Ubuntu
apparmor package

abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups

Bug #1751402 reported by Simon Déziel
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Undecided
Unassigned
apparmor (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

From https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/comments/4:

[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The unbound AA profile includes abstractions/nameservice which already has some rules for files under /var/lib/sss/mc. I think that adding "/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make sense:

$ diff -Naur abstractions/nameservice.orig abstractions/nameservice
--- abstractions/nameservice.orig 2018-02-24 02:19:24.310884300 +0000
+++ abstractions/nameservice 2018-02-24 02:20:10.578785312 +0000
@@ -30,6 +30,7 @@
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group r,
   /var/lib/sss/mc/passwd r,
+ /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pipes/nss rw,

   /etc/resolv.conf r,

Revision history for this message
intrigeri (intrigeri) wrote :

FTR this was already added upstream in commit 84cd523d8c which is part of AppArmor v2.12. So i'll be fixed whenever Ubuntu upgrades to 2.12 :)

Changed in apparmor:
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

---------------
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.