[Touch-packages] [Bug 1525119] [NEW] Cannot permit some operations for sssd

2015-12-11 Thread Aki Tuomi
Public bug reported:

I am trying to write an AppArmor profile that matches my sssd usage;
unfortunately, it seems I cannot permit the things sssd needs.

apparmor version 2.8.95~2430-0ubuntu5.3

Description:Ubuntu 14.04.3 LTS
Release:14.04

The complaints in the log:
Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 
audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 
audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" 
profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" 
denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 
audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 
audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 
audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 
audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 
audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 
audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 
audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 
audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Current profile:
# NOTE(review): every #include on this page is missing its <target> argument
# (most likely stripped as an HTML tag when the mail was rendered); as shown,
# the profile will not parse. This top-level one is normally
# `#include <tunables/global>`, which is what defines @{PROC} and @{multiarch}.
#include 

# Profile for the sssd daemon. The quoted log shows it in complain mode
# (apparmor="ALLOWED" together with a non-empty denied_mask), so nothing in
# this profile is enforced yet; each ALLOWED line is an access it lacks.
/usr/sbin/sssd {
  #include 
  #include 
  #include 
  #include 

  # None of the quoted log lines requests a capability, so whether each of
  # these is actually needed cannot be checked from this page.
  capability dac_override,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability sys_nice,

  @{PROC} r,
  @{PROC}/[0-9]*/status r,

  # `k` alone grants only file locking on the keytab; read access would have
  # to come from one of the (unlabelled) abstractions above — confirm.
  /etc/krb5.keytab k,
  /etc/ldap/ldap.conf r,
  /etc/localtime r,
  /etc/shells r,
  /etc/sssd/sssd.conf r,

  # `ix` keeps exec'd helpers under this same profile. The log shows sssd_be
  # (pid 7112, presumably started via the rix rule below) exec'ing nsupdate,
  # which no x rule here matches, so complain mode ran it in the learning
  # profile /usr/sbin/sssd//null-45 and every later ALLOWED line is nsupdate
  # under that profile. The author's follow-up adds a /usr/bin/nsupdate rule,
  # which is the missing piece; rules added here do not cover the child.
  /usr/sbin/sssd rmix,
  /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
  /usr/lib/@{multiarch}/sssd/* rix,

  /tmp/{,.}krb5cc_* rwk,

  /var/lib/sss/* rw,
  /var/lib/sss/db/* rwk,
  /var/lib/sss/pipes/* rw,
  /var/lib/sss/pipes/private/* rw,
  /var/lib/sss/pubconf/* rw,
  /var/log/sssd/* rw,
  /var/tmp/host_* rw,

  /{,var/}run/sssd.pid rw,

  # Site-specific additions and overrides. See local/README for details.
  #include 
}
# Site-specific additions and overrides for usr.sbin.sssd.
# For more details, please see /etc/apparmor.d/local/README.
# NOTE(review): this is the local override file pulled in by the profile's
# last #include; everything below widens the sssd profile, so each rule
# should be traceable to a logged denial. None of the quoted log lines
# requests a capability, and sys_admin in particular is very broad — confirm
# both are needed before keeping them.

capability sys_admin,
capability sys_resource,

network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,

@{PROC}/[0-9]*/net/psched r,

/etc/ld.so.cache r,
/etc/libnl-3/classid r,

# `/usr/sbin/sssd` is the daemon binary, so `/usr/sbin/sssd/**` matches no
# real path. This looks like an attempt to cover the `/usr/sbin/sssd//null-45`
# target from the log, but that is a complain-mode learning-profile name, not
# a file; the exec that produced it needs a rule for /usr/bin/nsupdate instead.
/usr/sbin/sssd rmix,
/usr/sbin/sssd/** rmix,
# `**` plus `l` and `k` is wider than the profile's own `/var/log/sssd/* rw`
# and `/var/lib/sss/* rw`: it adds recursion, linking and locking. The lock
# on ldap_child.log / krb5_child.log in the log is a file_inherit with an
# empty mask, so it is not what forced this.
/var/log/sssd/** lkrw,
/var/lib/sss/** lkrw,
# The log requests these two libraries from comm="nsupdate" under the
# //null-45 profile, not from sssd itself, so granting them here does not
# satisfy those entries; they belong in the nsupdate profile.
/usr/lib/libdns.so.100.2.2 m,
/usr/lib/liblwres.so.90.0.7 m,
/usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m,
/usr/lib/x86_64-linux-gnu/samba/ldb/* m,
# Duplicate of the /var/lib/sss/** rule above; harmless but can be dropped.
/var/lib/sss/** lkrw,

Also, running aa-genprof and the related tools crashes:

Reading log entries from /var/log/syslog.
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 155, in 
lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in 
do_logprof_pass
log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in 
read_log
self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in 
add_event_to_tree
raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown 

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-11 Thread Aki Tuomi
The version is, as provided in the initial message,

apparmor version 2.8.95~2430-0ubuntu5.3

Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400
audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit"
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log"
pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0

I was able to make this all work by creating a profile for
/usr/bin/nsupdate and adding the rule `/usr/bin/nsupdate rmpx`.

I'll try to see if testing latest AppArmor is doable.

-- 
https://bugs.launchpad.net/bugs/1525119

Title:
  Cannot permit some operations for sssd

Status in apparmor package in Ubuntu:
  New

Bug description:
  I am trying to write an AppArmor profile that matches my sssd usage;
  unfortunately, it seems I cannot permit the things sssd needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:Ubuntu 14.04.3 LTS
  Release:14.04

  The complaints in log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 
audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 
audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" 
profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" 
denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 
audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 
audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 
audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 
audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 
audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 
audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 
audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 
audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  # NOTE(review): the #include lines in this quoted copy are missing their
  # <target> arguments (likely stripped as HTML tags when rendered), so the
  # profile as shown will not parse; the first one is normally
  # `#include <tunables/global>`, which defines @{PROC} and @{multiarch}.
  #include 

  # The quoted log shows this profile in complain mode (apparmor="ALLOWED"
  # with a non-empty denied_mask); the ALLOWED entries are accesses it lacks.
  /usr/sbin/sssd {
#include 
#include 
#include 
#include 

# None of the quoted log lines requests a capability, so whether each of
# these is needed cannot be checked from this page.
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice,

@{PROC} r,
@{PROC}/[0-9]*/status r,

# `k` alone grants only locking on the keytab; read access would have to
# come from one of the (unlabelled) abstractions above — confirm.
/etc/krb5.keytab k,
/etc/ldap/ldap.conf r,
/etc/localtime r,
/etc/shells r,
/etc/sssd/sssd.conf r,

# The log shows sssd_be (pid 7112) exec'ing nsupdate, which no x rule here
# matches, so complain mode ran it in the learning profile
# /usr/sbin/sssd//null-45; a /usr/bin/nsupdate rule (as in the author's
# follow-up) is the missing piece.
/usr/sbin/sssd rmix,
/usr/lib/@{multiarch}/ldb/modules/ldb/* m,
/usr/lib/@{multiarch}/sssd/* rix,

/tmp/{,.}krb5cc_* rwk,

/var/lib/sss/* rw,
/var/lib/sss/db/* rwk,
/var/lib/sss/pipes/* rw,
/var/lib/sss/pipes/private/* rw,
/var/lib/sss/pubconf/* rw,
/var/log/sssd/* rw,
/var/tmp/host_* rw,

/{,var/}run/sssd.pid rw,

# Site-specific additions and overrides. See local/README for details.
#include 
  }
  # Site-specific additions and overrides for usr.sbin.sssd.
  # For more details, please see /etc/apparmor.d/local/README.

  capability sys_admin,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{PROC}/[0-9]*/net/psched r,

  /etc/ld.so.cache r,
  /etc/libnl-3/classid r,

  /usr/sbin/sssd rmix,

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-12 Thread Aki Tuomi
I think I'm happy that it's been fixed. I was able to figure out the
"root cause" of the trouble, so I don't need aa-genprof and aa-logprof
at all for this. It is a bit unfortunate, though, that there is no tool
that would just show you the rules it would generate instead of updating
the profile directory.

-- 
https://bugs.launchpad.net/bugs/1525119

Title:
  Cannot permit some operations for sssd

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am trying to write an AppArmor profile that matches my sssd usage;
  unfortunately, it seems I cannot permit the things sssd needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:Ubuntu 14.04.3 LTS
  Release:14.04

  The complaints in log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 
audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 
audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" 
profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" 
denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 
audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 
audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 
audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 
audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 
audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 
audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 
audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 
audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  # NOTE(review): the #include lines in this quoted copy are missing their
  # <target> arguments (likely stripped as HTML tags when rendered), so the
  # profile as shown will not parse; the first one is normally
  # `#include <tunables/global>`, which defines @{PROC} and @{multiarch}.
  #include 

  # The quoted log shows this profile in complain mode (apparmor="ALLOWED"
  # with a non-empty denied_mask); the ALLOWED entries are accesses it lacks.
  /usr/sbin/sssd {
#include 
#include 
#include 
#include 

# None of the quoted log lines requests a capability, so whether each of
# these is needed cannot be checked from this page.
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice,

@{PROC} r,
@{PROC}/[0-9]*/status r,

# `k` alone grants only locking on the keytab; read access would have to
# come from one of the (unlabelled) abstractions above — confirm.
/etc/krb5.keytab k,
/etc/ldap/ldap.conf r,
/etc/localtime r,
/etc/shells r,
/etc/sssd/sssd.conf r,

# The log shows sssd_be (pid 7112) exec'ing nsupdate, which no x rule here
# matches, so complain mode ran it in the learning profile
# /usr/sbin/sssd//null-45; a /usr/bin/nsupdate rule (as in the author's
# follow-up) is the missing piece.
/usr/sbin/sssd rmix,
/usr/lib/@{multiarch}/ldb/modules/ldb/* m,
/usr/lib/@{multiarch}/sssd/* rix,

/tmp/{,.}krb5cc_* rwk,

/var/lib/sss/* rw,
/var/lib/sss/db/* rwk,
/var/lib/sss/pipes/* rw,
/var/lib/sss/pipes/private/* rw,
/var/lib/sss/pubconf/* rw,
/var/log/sssd/* rw,
/var/tmp/host_* rw,

/{,var/}run/sssd.pid rw,

# Site-specific additions and overrides. See local/README for details.
#include 
  }
  # Site-specific additions and overrides for usr.sbin.sssd.
  # For more details, please see /etc/apparmor.d/local/README.

  capability sys_admin,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{PROC}/[0-9]*/net/psched r,

  /etc/ld.so.cache r,
  /etc/libnl-3/classid r,

  /usr/sbin/sssd rmix,
  /usr/sbin/sssd/** rmix,
  /var/log/sssd/** lkrw,
  /var/lib/sss/** lkrw,
  /usr/lib/libdns.so.100.2.2 m,
  /us