[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2017-01-10 Thread Christian Boltz
** Changed in: apparmor
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525119

Title:
  Cannot permit some operations for sssd

Status in AppArmor:
  Fix Released
Status in AppArmor 2.10 series:
  Fix Released
Status in AppArmor 2.9 series:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  I am trying to write an apparmor profile to match my sssd usage;
  unfortunately, it seems I cannot tell sssd to permit the things it needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:Ubuntu 14.04.3 LTS
  Release:14.04

  The complaints in log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  #include 

  /usr/sbin/sssd {
    #include 
    #include 
    #include 
    #include 

    capability dac_override,
    capability dac_read_search,
    capability setgid,
    capability setuid,
    capability sys_nice,

    @{PROC} r,
    @{PROC}/[0-9]*/status r,

    /etc/krb5.keytab k,
    /etc/ldap/ldap.conf r,
    /etc/localtime r,
    /etc/shells r,
    /etc/sssd/sssd.conf r,

    /usr/sbin/sssd rmix,
    /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
    /usr/lib/@{multiarch}/sssd/* rix,

    /tmp/{,.}krb5cc_* rwk,

    /var/lib/sss/* rw,
    /var/lib/sss/db/* rwk,
    /var/lib/sss/pipes/* rw,
    /var/lib/sss/pipes/private/* rw,
    /var/lib/sss/pubconf/* rw,
    /var/log/sssd/* rw,
    /var/tmp/host_* rw,

    /{,var/}run/sssd.pid rw,

    # Site-specific additions and overrides. See local/README for details.
    #include 
  }
  # Site-specific additions and overrides for usr.sbin.sssd.
  # For more details, please see /etc/apparmor.d/local/README.

  capability sys_admin,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{PROC}/[0-9]*/net/psched r,

  /etc/ld.so.cache r,
  /etc/libnl-3/classid r,

  /usr/sbin/sssd rmix,
  /usr/sbin/sssd/** rmix,
  /var/log/sssd/** lkrw,
  /var/lib/sss/** lkrw,
  /usr/lib/libdns.so.100.2.2 m,
  /usr/lib/liblwres.so.90.0.7 m,
  /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m,
  /usr/lib/x86_64-linux-gnu/samba/ldb/* m,
  /var/lib/sss/** lkrw,

  Also, running aa-genprof et al crashes:

  Reading log entries from 

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2016-04-20 Thread John Johansen
** Changed in: apparmor/2.10
   Status: Fix Committed => Fix Released


Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Released
Status in AppArmor 2.9 series:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2016-04-15 Thread Christian Boltz
** Changed in: apparmor/2.9
   Status: Fix Committed => Fix Released


Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2016-04-11 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - parser-do-cleanup-when-test-was-skipped.patch
    - parser-allow-unspec-in-network-rules.patch
  * debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
    for new upstream binutils directory and aa-enabled binary
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
    page
  * debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
    access needed for nscd's paranoia mode
  * debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
    regression test build time checks, for libapparmor stacking support, to
    look for the 2.10.95 versioning rather than 2.11
  * debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch:
    Remove extra slash in the parser Makefile so that debugedit(8) can work on
    apparmor_parser(8) (LP: #1561939)
  * debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file
    rules of the new stacking tests so that the generated profiles allow the
    system binaries and libraries to be tested
  * debian/libapparmor1.symbols: update symbols file for added symbols
    in libapparmor

 -- Tyler Hicks   Sat, 09 Apr 2016 01:35:25 -0500

** Changed in: apparmor (Ubuntu)
   Status: Triaged => Fix Released


Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Committed
Status in apparmor package 

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2016-03-19 Thread Tyler Hicks
** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: apparmor (Ubuntu)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Low


Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  Triaged


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-13 Thread Christian Boltz
You can use aa-logprof and, before saving the changes, use "(v)iew
Changes" or "View Changes b/w (C)lean profiles" to see the added rules
and also the removed rules that are obsoleted by added rules.
Afterwards, abort instead of changing the profiles ;-)

That said - maybe your idea of a tool that translates a log to a list of
missing rules isn't that bad. Let me think about it for a while ;-)


Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  New

  
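A small log-to-rules converter along the lines Christian Boltz floats above, run over the audit lines from the bug report. It is an added example for this thread, not AppArmor's own utilities; the last line of the sample (an exec event with name="/usr/bin/nsupdate") is constructed to show the exec-rule path, and the choice of "ix" for bare x masks is an assumption the profile author should review. Unlike the Python utils of the time, it skips file_inherit events with an empty requested_mask instead of crashing on them.

```python
"""Aggregate AppArmor ALLOWED/DENIED file events into candidate profile rules.

Added example for this bug thread (not code from AppArmor's utils).
"""
import re
from collections import defaultdict

# Sample input: the audit lines quoted in the bug report, one per line, plus
# one CONSTRUCTED exec event (last line, made-up name="/usr/bin/nsupdate").
SAMPLE_LOG = """\
Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.999999] type=1400 audit(1449822247.549:21259): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" name="/usr/bin/nsupdate" pid=7113 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# key="quoted value" (possibly empty, as in requested_mask="") or key=bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None if the
    line is not an AppArmor event at all."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted or bare
    return fields


def normalise_mask(mask):
    """Reduce a requested_mask to letters a profile rule accepts: create and
    delete need w, and the owner/other separator '::' of newer logs is dropped
    so both sides are merged (a deliberate over-approximation)."""
    letters = set()
    for ch in mask:
        if ch == ":":
            continue
        if ch in "cd":
            letters.add("w")
        elif ch in "rwalkmx":
            letters.add(ch)
        else:
            raise ValueError(f"unexpected permission {ch!r} in mask {mask!r}")
    if "w" in letters:
        letters.discard("a")  # w already covers append
    return letters


def render_mask(letters):
    """Write letters in the usual profile order. A bare x is not a valid rule
    permission, so it is emitted as ix (assumption: inherit the profile); the
    author may prefer Px or Cx for a confined child."""
    base = "".join(ch for ch in "rwalkm" if ch in letters)
    return base + ("ix" if "x" in letters else "")


def rules_from_log(text):
    """Return ({profile: [rule, ...]}, [(line_no, reason), ...]).

    Masks for the same profile and path are unioned, so open r plus
    file_mmap mr on one library collapse into a single rule."""
    wanted = defaultdict(lambda: defaultdict(set))  # profile -> path -> letters
    skipped = []
    for n, line in enumerate(text.splitlines(), 1):
        ev = parse_event(line)
        if ev is None or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # STATUS lines (profile loads) carry no access request
        op, path = ev.get("operation"), ev.get("name")
        mask = ev.get("requested_mask", "")
        if not mask:
            # file_inherit with requested_mask="": the fd came from the parent,
            # nothing to allow. This is the event shape that crashed the utils.
            skipped.append((n, f"{op}: empty requested_mask"))
            continue
        if path is None:
            skipped.append((n, f"{op}: no name= field (target={ev.get('target')})"))
            continue
        wanted[ev.get("profile", "?")][path].update(normalise_mask(mask))
    rules = {prof: sorted(f"{p} {render_mask(m)}," for p, m in paths.items())
             for prof, paths in wanted.items()}
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = rules_from_log(SAMPLE_LOG)
    for prof, lines in sorted(rules.items()):
        print(f"profile {prof} {{")
        for rule in lines:
            print(f"  {rule}")
        print("}")
    for n, why in skipped:
        print(f"# line {n} skipped: {why}")
```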

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-12 Thread Christian Boltz
Patch committed to bzr (trunk, 2.10 and 2.9 branch)

** Changed in: apparmor
   Status: In Progress => Fix Committed

** Changed in: apparmor/2.10
   Status: In Progress => Fix Committed

** Changed in: apparmor/2.9
   Status: In Progress => Fix Committed

** Changed in: apparmor
Milestone: None => 2.11

** Changed in: apparmor/2.10
Milestone: None => 2.10.1

** Changed in: apparmor/2.9
Milestone: None => 2.9.3


Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am trying to write an AppArmor profile to match my sssd usage;
  unfortunately it seems I cannot tell sssd to permit the things it needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  The complaints in the log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  #include 

  /usr/sbin/sssd {
    #include 
    #include 
    #include 
    #include 

    capability dac_override,
    capability dac_read_search,
    capability setgid,
    capability setuid,
    capability sys_nice,

    @{PROC} r,
    @{PROC}/[0-9]*/status r,

    /etc/krb5.keytab k,
    /etc/ldap/ldap.conf r,
    /etc/localtime r,
    /etc/shells r,
    /etc/sssd/sssd.conf r,

    /usr/sbin/sssd rmix,
    /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
    /usr/lib/@{multiarch}/sssd/* rix,

    /tmp/{,.}krb5cc_* rwk,

    /var/lib/sss/* rw,
    /var/lib/sss/db/* rwk,
    /var/lib/sss/pipes/* rw,
    /var/lib/sss/pipes/private/* rw,
    /var/lib/sss/pubconf/* rw,
    /var/log/sssd/* rw,
    /var/tmp/host_* rw,

    /{,var/}run/sssd.pid rw,

    # Site-specific additions and overrides. See local/README for details.
    #include 
  }
  # Site-specific additions and overrides for usr.sbin.sssd.
  # For more details, please see /etc/apparmor.d/local/README.

  capability sys_admin,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{PROC}/[0-9]*/net/psched r,

  /etc/ld.so.cache r,
  /etc/libnl-3/classid r,

  /usr/sbin/sssd rmix,
  /usr/sbin/sssd/** rmix,
  /var/log/sssd/** lkrw,
  /var/lib/sss/** lkrw,
  /usr/lib/libdns.so.100.2.2 m,
  /usr/lib/liblwres.so.90.0.7 m,
  /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m,
  /usr/lib/x86_64-linux-gnu/samba/ldb/* m,
  /var/lib/sss/** lkrw,

  Also, running aa-genprof et al crashes:

[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-12 Thread Launchpad Bug Tracker
** Branch linked: lp:apparmor

** Branch linked: lp:apparmor/2.10

** Branch linked: lp:apparmor/2.9


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-12 Thread Aki Tuomi
I think I'm happy that it's been fixed. I was able to figure out the
"root cause" for the troubles, so I don't need aa-genprof and aa-logprof
at all for this. It is a bit bad though that there is no tool that
would just show you the rules it would generate instead of updating the
profile directory.


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-11 Thread Christian Boltz
Which AppArmor version are you using? (We had some fixes around the
"unknown mode", however your error message indicates that rmask could be
empty, which would be something new.)

For the crash, please try to find out which log line causes this, and
paste or attach it. (Hint: split the log into 2 files, check which one
causes the crash, split that again, ...)

Bonus points if you check out the latest AppArmor from bzr and test if it
also crashes (cd $checkout_dir/utils && python3 aa-logprof). If it also
crashes, please also attach the bugreport file it creates.


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-11 Thread Aki Tuomi
The version is, as provided in the initial message,

apparmor version 2.8.95~2430-0ubuntu5.3

Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0

I was able to make this all work by creating a profile for
/usr/bin/nsupdate and adding the rule /usr/bin/nsupdate rmpx

I'll try to see if testing the latest AppArmor is doable.


[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-11 Thread Christian Boltz
Sorry, I overlooked the version in the initial report.

Thanks for the log line!
The empty denied_mask is a) strange and b) basically what I expected based on 
the error message.

I can reproduce the crash with the latest code and all maintained
branches, so you don't need to test yourself ;-)


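The audit lines from this report, parsed the way an admin (or aa-logprof) reads them: the exec that lands in a //null-NN profile is the missing x rule Aki fixed with a px transition for nsupdate, and the file_inherit events with an empty denied_mask are the ones Christian reproduced the crash on, so the parser skips them instead of failing on the empty string. This is an added example written for this page, not code from the AppArmor project or from either poster; the sample lines are three of the report's own log lines re-joined onto single lines, and the rule-suggestion logic is a simplification of what aa-logprof does.

```python
"""Parse AppArmor audit lines like the ones in this report and derive
candidate profile lines, skipping events that carry an empty mask."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three of the audit lines quoted in the bug report,
# re-joined onto single lines (the list archive wrapped them).
SAMPLE_LOG = """\
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
"""

# key="quoted value" (possibly empty) or key=bareword, as the kernel emits them
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    apparmor: str            # "ALLOWED" (complain mode) or "DENIED"
    operation: str
    profile: str             # profile that logged the event
    comm: str                # command name of the process
    name: Optional[str]      # file path, when the operation has one
    target: Optional[str]    # target profile, when operation="exec"
    requested_mask: str      # may be "" (the case that crashed aa-logprof)
    denied_mask: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one kernel audit line; return None for non-AppArmor lines."""
    if 'apparmor="' not in line:
        return None
    kv: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        # group 2 is the quoted value (an empty string for ""), group 3 a bare one
        kv[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return Event(
        apparmor=kv.get("apparmor", ""),
        operation=kv.get("operation", ""),
        profile=kv.get("profile", ""),
        comm=kv.get("comm", ""),
        name=kv.get("name"),
        target=kv.get("target"),
        requested_mask=kv.get("requested_mask", ""),
        denied_mask=kv.get("denied_mask", ""),
    )


def suggest_rule(ev: Event) -> Optional[str]:
    """Map one event to a candidate profile line, or None if nothing to add.

    Three cases cover the sssd log in this report:
    - exec into a '//null-NN' profile: the parent profile has no x rule for
      the child it spawned (nsupdate here), so the fix is an x rule on the
      child's path (the reporter used px to a dedicated nsupdate profile);
      the event does not carry that path, so a comment is returned instead;
    - empty denied_mask (the file_inherit events): there is no permission to
      grant, so the event is skipped rather than turned into an empty rule;
    - any other file event: 'path mask,' for the profile that logged it.
    """
    if ev.operation == "exec" and ev.target and "//null-" in ev.target:
        return (f"# {ev.profile}: child ran under {ev.target}; "
                f"add a px/cx/ix rule for the binary it executed")
    if ev.denied_mask == "" or ev.name is None:
        return None
    return f"{ev.name} {ev.denied_mask},"


def analyse(log_text: str) -> Tuple[Dict[str, List[str]], int]:
    """Group candidate lines by profile; also count events that yield none."""
    rules: Dict[str, List[str]] = {}
    skipped = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = suggest_rule(ev)
        if rule is None:
            skipped += 1
            continue
        rules.setdefault(ev.profile, []).append(rule)
    return rules, skipped


if __name__ == "__main__":
    found, n_skipped = analyse(SAMPLE_LOG)
    for prof, lines in found.items():
        print(f"profile {prof}:")
        for rule in lines:
            print("   ", rule)
    print(f"skipped {n_skipped} event(s) with no grantable permission")
```
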
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd

2015-12-11 Thread Christian Boltz
Patch sent to the mailing list for review -
https://lists.ubuntu.com/archives/apparmor/2015-December/008922.html

I'm quite sure the Ubuntu package is too old to apply just this patch,
so you might want to get the latest code from the bzr 2.9 branch and
apply it there.

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Also affects: apparmor/2.10
   Importance: Undecided
   Status: New

** Also affects: apparmor/2.9
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => In Progress

** Changed in: apparmor/2.10
   Status: New => In Progress

** Changed in: apparmor/2.9
   Status: New => In Progress

** Changed in: apparmor
 Assignee: (unassigned) => Christian Boltz (cboltz)

** Changed in: apparmor/2.10
 Assignee: (unassigned) => Christian Boltz (cboltz)

** Changed in: apparmor/2.9
 Assignee: (unassigned) => Christian Boltz (cboltz)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525119

Title:
  Cannot permit some operations for sssd

Status in AppArmor:
  In Progress
Status in AppArmor 2.10 series:
  In Progress
Status in AppArmor 2.9 series:
  In Progress
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am trying to write apparmor profile to match my sssd usage,
  unfortunately it seems I cannot tell sssd to permit things it needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:Ubuntu 14.04.3 LTS
  Release:14.04

  The complaints in log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 
audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 
audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" 
profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" 
denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 
audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 
audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" 
profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 
comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 
audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 
audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 
audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 
audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 
audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 
comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 
audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 
comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  #include 

  /usr/sbin/sssd {
#include 
#include 
#include 
#include 

capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_nice,

@{PROC} r,
@{PROC}/[0-9]*/status r,

/etc/krb5.keytab k,
/etc/ldap/ldap.conf r,
/etc/localtime r,
/etc/shells r,
/etc/sssd/sssd.conf r,

/usr/sbin/sssd rmix,
/usr/lib/@{multiarch}/ldb/modules/ldb/* m,
/usr/lib/@{multiarch}/sssd/* rix,

/tmp/{,.}krb5cc_* rwk,

/var/lib/sss/* rw,
/var/lib/sss/db/* rwk,
/var/lib/sss/pipes/* rw,
/var/lib/sss/pipes/private/* rw,
/var/lib/sss/pubconf/* rw,
/var/log/sssd/* rw,