Cannot permit some operations for sssd
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Fix Released | Undecided | Christian Boltz | |
| 2.10 | Fix Released | Undecided | Christian Boltz | |
| 2.9 | Fix Released | Undecided | Christian Boltz | |
| apparmor (Ubuntu) | Fix Released | Low | Tyler Hicks | |
Bug Description
I am trying to write an AppArmor profile to match my sssd usage; unfortunately, it seems I cannot tell sssd to permit the things it needs.
apparmor version 2.8.95~
Description: Ubuntu 14.04.3 LTS
Release: 14.04
The complaints in the log:
```
Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(144982224
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(144982224
```
Current profile:
```
#include <tunables/global>
/usr/sbin/sssd {
  #include <abstractions/base>
  #include <abstractions/
  #include <abstractions/
  #include <abstractions/
  capability dac_override,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability sys_nice,
  @{PROC} r,
  @{PROC}
  /etc/krb5.keytab k,
  /etc/
  /etc/localtime r,
  /etc/shells r,
  /etc/
  /usr/sbin/sssd rmix,
  /usr/
  /usr/
  /tmp/{,.}krb5cc_* rwk,
  /var/lib/sss/* rw,
  /var/lib/sss/db/* rwk,
  /var/
  /var/
  /var/
  /var/log/sssd/* rw,
  /var/tmp/host_* rw,
  /{,var/
  # Site-specific additions and overrides. See local/README for details.
  #include <local/
}
```
```
# Site-specific additions and overrides for usr.sbin.sssd.
# For more details, please see /etc/apparmor.
capability sys_admin,
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{PROC}
/etc/ld.so.cache r,
/etc/libnl-
/usr/sbin/sssd rmix,
/usr/sbin/sssd/** rmix,
/var/log/sssd/** lkrw,
/var/lib/sss/** lkrw,
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/var/lib/sss/** lkrw,
```
Also, running aa-genprof et al. crashes:
```
Reading log entries from /var/log/syslog.
Traceback (most recent call last):
  File "/usr/sbin/
    lp_ret = apparmor.
  File "/usr/lib/
    log = log_reader.
  File "/usr/lib/
    self.
  File "/usr/lib/
    raise AppArmorExcepti
apparmor.
```
Changed in apparmor (Ubuntu):
- assignee: nobody → Tyler Hicks (tyhicks)
- status: New → Triaged
- importance: Undecided → Low

Changed in apparmor:
- status: Fix Committed → Fix Released
Which AppArmor version are you using? (We had some fixes around the "unknown mode", however your error message indicates that rmask could be empty, which would be something new.)
For the crash, please try to find out which log line causes this, and paste or attach it. (Hint: split the log into 2 files, check which one causes the crash, split that again, ...)
Bonus points if you check out the latest AppArmor from bzr and test whether it also crashes (cd $checkout_dir/utils && python3 aa-logprof). If it also crashes, please also attach the bugreport file it creates.
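The two practical problems on this page are (a) turning type=1400 denial records into candidate allow rules for the sssd profile, without falling over on a record whose requested/denied mask is empty (the "rmask could be empty" case the comment raises), and (b) locating the single log line that makes a log reader crash by splitting the log in halves, as the comment suggests doing by hand. The following is an added example written for this page; it is not code from the AppArmor project or from aa-logprof, and it implements only a small subset of what those tools do. The log lines in SAMPLE_LOG are constructed (the report's own lines are truncated on the page); the last one is deliberately given empty masks to exercise the edge case.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample log (not the bug report's own lines, which are truncated
# on the page). The last record has empty masks: that is the deliberate
# edge case standing in for the "rmask could be empty" situation.
SAMPLE_LOG = [
    'Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.643:1001): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ld.so.cache" '
    'pid=4242 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.912:1002): '
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=4242 comm="sssd" '
    'capability=21  capname="sys_admin"',
    'Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.912:1003): '
    'apparmor="DENIED" operation="create" profile="/usr/sbin/sssd" pid=4243 comm="sssd_be" '
    'family="inet" sock_type="dgram" protocol=17',
    'Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.912:1004): '
    'apparmor="DENIED" operation="file_perm" profile="/usr/sbin/sssd" name="/var/log/sssd/sssd.log" '
    'pid=4242 comm="sssd" requested_mask="" denied_mask="" fsuid=0 ouid=0',
]

_AUDIT_RE = re.compile(r'type=1400 audit\(([\d.]+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either double-quoted (possibly empty) or bare tokens
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit mask letters -> profile rule mode letters (a/c/d are all forms of writing)
_MASK_TO_MODE = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one type=1400 kernel line into a dict of its key=value fields."""
    m = _AUDIT_RE.search(line)
    if not m:
        return None
    event = {"timestamp": m.group(1), "serial": m.group(2)}
    for key, quoted, bare in _KV_RE.findall(m.group(3)):
        event[key] = bare if bare else quoted   # quoted may legitimately be ""
    return event


def mode_from_mask(mask: str) -> str:
    """Canonical rule mode for an audit mask; letters with no mapping are dropped."""
    letters = {_MASK_TO_MODE[ch] for ch in mask if ch in _MASK_TO_MODE}
    return "".join(ch for ch in "rwmlk" if ch in letters)


def suggest_rule(event: Dict[str, str]) -> Optional[str]:
    """Rule that would allow this denial, or None when nothing sensible can be derived."""
    if event.get("apparmor") != "DENIED":
        return None
    if event.get("operation") == "capable":
        capname = event.get("capname")
        return f"capability {capname}," if capname else None
    if "family" in event and "sock_type" in event:
        return f"network {event['family']} {event['sock_type']},"
    if "name" in event:
        mode = mode_from_mask(event.get("denied_mask") or event.get("requested_mask") or "")
        # An empty mask carries no permission to grant: skip it rather than crash on it.
        return f"{event['name']} {mode}," if mode else None
    return None


def profile_rules(lines: List[str]) -> List[str]:
    """Distinct candidate rules for a log, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        event = parse_event(line)
        rule = suggest_rule(event) if event else None
        if rule and rule not in seen:
            seen.append(rule)
    return seen


def naive_consume(lines: List[str]) -> None:
    """A brittle reader that indexes the mask unconditionally, so an empty mask raises."""
    for line in lines:
        event = parse_event(line)
        if event and "name" in event:
            event["denied_mask"][0]


def find_crashing_line(lines: List[str], consume: Callable[[List[str]], None]) -> Optional[str]:
    """Bisect `lines` down to the first single line on which `consume` raises,
    the way the split-the-log-in-two hint does by hand. Assumes the crash is
    caused by one line on its own. Returns None when nothing crashes."""
    def crashes(chunk: List[str]) -> bool:
        try:
            consume(chunk)
        except Exception:
            return True
        return False

    if not lines or not crashes(lines):
        return None
    lo, hi = 0, len(lines)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if crashes(lines[lo:mid]):
            hi = mid
        else:
            lo = mid
    return lines[lo]


if __name__ == "__main__":
    for rule in profile_rules(SAMPLE_LOG):
        print(rule)
    print("line that crashes the naive reader:", find_crashing_line(SAMPLE_LOG, naive_consume))
```

Running it prints three candidate rules (the file, capability and network denials) and then the fourth sample line, which is the one the brittle reader chokes on; the tolerant path in `suggest_rule` simply yields nothing for that record, which is the behaviour a log reader wants when a mask is empty.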