sssd startup fails when apparmor in enforcing mode

Bug #1910610 reported by richard on 2021-01-08
Affects Status Importance Assigned to Milestone
subiquity
Undecided
Unassigned

Bug Description

sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.

apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.

The following notifications are a sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?

Sample apparmor-notify output here:

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/audit/audit.log
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: chmod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: w
Logfile: /var/log/audit/audit.log
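
A small helper, added here and not part of the report or of sssd/AppArmor, that parses apparmor-notify blocks like the ones above and aggregates the denials per exec'd helper and path into candidate profile lines for review; the `//null-` part of the profile name marks a child the parent exec'd without a matching exec rule, and /proc/<pid>/ paths are collapsed to /proc/*/. The SAMPLE is constructed from three of the blocks quoted above.

```python
import re
from collections import defaultdict
# Constructed sample: three of the apparmor-notify blocks quoted in the report.
SAMPLE = """Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log
"""

def parse_notifications(text):
    """Split apparmor-notify output into one dict of 'Key: value' fields per block."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+): (.*)$", chunk, re.M))
        if "Profile" in fields and "Name" in fields:   # skip summary-only chunks
            blocks.append(fields)
    return blocks

def generalize(path):
    """Collapse the PID in /proc paths so one rule covers every process."""
    return re.sub(r"^/proc/\d+/", "/proc/*/", path)

def summarize(text):
    """(parent profile, exec'd child) -> path -> denied modes. The '//null-<bin>'
    suffix names a child the parent exec'd without a matching exec rule."""
    summary = defaultdict(lambda: defaultdict(set))
    for b in parse_notifications(text):
        parent, _, child = b["Profile"].partition("//null-")
        summary[(parent, child or None)][generalize(b["Name"])].update(b["Denied"])
    return summary

def candidate_rules(text):
    """Render the summary as profile lines to review before adding them."""
    return sorted(f"{child or parent}: {path} {''.join(sorted(modes))},"
                  for (parent, child), paths in summarize(text).items()
                  for path, modes in paths.items())
```

The random suffix of the .krb5info_dummy_* file is left as-is; whether to glob it is a decision for profile review, not something the script guesses.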

richard (meusburger) wrote :

This was meant to be opened in the /apparmor/ project not subiquity.
