Public bug reported:

Because /var/log/syslog gets bloated with sssd apparmor related
messages, I put the following in /etc/apparmor.d/local/usr.sbin.sssd
then I changed sssd from 'complain' to 'enforcing' mode.  I put this on
a heavy sssd vm running freeipa server that also is running the gui with
mate.  I can't promise I found all the cases, but I don't see any
'apparmor' messages in the logs on the freeipa servers after a couple
days.

signal (send) peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac",
/usr/sbin/sssd ixr,
/usr/libexec/sssd/sssd_be ixr,
/etc/krb5.conf.d/** r,
/etc/krb5.conf.d/ r,
/etc/krb5.conf.d r,
/etc/sssd r,
/etc/sssd/ r,
/etc/sssd/** r,
/usr/share/sssd r,
/usr/share/sssd/ r,
/usr/share/sssd/** r,
/usr/libexec/sssd/sssd_pac ixr,
/etc/gss/mech.d/ r,
/etc/gss/mech.d/** r,
/usr/libexec/sssd/ldap_child ixr,
dbus send bus="system" path="/org/freedesktop/systemd1" 
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers",


There are thousands of varied examples you'll see in the logs, generally along 
the lines of
Jun 23 06:41:55 registry2 kernel: [56263.674613] audit: type=1400 audit(1592912515.202:2329356): apparmor="DENIED" operation="signal" profile="/usr/sbin/sssd" pid=1058 comm="sssd" requested_mask="send" denied_mask="send" signal=term peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac"

I'm not a 'deep interest' apparmor dev, no doubt the above list could be 
improved.
HTH
Harry

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor
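To show how the rules above line up with the denials they silence, here is an added example (mine, not Harry's and not code from sssd or AppArmor): a small Python script that parses audit lines in the quoted format and emits candidate rules for /etc/apparmor.d/local/usr.sbin.sssd. The sample log is constructed; the dbus line assumes the userspace USER_AVC field layout (label= instead of profile=), and the exec-to-ixr mapping follows the report's choice rather than any AppArmor default. Generated rules are a starting point for review, the same job aa-logprof does interactively.

```python
import re

# Constructed sample audit lines, in the format quoted in the report (not real captures).
SAMPLE_LOG = """\
Jun 23 06:41:55 registry2 kernel: [56263.674613] audit: type=1400 audit(1592912515.202:2329356): apparmor="DENIED" operation="signal" profile="/usr/sbin/sssd" pid=1058 comm="sssd" requested_mask="send" denied_mask="send" signal=term peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac"
Jun 23 06:42:01 registry2 kernel: [56269.100000] audit: type=1400 audit(1592912521.100:2329400): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/sssd.conf" pid=1058 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 23 06:42:02 registry2 kernel: [56270.200000] audit: type=1400 audit(1592912522.200:2329401): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/ldap_child" pid=1060 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 23 06:42:03 registry2 kernel: [56271.300000] audit: type=1107 audit(1592912523.300:2329402): apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1058 label="/usr/sbin/sssd" peer_label="unconfined"
Jun 23 06:42:04 registry2 kernel: [56272.400000] audit: type=1400 audit(1592912524.400:2329403): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/krb5.conf" pid=1058 comm="sssd" requested_mask="r" denied_mask="r"
"""

# key=value or key="quoted value" pairs; the audit(...) prefix has no '=' so it is skipped
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Return the fields of one AppArmor DENIED event as a dict, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def event_to_rule(ev):
    """Translate one denial into the profile rule that would permit it (assumed mappings)."""
    op = ev.get("operation", "")
    if op == "signal":
        return f'signal ({ev["requested_mask"]}) peer="{ev["peer"]}",'
    if op == "dbus_method_call":
        return (f'dbus {ev["mask"]} bus="{ev["bus"]}" path="{ev["path"]}" '
                f'interface="{ev["interface"]}" member="{ev["member"]}",')
    if "name" in ev and "requested_mask" in ev:
        mask = ev["requested_mask"]
        # exec transition mode (ix/px/cx) is a policy decision; ixr mirrors the report's rules
        return f'{ev["name"]} {"ixr" if "x" in mask else mask},'
    return None

def candidate_rules(log_text, profile="/usr/sbin/sssd"):
    """Collect unique candidate rules for one profile, in first-seen order."""
    rules = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        # kernel events carry profile=, userspace (dbus) events carry label=
        if not ev or ev.get("profile", ev.get("label")) != profile:
            continue
        rule = event_to_rule(ev)
        if rule and rule not in rules:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```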

https://bugs.launchpad.net/bugs/1884980

Title:
  patch so apparmor complain->enforcing
