abstraction/nameservice should allow access to /var/lib/sss/mc/initgroups

Bug #1751402 reported by Simon Déziel on 2018-02-24
This bug affects 1 person
Affects: apparmor (Ubuntu)

Bug Description

From https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/comments/4:

[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The unbound AA profile includes abstractions/nameservice which already has some rules for files under /var/lib/sss/mc. I think that adding "/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make sense:

$ diff -Naur abstractions/nameservice.orig abstractions/nameservice
--- abstractions/nameservice.orig 2018-02-24 02:19:24.310884300 +0000
+++ abstractions/nameservice 2018-02-24 02:20:10.578785312 +0000
@@ -30,6 +30,7 @@
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group r,
   /var/lib/sss/mc/passwd r,
+ /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pipes/nss rw,

   /etc/resolv.conf r,
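
Review bot: the sibling entries in this block are kept in alphabetical order (group, then passwd), so the new line reads better inserted between them rather than after passwd, giving "/var/lib/sss/mc/group r," / "/var/lib/sss/mc/initgroups r," / "/var/lib/sss/mc/passwd r,". Read-only is the right mask here: it matches denied_mask="r" in the quoted log and, unlike the "/var/lib/sss/pipes/nss rw," rule, grants nothing beyond what the memory-cache lookup needs.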

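As an added example (not part of the bug report or of the AppArmor tools), the following Python turns the DENIED audit line quoted above into the candidate profile rule and checks it against the abstraction's existing sssd rules, roughly what aa-logprof does for a plain file denial. The second log line and the EXISTING_RULES text are constructed from the hunk; only exact path matches are handled, not globs or variables.

```python
import re

# Constructed sample: the denial quoted in the report, plus one constructed line
# for a path the abstraction already permits, which must be filtered out.
SAMPLE_LOG = """\
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2794368.000000] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/passwd" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
# The sssd part of abstractions/nameservice as it stood before the patch (from the hunk).
EXISTING_RULES = """\
  /var/lib/sss/mc/group r,
  /var/lib/sss/mc/passwd r,
  /var/lib/sss/pipes/nss rw,
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="value" or key=value
PERM_ORDER = "rwalkmix"  # canonical order of AppArmor file permission letters

def parse_denial(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(line)}

def suggest_rule(fields):
    """File rule that would satisfy one DENIED event, e.g. '/path r,'; None if not a file event."""
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    perms = "".join(p for p in PERM_ORDER if p in mask)
    return f"{fields['name']} {perms}," if perms else None

def granted_perms(rules_text):
    """Map path -> set of permission letters for the plain file rules in rules_text."""
    granted = {}
    for line in rules_text.splitlines():
        parts = line.strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            granted[parts[0]] = set(parts[1])
    return granted

def missing_rules(log_text, rules_text):
    """Rules the denials need that rules_text does not already grant (exact paths only)."""
    granted, needed = granted_perms(rules_text), []
    for line in log_text.splitlines():
        rule = suggest_rule(parse_denial(line))
        if rule is None:
            continue
        path, perms = rule.rstrip(",").split()
        if not set(perms) <= granted.get(path, set()) and rule not in needed:
            needed.append(rule)
    return needed
```

Running missing_rules(SAMPLE_LOG, EXISTING_RULES) yields only the initgroups rule, since the passwd denial is already covered by the abstraction.
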
intrigeri (intrigeri) wrote :

FTR this was already added upstream in commit 84cd523d8c which is part of AppArmor v2.12. So it'll be fixed whenever Ubuntu upgrades to 2.12 :)

Changed in apparmor:
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remote /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released