[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Released Status in AppArmor 2.10 series: Fix Released Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: Fix Released Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m, /usr/lib/liblwres.so.90.0.7 m, /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m, /usr/lib/x86_64-linux-gnu/samba/ldb/* m, /var/lib/sss/** lkrw, Also, running aa-genprof et al crashes: Reading log entries from
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
** Changed in: apparmor/2.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Released Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: Fix Released Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m, /usr/lib/liblwres.so.90.0.7 m, /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m, /usr/lib/x86_64-linux-gnu/samba/ldb/* m, /var/lib/sss/** lkrw, Also, running aa-genprof et al crashes: Reading log
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
** Changed in: apparmor/2.9 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Released Status in apparmor package in Ubuntu: Fix Released Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m, /usr/lib/liblwres.so.90.0.7 m, /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m, /usr/lib/x86_64-linux-gnu/samba/ldb/* m, /var/lib/sss/** lkrw, Also, running aa-genprof et al crashes: Reading log
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
This bug was fixed in the package apparmor - 2.10.95-0ubuntu1 --- apparmor (2.10.95-0ubuntu1) xenial; urgency=medium * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762) - Allow Apache prefork profile to chown(2) files (LP: #1210514) - Allow deluge-gtk and deluge-console to handle torrents opened in browsers (LP: #1501913) - Allow file accesses needed by some programs using libnl-3-200 (Closes: #810888) - Allow file accesses needed on systems that use NetworkManager without resolvconf (Closes: #813835) - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492) - Fix aa-logprof(8) crash when operating on files containing multiple profiles with certain rules (LP: #1528139) - Fix log parsing crashes, in the Python utilities, caused by certain file related events (LP: #1525119, LP: #1540562) - Fix log parsing crasher, in the Python utilities, caused by certain change_hat events (LP: #1523297) - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher when Python 3 is not available (LP: #1513880) - Send aa-easyprof(8) error messages to stderr instead of stdout (LP: #1521400) - Fix aa-autodep(8) failure when the shebang line of a script contained parameters (LP: #1505775) - Don't depend on the system logprof.conf when running utils/ build tests (LP: #1393979) - Fix apparmor_parser(8) bugs when parsing profiles that use policy namespaces in the profile declaration or profile transition targets (LP: #1540666, LP: #1544387) - Regression fix for apparmor_parser(8) bug that resulted in the --namespace-string commandline option being ignored causing profiles to be loaded into the root policy namespace (LP: #1526085) - Fix crasher regression in apparmor_parser(8) when the parser was asked to process a directory (LP: #1534405) - Fix bug in apparmor_parser(8) to honor the specified bind flags remount rules (LP: #1272028) - Support tarball generation for Coverity scans and fix a number of issues discovered by Coverity - Fix regression test failures on s390x systems (LP: #1531325) - Adjust expected errno values in changeprofile regression test (LP: #1559705) - The Python utils gained support for ptrace and signal rules - aa-exec(8) received a rewrite in C - apparmor_parser(8) gained support for stacking multiple profiles, as supported by the Xenial kernel (LP: #1379535) - libapparmor gained new public interfaces, aa_stack_profile(2) and aa_stack_onexec(2), allowing applications to utilize the new kernel stacking support (LP: #1379535) * Drop the following patches since they've been incorporated upstream: - aa-status-dont_require_python3-apparmor.patch - r3209-dnsmasq-allow-dash - r3227-locale-indep-capabilities-sorting.patch - r3277-update-python-abstraction.patch - r3366-networkd.patch, - tests-fix_sysctl_test.patch - parser-fix-cache-file-mtime-regression.patch - parser-verify-cache-file-mtime.patch - parser-run-caching-tests-without-apparmorfs.patch - parser-do-cleanup-when-test-was-skipped.patch - parser-allow-unspec-in-network-rules.patch * debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update for new upstream binutils directory and aa-enabled binary - Continue installing aa-exec into /usr/sbin/ for now since click-apparmor's aa-exec-click autopkgtest expects it to be there * debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man page * debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file access needed for nscd's paranoia mode * debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the regression test build time checks, for libapparmor stacking support, to look for the 2.10.95 versioning rather than 2.11 * debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch: Remove extra slash in the parser Makefile so that debugedit(8) can work on apparmor_parser(8) (LP: #1561939) * debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file rules of the new stacking tests so that the generated profiles allow the system binaries and libraries to be tested * debian/libapparmor1.symbols: update symbols file for added symbols in libapparmor -- Tyler HicksSat, 09 Apr 2016 01:35:25 -0500 ** Changed in: apparmor (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: apparmor (Ubuntu) Status: New => Triaged ** Changed in: apparmor (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: Triaged Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m, /usr/lib/liblwres.so.90.0.7 m,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
You can use aa-logprof and, before saving the changes, use "(v)iew Changes" or "View Changes b/w (C)lean profiles" to see the added rules and also the removed rules that are obsoleted by added rules. Afterwards, abort instead of changing the profiles ;-) That said - maybe your idea of a tool that translates a log to a list of missing rules isn't that bad. Let me think about it for a while ;-) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
Patch commited to bzr (trunk, 2.10 and 2.9 branch) ** Changed in: apparmor Status: In Progress => Fix Committed ** Changed in: apparmor/2.10 Status: In Progress => Fix Committed ** Changed in: apparmor/2.9 Status: In Progress => Fix Committed ** Changed in: apparmor Milestone: None => 2.11 ** Changed in: apparmor/2.10 Milestone: None => 2.10.1 ** Changed in: apparmor/2.9 Milestone: None => 2.9.3 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
** Branch linked: lp:apparmor ** Branch linked: lp:apparmor/2.10 ** Branch linked: lp:apparmor/2.9 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m, /usr/lib/liblwres.so.90.0.7 m, /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m, /usr/lib/x86_64-linux-gnu/samba/ldb/* m, /var/lib/sss/** lkrw, Also, running aa-genprof et al crashes:
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
I think I'm happy that it's been fixed. I was able to figure out the "root cause" for the troubles, so I don't need aa-genprof and aa- logprof at all for this. It is bit bad though that there is no tool that would just show you the rules it would generate instead of updating profile directory. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: Fix Committed Status in AppArmor 2.10 series: Fix Committed Status in AppArmor 2.9 series: Fix Committed Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
Which AppArmor version are you using? (We had some fixes around the "unknown mode", however your error message indicates that rmask could be empty, which would be something new.) For the crash, please try to find out which log line causes this, and paste or attach it. (Hint: split the log into 2 files, check which one causes the crash, split that again, ...) Bonus points if you checkout the latest AppArmor from bzr and test if it also crashes (cd $checkout_dir/utils && python3 aa-logprof). If it also crashes, please also attach the bugreport file it creates. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
The version is, as provided in the initial message, apparmor version 2.8.95~2430-0ubuntu5.3 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 I was able to make this all work by creating profile for /usr/bin/nsupdate and adding rule /usr/bin/nsupdate rmpx I'll try to see if testing latest AppArmor is doable. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
Sorry, I overlooked the version in the initial report. Thanks for the log line! The empty denied_mask is a) strange and b) basically what I expected based on the error message. I can reproduce the crash with the latest code and all maintained branches, so you don't need to test yourself ;-) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw, /var/tmp/host_* rw, /{,var/}run/sssd.pid rw, # Site-specific additions and overrides. See local/README for details. #include } # Site-specific additions and overrides for usr.sbin.sssd. # For more details, please see /etc/apparmor.d/local/README. capability sys_admin, capability sys_resource, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/psched r, /etc/ld.so.cache r, /etc/libnl-3/classid r, /usr/sbin/sssd rmix, /usr/sbin/sssd/** rmix, /var/log/sssd/** lkrw, /var/lib/sss/** lkrw, /usr/lib/libdns.so.100.2.2 m, /usr/lib/liblwres.so.90.0.7 m, /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m, /usr/lib/x86_64-linux-gnu/samba/ldb/* m,
[Touch-packages] [Bug 1525119] Re: Cannot permit some operations for sssd
Patch sent to the mailinglist for review - https://lists.ubuntu.com/archives/apparmor/2015-December/008922.html I'm quite sure the Ubuntu package is too old to apply just this patch, so you might want to get the latest code from the bzr 2.9 branch and apply it there. ** Also affects: apparmor Importance: Undecided Status: New ** Also affects: apparmor/2.10 Importance: Undecided Status: New ** Also affects: apparmor/2.9 Importance: Undecided Status: New ** Changed in: apparmor Status: New => In Progress ** Changed in: apparmor/2.10 Status: New => In Progress ** Changed in: apparmor/2.9 Status: New => In Progress ** Changed in: apparmor Assignee: (unassigned) => Christian Boltz (cboltz) ** Changed in: apparmor/2.10 Assignee: (unassigned) => Christian Boltz (cboltz) ** Changed in: apparmor/2.9 Assignee: (unassigned) => Christian Boltz (cboltz) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1525119 Title: Cannot permit some operations for sssd Status in AppArmor: In Progress Status in AppArmor 2.10 series: In Progress Status in AppArmor 2.9 series: In Progress Status in apparmor package in Ubuntu: New Bug description: I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs. apparmor version 2.8.95~2430-0ubuntu5.3 Description:Ubuntu 14.04.3 LTS Release:14.04 The complaints in log: Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45" Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0 Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Current profile: #include /usr/sbin/sssd { #include #include #include #include capability dac_override, capability dac_read_search, capability setgid, capability setuid, capability sys_nice, @{PROC} r, @{PROC}/[0-9]*/status r, /etc/krb5.keytab k, /etc/ldap/ldap.conf r, /etc/localtime r, /etc/shells r, /etc/sssd/sssd.conf r, /usr/sbin/sssd rmix, /usr/lib/@{multiarch}/ldb/modules/ldb/* m, /usr/lib/@{multiarch}/sssd/* rix, /tmp/{,.}krb5cc_* rwk, /var/lib/sss/* rw, /var/lib/sss/db/* rwk, /var/lib/sss/pipes/* rw, /var/lib/sss/pipes/private/* rw, /var/lib/sss/pubconf/* rw, /var/log/sssd/* rw,