Ubuntu
apparmor package

Add /var/lib/sss/mc/{group|passwd} to nameservice abstraction

Bug #1056391 reported by Stéphane Graber
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
High
Stéphane Graber
Ubuntu ubuntu-12.10
Precise
Fix Released
Undecided
Stéphane Graber
Quantal
Fix Released
High
Stéphane Graber
Ubuntu ubuntu-12.10

Bug Description

[rationale]
Systems using sssd experience issue when software runder under apparmor tries to access the authentication cache.

[test case]
1) Setup a system using sssd
2) Restart cups (for example)
3) Check that DENIED lines appear in dmesg for /var/lib/sss/mc/*
4) Update apparmor
5) Flush dmesg (dmesg -c)
6) Restart cups (for example)
7) Confirm that the DENIED entries no longer appear

[regression potential]
Trivial change, allowing read access to an extra two files, don't see any potential regression here. Worst case scenario would be that the software currently impacted by this will crash later on because of another missing rule. So far on my test systems, I haven't seen any such behaviour and even so, it technically wouldn't be a regression but just something else needing fixing.

sssd provides two files for fast access to its cache, /var/lib/sss/mc/group and /var/lib/sss/mc/passwd.

Those are world readable and any process susceptible of doing nss queries should be allowed read rights to these.

=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2012-01-12 12:55:17 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2012-09-25 18:44:33 +0000
@@ -21,6 +21,10 @@
   /etc/passwd r,
   /etc/protocols r,

+ # When using sssd, the passwd and group files are stored in an alternate path
+ /var/lib/sss/mc/group r,
+ /var/lib/sss/mc/passwd r,
+
   /etc/resolv.conf r,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in

The fix above seems to be doing the trick here, it's similar to the selinux rule change that had to happen on redhat's side:
https://bugzilla.redhat.com/show_bug.cgi?id=806348

See original description
Revision history for this message
Stéphane Graber (stgraber) wrote :

As I'm mostly using sssd on 12.04 systems, I'm going to also prepare an SRU for this.

Revision history for this message
Stéphane Graber (stgraber) wrote :

Change uploaded to quantal, will be released once the beta2 freeze is lifted.

Changed in apparmor (Ubuntu Quantal):
status: New → In Progress
assignee: nobody → Stéphane Graber (stgraber)
Stéphane Graber (stgraber)
Changed in apparmor (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Stéphane Graber (stgraber)
description: updated
Revision history for this message
Stéphane Graber (stgraber) wrote :

And uploaded to precise-proposed, should be accepted in a few days when an SRU team member gets to it.

Kate Stewart (kate.stewart)
Changed in apparmor (Ubuntu Quantal):
milestone: none → ubuntu-12.10
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu4

---------------
apparmor (2.8.0-0ubuntu4) quantal; urgency=low

  * Allow /var/lib/sss/mc/{group|passwd} for systems using sssd.
    (LP: #1056391)
 -- Stephane Graber <email address hidden> Tue, 25 Sep 2012 14:59:57 -0400

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote : Please test proposed package

Hello Stéphane, or anyone else affected,

Accepted into precise-proposed. The package will build now and be available in a few hours in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Stéphane Graber (stgraber) wrote :

Works as expected.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.2

---------------
apparmor (2.7.102-0ubuntu3.2) precise-proposed; urgency=low

  * Allow /var/lib/sss/mc/{group|passwd} for systems using sssd.
    (LP: #1056391)
 -- Stephane Graber <email address hidden> Tue, 25 Sep 2012 15:26:11 -0400

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
jeang@online.nl (jeang)
Changed in apparmor (Ubuntu Precise):
assignee: Stéphane Graber (stgraber) → jeang@online.nl (jeang)
Stéphane Graber (stgraber)
Changed in apparmor (Ubuntu Precise):
assignee: jeang@online.nl (jeang) → Stéphane Graber (stgraber)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.