Add /var/lib/sss/mc/{group|passwd} to nameservice abstraction
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | High | Stéphane Graber |
Precise | Fix Released | Undecided | Stéphane Graber |
Quantal | Fix Released | High | Stéphane Graber |
Bug Description
[rationale]
Systems using sssd experience issues when software running under apparmor tries to access the authentication cache.
[test case]
1) Set up a system using sssd
2) Restart cups (for example)
3) Check that DENIED lines appear in dmesg for /var/lib/sss/mc/*
4) Update apparmor
5) Flush dmesg (dmesg -c)
6) Restart cups (for example)
7) Confirm that the DENIED entries no longer appear
[regression potential]
Trivial change, allowing read access to an extra two files, don't see any potential regression here. Worst case scenario would be that the software currently impacted by this will crash later on because of another missing rule. So far on my test systems, I haven't seen any such behaviour and even so, it technically wouldn't be a regression but just something else needing fixing.
sssd provides two files for fast access to its cache, /var/lib/
Those are world readable and any process susceptible of doing nss queries should be allowed read rights to these.
=== modified file 'profiles/
--- profiles/
+++ profiles/
@@ -21,6 +21,10 @@
/etc/passwd r,
/etc/protocols r,
+ # When using sssd, the passwd and group files are stored in an alternate path
+ /var/lib/
+ /var/lib/
+
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /{,var/
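Review bot: the comment on the first added line says the passwd and group files "are stored in an alternate path", which reads as if these replace /etc/passwd; the description calls them two files sssd provides for fast access to its cache, so the comment should say that. The description also states that only read access to two files is needed, so please confirm both new /var/lib/ rules end in r, like the /etc/passwd and /etc/protocols lines above them, and name the two files rather than a wider glob.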
The fix above seems to be doing the trick here, it's similar to the selinux rule change that had to happen on redhat's side:
https:/
Changed in apparmor (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Stéphane Graber (stgraber)
description: updated
Changed in apparmor (Ubuntu Quantal):
milestone: none → ubuntu-12.10
importance: Undecided → High
Changed in apparmor (Ubuntu Precise):
assignee: Stéphane Graber (stgraber) → jeang@online.nl (jeang)
Changed in apparmor (Ubuntu Precise):
assignee: jeang@online.nl (jeang) → Stéphane Graber (stgraber)
As I'm mostly using sssd on 12.04 systems, I'm going to also prepare an SRU for this.
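The dmesg checks in steps 3 and 7 of the test case can be scripted. The following is an added example, not part of the bug report or of the apparmor package; the function names and the sample log lines (profile, pids, timestamps) are constructed for illustration, and it assumes the kernel's usual apparmor="DENIED" audit line layout.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise AppArmor denials for the
# sssd fast cache under /var/lib/sss/mc/ from kernel log text on stdin.
# Output: "<count> <profile> <file> <denied_mask>", one line per combination.
sss_mc_denials() {
    awk '
    function field(line, key,    re, s) {   # value of key="..." or "-" if absent
        re = " " key "=\"[^\"]*\""
        if (match(line, re) == 0) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub("^ " key "=\"", "", s); sub("\"$", "", s)
        return s
    }
    /apparmor="DENIED"/ && /name="\/var\/lib\/sss\/mc\// {
        k = field($0, "profile") " " field($0, "name") " " field($0, "denied_mask")
        count[k]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2
}

# Steps 3 and 7 of the test case: prints the summary and returns 1 while
# denials for the cache files are present, returns 0 once they are gone.
sss_mc_check() {
    out=$(sss_mc_denials)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample log: three cache denials, one profile reload, and one
# unrelated denial that the filter must ignore. All values are made up.
sample_dmesg() {
    cat <<'EOF'
[  101.000001] type=1400 audit(1347000000.101:21): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/var/lib/sss/mc/passwd" pid=2101 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000002] type=1400 audit(1347000000.102:22): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/var/lib/sss/mc/group" pid=2101 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000003] type=1400 audit(1347000000.103:23): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/var/lib/sss/mc/passwd" pid=2102 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  102.000001] type=1400 audit(1347000001.001:24): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=2200 comm="apparmor_parser"
[  103.000001] type=1400 audit(1347000002.001:25): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=2101 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}
```

On a live system, run `dmesg | sss_mc_check` after restarting the confined service, before and after updating apparmor.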