usr/sbin/
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
Profile: /usr/sbin/
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')
Profile: /usr/sbin/
Operation: mknod
Name: /var/lib/
Denied: c
Logfile: /var/log/
Profile: /usr/sbin/
Operation: open
Name: /var/lib/
Denied: wrc
Logfile: /var/log/
Profile: /usr/sbin/
Operation: chmod
Name: /var/lib/
Denied: w
Logfile: /var/log/
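The [ Impact ] section names the three paths the profile lacked, and the [ Test Case ] stops at `dmesg | grep DENIED` with the audit records cut off. As an added example, not code from this bug report, the sssd project or the Ubuntu package, the POSIX shell script below turns such type=1400 DENIED records into candidate AppArmor rules and then checks a profile text for the paths involved. The three audit lines are constructed, and the helper name sssd_be, the file names under conf.d/ and mech.d/, and the exact rule text (including the `ix` exec mode) are assumptions, not the contents of debian/apparmor-profile.

```shell
#!/bin/sh
# Added example for this bug page; not code from the bug report, the sssd
# project or the Ubuntu package. It shows (1) how to turn the type=1400
# "DENIED" records that "dmesg | grep DENIED" prints into candidate AppArmor
# rules, and (2) how to check a profile text for the paths this bug is about.
#
# The audit records below are CONSTRUCTED: PIDs, timestamps, the helper name
# sssd_be and the file names under conf.d/ and mech.d/ are made up, but the
# field layout matches what the kernel logs for an AppArmor denial. The last
# record is a deliberate duplicate so the de-duplication is visible.
SAMPLE_DENIALS='[ 2011.510479] audit: type=1400 audit(1611007891.123:45): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=1234 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2011.511822] audit: type=1400 audit(1611007891.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/10-extra.conf" pid=1234 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.612003] audit: type=1400 audit(1611007892.789:47): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/gss/mech.d/gssproxy.conf" pid=1235 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.612003] audit: type=1400 audit(1611007892.789:47): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/gss/mech.d/gssproxy.conf" pid=1235 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Rules of the shape the [ Impact ] section describes. The exact lines the
# package ships are an ASSUMPTION here, including the choice of "ix" (run the
# helper under the same profile rather than unconfined).
FIXED_RULES='  /usr/libexec/sssd/* ix,
  /etc/sssd/conf.d/* r,
  /etc/gss/mech.d/* r,'

# denials_to_rules: audit records on stdin -> one candidate rule per distinct
# (path, denied_mask) pair, sorted. Exec denials are mapped to "ix"; anything
# else keeps the denied mask letters as the file mode.
denials_to_rules() {
    grep 'apparmor="DENIED"' |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    sort -u |
    while read -r path mask; do
        case "$mask" in
            *x*) printf '  %s ix,\n' "$path" ;;
            *)   printf '  %s %s,\n' "$path" "$mask" ;;
        esac
    done
}

# profile_grants PATH MASK: success if some rule line on stdin matches PATH
# and its mode contains every letter of MASK. Matching uses the shell's case
# globbing, which is looser than AppArmor's ("*" here also crosses "/", where
# AppArmor needs "**"), so a hit means "probably covered", a miss is a real gap.
profile_grants() {
    want_path=$1
    want_mask=$2
    while read -r rpath rmode; do
        case "$rpath" in ''|'#'*) continue ;; esac
        rmode=${rmode%,}
        case "$want_path" in
            $rpath) ;;          # unquoted on purpose: the rule path is a glob
            *) continue ;;
        esac
        missing=0
        for letter in $(printf '%s' "$want_mask" | sed 's/./& /g'); do
            case "$rmode" in *"$letter"*) ;; *) missing=1 ;; esac
        done
        [ "$missing" -eq 0 ] && return 0
    done
    return 1
}

# uncovered_denials PROFILE_FILE: audit records on stdin -> the candidate
# rules the profile in PROFILE_FILE does not yet grant; empty output means
# the profile covers everything in the log.
uncovered_denials() {
    profile_file=$1
    denials_to_rules | while read -r path mode; do
        mode=${mode%,}
        if ! profile_grants "$path" "$mode" < "$profile_file"; then
            printf '  %s %s,\n' "$path" "$mode"
        fi
    done
}

# Stand-alone run: the constructed denials against the assumed fixed profile.
tmp_profile=$(mktemp)
printf '%s\n' "$FIXED_RULES" > "$tmp_profile"
printf 'Candidate rules from the log:\n'
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules
printf 'Still uncovered by the fixed profile (expect nothing):\n'
printf '%s\n' "$SAMPLE_DENIALS" | uncovered_denials "$tmp_profile"
rm -f "$tmp_profile"
```

The apparmor-utils package installed in the test case ships aa-logprof, which does this interactively against the real audit log; the script only shows the mechanics on a fixed input. Because its glob matching is looser than AppArmor's, an empty "uncovered" list is a hint rather than proof, while a non-empty one points at a rule that is definitely missing.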
Related branches
- Reviews: Christian Ehrhardt (community): Approve; Canonical Server: Pending requested
  Diff: 294 lines (+228/-2), 5 files modified: debian/changelog (+139/-0), debian/control (+3/-2), debian/patches/fix-python-tests.patch (+83/-0), debian/patches/series (+1/-0), debian/rules (+2/-0)
- Reviews: Christian Ehrhardt (community): Approve; Canonical Server Core Reviewers: Pending requested; Canonical Server: Pending requested
  Diff: 36 lines (+13/-0), 2 files modified: debian/apparmor-profile (+5/-0), debian/changelog (+8/-0)
- Reviews: Christian Ehrhardt (community): Approve; Canonical Server: Pending requested
  Diff: 36 lines (+13/-0), 2 files modified: debian/apparmor-profile (+5/-0), debian/changelog (+8/-0)
- Reviews: Christian Ehrhardt (community): Needs Fixing; Canonical Server: Pending requested
  Diff: 36 lines (+13/-0), 2 files modified: debian/apparmor-profile (+5/-0), debian/changelog (+8/-0)
tags: added: server-next
Changed in sssd (Ubuntu): assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Focal): assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Groovy): assignee: nobody → Sergio Durigan Junior (sergiodj)
description: updated
Changed in apparmor: status: New → Fix Released
Reported issue with SSSD project on Github, and they referred me here. https://github.com/SSSD/sssd/issues/5446
Reference: https:/