sssd misconfigured in apparmor profile

Bug #1421110 reported by Laurent Pointal
This bug affects 2 people
Affects: sssd (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

After the last update (11/2/2015) on my Ubuntu Server 14.04, I have my syslog filled with repetitions of apparmor messages (see below). Adding the following lines in /etc/apparmor.d/usr.sbin.sssd helps for some of the messages (I am investigating the last ones).

  @{PROC}/[0-9]*/net/psched r,
  /etc/libnl-3/classid r,
  /usr/lib/x86_64-linux-gnu/samba/ldb/* m,

Feb 12 08:44:58 neobingo kernel: [172114.878569] type=1400 audit(1423727098.271:7774537): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=31752 comm="apparmor_parser"
Feb 12 08:44:58 neobingo kernel: [172114.920422] type=1400 audit(1423727098.315:7774538): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/31753/net/psched" pid=31753 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 12 08:44:58 neobingo kernel: [172114.920925] type=1400 audit(1423727098.315:7774539): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/libnl-3/classid" pid=31753 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 12 08:44:58 neobingo kernel: [172114.921370] type=1400 audit(1423727098.315:7774540): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=31753 comm="sssd" capability=21 capname="sys_admin"
Feb 12 08:44:58 neobingo kernel: [172114.932424] type=1400 audit(1423727098.327:7774541): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/acl.so" pid=31753 comm="sssd" requested_mask="m" denied_mask=0
Feb 12 08:44:58 neobingo kernel: [172114.944467] type=1400 audit(1423727098.339:7774542): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/aclread.so" pid=31753 comm="sssd" requested_mask="m" denied_m0
Feb 12 08:44:58 neobingo kernel: [172114.945151] type=1400 audit(1423727098.339:7774543): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/anr.so" pid=31753 comm="sssd" requested_mask="m" denied_mask=0
Feb 12 08:44:58 neobingo kernel: [172114.945550] type=1400 audit(1423727098.339:7774544): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/descriptor.so" pid=31753 comm="sssd" requested_mask="m" denie0
Feb 12 08:44:58 neobingo kernel: [172114.946220] type=1400 audit(1423727098.339:7774545): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/dirsync.so" pid=31753 comm="sssd" requested_mask="m" denied_m0
Feb 12 08:44:58 neobingo kernel: [172114.946978] type=1400 audit(1423727098.339:7774546): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/extended_dn_in.so" pid=31753 comm="sssd" requested_mask="m" d0
Feb 12 08:44:59 neobingo kernel: [172115.667342] init: sssd main process (31753) terminated with status 4
Feb 12 08:44:59 neobingo kernel: [172115.667360] init: sssd main process ended, respawning
Feb 12 08:45:00 neobingo kernel: [172116.761986] init: sssd main process (31761) terminated with status 4
Feb 12 08:45:00 neobingo kernel: [172116.762004] init: sssd main process ended, respawning
Feb 12 08:45:01 neobingo kernel: [172117.807237] init: sssd main process (31769) terminated with status 4
Feb 12 08:45:01 neobingo kernel: [172117.807256] init: sssd main process ended, respawning
Feb 12 08:45:02 neobingo kernel: [172118.932187] init: sssd main process (31777) terminated with status 4
Feb 12 08:45:02 neobingo kernel: [172118.932210] init: sssd main process ended, respawning
Feb 12 08:45:03 neobingo kernel: [172119.994233] init: sssd main process (31785) terminated with status 4
Feb 12 08:45:03 neobingo kernel: [172119.994246] init: sssd main process ended, respawning
Feb 12 08:45:03 neobingo kernel: [172120.213741] audit_printk_skb: 630 callbacks suppressed

Laurent Pointal (laurent-pointal) wrote :

One more apparmor config to add:

  capability sys_admin,
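
An added example (not part of the bug report or the sssd package): a Python parser that turns AppArmor audit lines like those quoted in the description into candidate profile rules, and on this input reproduces the four rules the reporter added by hand. The function name, the directory-collapsing heuristic and the restriction to `r`/`m` masks are assumptions of this example; the sample input is constructed from the report's log lines with the syslog prefix trimmed.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Constructed sample: kernel messages from the report, syslog prefix trimmed.
SAMPLE_LOG = """\
type=1400 audit(1423727098.271:7774537): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=31752 comm="apparmor_parser"
type=1400 audit(1423727098.315:7774538): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/31753/net/psched" pid=31753 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1423727098.315:7774539): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/libnl-3/classid" pid=31753 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1423727098.315:7774540): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=31753 comm="sssd" capability=21 capname="sys_admin"
type=1400 audit(1423727098.327:7774541): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/acl.so" pid=31753 comm="sssd" requested_mask="m" denied_mask=0
type=1400 audit(1423727098.339:7774542): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd" name="/usr/lib/x86_64-linux-gnu/samba/ldb/aclread.so" pid=31753 comm="sssd" requested_mask="m" denied_m0
init: sssd main process (31753) terminated with status 4
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs; survives truncated line tails

def suggest_rules(log_text, profile="/usr/sbin/sssd"):
    """Return sorted candidate AppArmor rules for `profile` from audit lines."""
    caps, files = set(), defaultdict(set)  # files: (directory, mask) -> {paths}
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("profile") != profile or f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # STATUS events, other profiles, non-audit lines
        if f.get("operation") == "capable" and "capname" in f:
            caps.add(f["capname"])
            continue
        name, mask = f.get("name"), f.get("requested_mask")
        # Only read/mmap are proposed; write or exec requests need a human decision.
        if not name or not mask or not set(mask) <= set("rm"):
            continue
        # Per-process /proc entries: match any PID, as the reporter's rule does.
        path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", name)
        files[(dirname(path), mask)].add(path)
    rules = {f"capability {c}," for c in caps}
    for (directory, mask), paths in files.items():
        # Heuristic: several files in one directory with the same mask collapse
        # to dir/*. That widens the grant, so review it before adding it.
        target = f"{directory}/*" if len(paths) > 1 else next(iter(paths))
        rules.add(f"{target} {mask},")
    return sorted(rules)

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

The output is a list of candidates to review against least privilege, in particular `capability sys_admin` and any collapsed `dir/*` rule, before they go into `/etc/apparmor.d/usr.sbin.sssd`.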

tags: added: sssd
tags: added: apparmod
Timo Aaltonen (tjaalton)
no longer affects: apparmor (Ubuntu)
Timo Aaltonen (tjaalton) wrote :

Thanks, committed changes to git, also some additions I'm seeing with Kerberos.

Changed in sssd (Ubuntu):
status: New → In Progress
tags: added: trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.12.5-2

---------------
sssd (1.12.5-2) unstable; urgency=medium

  * sssd-common.postinst: Remove duplicate logrotate file on update.
    (LP: #1249772)
  * control, libsystemd.diff: Transition to libsystemd, thanks Michael
    Biebl! (Closes: #791909)

 -- Timo Aaltonen <email address hidden> Tue, 21 Jul 2015 15:04:25 +0300

Changed in sssd (Ubuntu):
status: In Progress → Fix Released