sssd's apparmor profile needs chown capability

Bug #1699576 reported by Andreas Hasenack on 2017-06-21
This bug affects 1 person
Affects: sssd (Ubuntu)
Assigned to: Andreas Hasenack

Bug Description

When starting sssd, we can see a warning in the logs when apparmor is in complain mode:

Jun 21 18:36:52 15-89 kernel: [ 1641.660315] audit: type=1400 audit(1498070212.069:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=26257 comm="sssd" capability=0 capname="chown"

In enforce mode sssd fails to start:
# service sssd start
Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details.

Jun 21 18:37:31 15-89 systemd[1]: Starting System Security Services Daemon...
Jun 21 18:37:31 15-89 kernel: [ 1681.480758] audit: type=1400 audit(1498070251.885:74): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=26919 comm="sssd" capability=0 capname="chown"
Jun 21 18:37:31 15-89 sssd: Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jun 21 18:37:31 15-89 systemd[1]: Failed to start System Security Services Daemon.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Unit entered failed state.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Failed with result 'exit-code'.

Changed in sssd (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.15.2-1ubuntu2

sssd (1.15.2-1ubuntu2) artful; urgency=medium

  * d/apparmor-profile:
    - allow the chown capability (LP: #1699576)
    - allow sssd to notify systemd during startup (LP: #1689387)

 -- Andreas Hasenack <email address hidden> Wed, 21 Jun 2017 15:50:35 -0300
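As an added illustration (not code from this bug report or from the sssd package), the following Python script parses AppArmor "capable" audit lines like the ones in this report and prints the profile rule that would clear them, distinguishing a complain-mode ALLOWED entry from the enforce-mode DENIED that actually stopped sssd. The embedded log lines are constructed from the messages above.

```python
import re

# Constructed sample: the two AppArmor audit lines from this report plus one unrelated line.
SAMPLE_LOG = """\
Jun 21 18:36:52 15-89 kernel: [ 1641.660315] audit: type=1400 audit(1498070212.069:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=26257 comm="sssd" capability=0 capname="chown"
Jun 21 18:37:31 15-89 systemd[1]: Starting System Security Services Daemon...
Jun 21 18:37:31 15-89 kernel: [ 1681.480758] audit: type=1400 audit(1498070251.885:74): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=26919 comm="sssd" capability=0 capname="chown"
"""

# AppArmor writes its fields as key="value"; unquoted ones (pid=, capability=) are not needed here.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_events(text):
    """Return one dict of fields per AppArmor 'capable' audit line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue
        fields = dict(_KV.findall(line))
        if fields.get("operation") == "capable" and "capname" in fields:
            events.append(fields)
    return events


def suggested_rules(events):
    """Group events as {profile: {capname: {"rule", "denied", "count"}}}.

    'denied' is True once any DENIED entry (enforce mode) was seen for that
    capability; ALLOWED entries come from complain mode and only warn.
    """
    rules = {}
    for ev in events:
        caps = rules.setdefault(ev["profile"], {})
        info = caps.setdefault(ev["capname"], {
            "rule": f'capability {ev["capname"]},', "denied": False, "count": 0})
        info["count"] += 1
        info["denied"] = info["denied"] or ev["apparmor"] == "DENIED"
    return rules


def render_profile_snippet(rules):
    """Render the rules as lines ready to paste into each profile."""
    out = []
    for profile, caps in sorted(rules.items()):
        out.append(f"# {profile}")
        for capname, info in sorted(caps.items()):
            marker = "enforce-mode denial" if info["denied"] else "complain-mode only"
            out.append(f'  {info["rule"]}  # {marker}, seen {info["count"]}x')
    return "\n".join(out)


if __name__ == "__main__":
    print(render_profile_snippet(suggested_rules(parse_apparmor_events(SAMPLE_LOG))))
```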

Changed in sssd (Ubuntu):
status: In Progress → Fix Released