
touch-packages team mailing list archive

[Bug 1525119] Re: Cannot permit some operations for sssd


Patch sent to the mailing list for review -
https://lists.ubuntu.com/archives/apparmor/2015-December/008922.html

I'm quite sure the Ubuntu package is too old to apply just this patch,
so you might want to get the latest code from the bzr 2.9 branch and
apply it there.

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Also affects: apparmor/2.10
   Importance: Undecided
       Status: New

** Also affects: apparmor/2.9
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => In Progress

** Changed in: apparmor/2.10
       Status: New => In Progress

** Changed in: apparmor/2.9
       Status: New => In Progress

** Changed in: apparmor
     Assignee: (unassigned) => Christian Boltz (cboltz)

** Changed in: apparmor/2.10
     Assignee: (unassigned) => Christian Boltz (cboltz)

** Changed in: apparmor/2.9
     Assignee: (unassigned) => Christian Boltz (cboltz)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525119

Title:
  Cannot permit some operations for sssd

Status in AppArmor:
  In Progress
Status in AppArmor 2.10 series:
  In Progress
Status in AppArmor 2.9 series:
  In Progress
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am trying to write an apparmor profile to match my sssd usage;
  unfortunately, it seems I cannot tell sssd to permit the things it needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  The complaints in log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  #include <tunables/global>

  /usr/sbin/sssd {
    #include <abstractions/base>
    #include <abstractions/kerberosclient>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>

    capability dac_override,
    capability dac_read_search,
    capability setgid,
    capability setuid,
    capability sys_nice,

    @{PROC} r,
    @{PROC}/[0-9]*/status r,

    /etc/krb5.keytab k,
    /etc/ldap/ldap.conf r,
    /etc/localtime r,
    /etc/shells r,
    /etc/sssd/sssd.conf r,

    /usr/sbin/sssd rmix,
    /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
    /usr/lib/@{multiarch}/sssd/* rix,

    /tmp/{,.}krb5cc_* rwk,

    /var/lib/sss/* rw,
    /var/lib/sss/db/* rwk,
    /var/lib/sss/pipes/* rw,
    /var/lib/sss/pipes/private/* rw,
    /var/lib/sss/pubconf/* rw,
    /var/log/sssd/* rw,
    /var/tmp/host_* rw,

    /{,var/}run/sssd.pid rw,

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.sssd>
  }

  # Site-specific additions and overrides for usr.sbin.sssd.
  # For more details, please see /etc/apparmor.d/local/README.

  capability sys_admin,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{PROC}/[0-9]*/net/psched r,

  /etc/ld.so.cache r,
  /etc/libnl-3/classid r,

  /usr/sbin/sssd rmix,
  /usr/sbin/sssd/** rmix,
  /var/log/sssd/** lkrw,
  /var/lib/sss/** lkrw,
  /usr/lib/libdns.so.100.2.2 m,
  /usr/lib/liblwres.so.90.0.7 m,
  /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m,
  /usr/lib/x86_64-linux-gnu/samba/ldb/* m,
  /var/lib/sss/** lkrw,

  Also, running aa-genprof et al crashes:

  Reading log entries from /var/log/syslog.
  Traceback (most recent call last):
    File "/usr/sbin/aa-genprof", line 155, in <module>
      lp_ret = apparmor.do_logprof_pass(logmark, passno)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
      log = log_reader.read_log(logmark)
    File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
      self.add_event_to_tree(event)
    File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
      raise AppArmorException(_('Log contains unknown mode %s') % rmask)
  apparmor.common.AppArmorException: 'Log contains unknown mode '

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1525119/+subscriptions
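The crash in the bug report comes from `file_inherit` events whose `requested_mask`/`denied_mask` are empty strings, which the 2.8.95 log parser treated as an unknown mode. The following is an added example (not part of the bug report, the mailing-list patch, or AppArmor's own `logparser.py`) showing how a small audit-line parser can keep such events visible without aborting: it parses the `type=1400` key/value records, folds complain-mode `//null-NN` children back onto their parent profile, turns ordinary file accesses into rule fragments, flags the exec that created the null child, and sets empty-mask events aside instead of raising. The four sample lines are copied from the report above; the function names (`parse_event`, `parent_profile`, `classify`, `suggest_rules`) and the grouping structure are this example's own choices.

```python
import re

# Four audit lines copied from the bug report above. The file_inherit record
# carries requested_mask="" denied_mask="", which is the value the old
# logparser rejected with 'Log contains unknown mode '.
SAMPLE_LOG = """\
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as written in type=1400 audit records.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Complain-mode child profiles created for unmatched execs look like //null-45.
NULL_CHILD_RE = re.compile(r'//null-\d+$')


def parse_event(line):
    """Turn one kernel audit line into a dict of its key=value fields.

    Returns None for lines without an apparmor= field. An empty quoted value
    is kept as '' rather than dropped, so callers can recognise it.
    """
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parent_profile(profile):
    """Map /usr/sbin/sssd//null-45 back to /usr/sbin/sssd (identity otherwise)."""
    return NULL_CHILD_RE.sub("", profile)


def classify(ev):
    """Decide how a profile author should treat one event.

    Returns (kind, detail):
      'exec'      - an exec with no matching rule; the profile needs a transition rule
      'no-mask'   - the event has an empty mask (e.g. file_inherit); there is no
                    rule to add, and a parser must skip it instead of raising
      'file-rule' - a plain file access, rendered as a rule fragment
    """
    op = ev.get("operation")
    mask = ev.get("denied_mask", "")
    if op == "exec":
        return ("exec", f'{ev.get("comm")} exec to {ev.get("target")}')
    if mask == "":
        return ("no-mask", f'{op} {ev.get("name")}')
    return ("file-rule", f'{ev.get("name")} {mask},')


def suggest_rules(log_text):
    """Group events by parent profile into rule fragments, execs and skipped events."""
    out = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        prof = parent_profile(ev.get("profile", ""))
        bucket = out.setdefault(prof, {"rules": [], "exec": [], "skipped": []})
        kind, detail = classify(ev)
        if kind == "file-rule":
            if detail not in bucket["rules"]:
                bucket["rules"].append(detail)
        elif kind == "exec":
            bucket["exec"].append(detail)
        else:
            bucket["skipped"].append(detail)
    return out


if __name__ == "__main__":
    for prof, bucket in suggest_rules(SAMPLE_LOG).items():
        print(prof)
        for rule in bucket["rules"]:
            print("  " + rule)
        for ex in bucket["exec"]:
            print("  # needs an exec rule: " + ex)
        for skipped in bucket["skipped"]:
            print("  # skipped (empty mask): " + skipped)
```

Run against the sample lines, the output lists the two file rules under `/usr/sbin/sssd`, notes that `sssd_be` performed an exec that landed in the `//null-45` child (the exec record itself does not name the executable, so the rule for it has to come from the profile author), and reports the `file_inherit` event as skipped rather than as a parse failure. Note that `/etc/ld.so.cache r,` and the library `mr` accesses are the ones the reporter's local override already covers; the point of the example is the empty-mask handling, not the rule text.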