incorrect path in apparmor profile prevents sssd from working

Bug #1175317 reported by Oliver Brakmann on 2013-05-01
This bug affects 1 person
Affects: sssd (Ubuntu); Importance: High; Assigned to: Timo Aaltonen
Affects: Raring; Importance: High; Assigned to: Unassigned

Bug Description

[Impact]

helper processes can't start due to a bug in the apparmor profile

[Test case]

configure the daemon and see how the helpers fail to start

[Regression potential]

none really, it is an obvious bug in the profile

--

An incorrect path statement in sssd's apparmor profile prevents sssd from forking its helper services. The corresponding log messages look like this:

/var/log/syslog:
May 1 21:55:17 ares sssd: Starting up
May 1 21:55:18 ares kernel: [ 23.115299] type=1400 audit(1367438118.048:16): apparmor="DENIED" operation="exec" parent=925 profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/sssd/sssd_be" pid=929 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May 1 21:55:18 ares kernel: [ 23.152108] type=1400 audit(1367438118.088:17): apparmor="DENIED" operation="exec" parent=925 profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/sssd/sssd_be" pid=930 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May 1 21:55:24 ares kernel: [ 29.156118] type=1400 audit(1367438124.092:48): apparmor="DENIED" operation="exec" parent=925 profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/sssd/sssd_be" pid=1293 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

/etc/apparmor.d/usr.sbin.sssd contains this line:

  /usr/lib/sssd/sssd/* rix,

It has to be changed to look like this to make sssd work again:
  /usr/lib/@{multiarch}/sssd/* rix,

The bug affects Ubuntu 13.04 (and probably Saucy) only.

Timo Aaltonen (tjaalton) wrote :

Thanks! This is probably why it fails to upgrade properly, as reported on irc/ml..

Changed in sssd (Ubuntu):
assignee: nobody → Timo Aaltonen (tjaalton)
importance: Undecided → High
status: New → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.9.5-0ubuntu3

---------------
sssd (1.9.5-0ubuntu3) saucy; urgency=low

  * Merge from unreleased Debian git.
    - apparmor-profile: Fix the profile to use the multiarch path for
      it's helper location (LP: #1175317).
 -- Timo Aaltonen <email address hidden> Thu, 02 May 2013 15:52:19 +0300

Changed in sssd (Ubuntu):
status: In Progress → Fix Released

Timo Aaltonen (tjaalton) wrote :

uploaded to raring-proposed, need to be accepted before it's installable there

Changed in sssd (Ubuntu Raring):
importance: Undecided → High
status: New → In Progress

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

Timo Aaltonen (tjaalton) on 2013-07-01
description: updated

Hello Oliver, or anyone else affected,

Accepted sssd into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.9.4-0ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Raring):
status: In Progress → Fix Committed
tags: added: verification-needed

Oliver Brakmann (obrakmann) wrote :

Hello,

I'm sorry, but the -proposed package does not work.

The apparmor profile now says

    /usr/lib/@{multiarch}/sssd/sssd/* rix,

but the correct statement is this, as mentioned above in my original report:

    /usr/lib/@{multiarch}/sssd/* rix,

ie. only one "sssd" in the path.
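
Added example (not part of the original thread or of the sssd packaging): a Python check of the denied exec path from the syslog excerpt against the three rule variants quoted in this report. It implements only a subset of AppArmor path globbing (*, **, ? and variable expansion) and assumes @{multiarch} has the value shipped in /etc/apparmor.d/tunables/multiarch; the function names are hypothetical.

```python
import re

# Assumption: @{multiarch} as defined in /etc/apparmor.d/tunables/multiarch.
VARIABLES = {"multiarch": "*-linux-gnu*"}

# First denial from the report's syslog excerpt.
SAMPLE_LOG = '''May 1 21:55:18 ares kernel: [ 23.115299] type=1400 audit(1367438118.048:16): apparmor="DENIED" operation="exec" parent=925 profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/sssd/sssd_be" pid=929 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'''

# The three rule variants quoted in the report: original, first SRU upload, fix.
RULES = [
    "/usr/lib/sssd/sssd/* rix,",
    "/usr/lib/@{multiarch}/sssd/sssd/* rix,",
    "/usr/lib/@{multiarch}/sssd/* rix,",
]

def parse_denials(log):
    """Return the quoted key="value" fields of each AppArmor DENIED record."""
    records = []
    for line in log.splitlines():
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def rule_to_regex(glob):
    """Translate a subset of AppArmor path globbing into an anchored regex."""
    expanded = re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], glob)
    # '*' and '?' never cross a '/', while '**' does.
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    pattern = re.sub(r"\*\*|\*|\?|.",
                     lambda m: tokens.get(m.group(0), re.escape(m.group(0))),
                     expanded)
    return re.compile(pattern + r"\Z")

def rule_allows(rule, path, mask):
    """True if the rule's path matches and its permissions cover the mask."""
    glob, perms = rule.rstrip(",").split()
    return all(c in perms for c in mask) and bool(rule_to_regex(glob).match(path))

def check(log=SAMPLE_LOG, rules=RULES):
    """Map each rule to whether it would permit every denial found in the log."""
    denials = parse_denials(log)
    return {r: all(rule_allows(r, d["name"], d["denied_mask"]) for d in denials)
            for r in rules}

if __name__ == "__main__":
    for rule, ok in check().items():
        print(("ALLOWS " if ok else "MISSES ") + rule)
```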

Timo Aaltonen (tjaalton) wrote :

I don't know where you see that, but the file on the packaging git has

 /usr/lib/@{multiarch}/sssd/* rix,

so please check again?

Oliver Brakmann (obrakmann) wrote :

Hi Timo,

I see it on my system :-)

I just checked the .deb in the APT cache just to be sure that the file really is from the package and not modified by me. But it really is from the package.

See the diff from sssd_1.9.4-0ubuntu4 to sssd_1.9.4-0ubuntu4.1:
https://launchpadlibrarian.net/144234903/sssd_1.9.4-0ubuntu4_1.9.4-0ubuntu4.1.diff.gz

Timo Aaltonen (tjaalton) wrote :

huh, indeed.. somehow the raring branch got the wrong path

fixed and uploaded!

Brian Murray (brian-murray) wrote :

I've approved the new upload of sssd, sorry about the delay.

Oliver Brakmann (obrakmann) wrote :

I confirm that 1.9.4-0ubuntu4.2 fixes the issue.

Thanks all!

tags: added: verification-done
removed: verification-needed

Adam Conrad (adconrad) on 2014-05-17
Changed in sssd (Ubuntu Raring):
status: Fix Committed → Fix Released