Public bug reported:

Kerberos5 with LDAP backend and GSSAPI connectivity fails due to the
AppArmor profile for slapd, which doesn't include the possibility to give
read and lock rights to the slapd process.

Error on kern.log:

Jul  1 20:20:12 auth kernel: [  875.743303] audit: type=1400
audit(1625160012.372:1191): apparmor="DENIED" operation="file_lock"
profile="/usr/sbin/slapd" name="/var/tmp/krb5_130.rcache2" pid=1559
comm="slapd" requested_mask="k" denied_mask="k" fsuid=130 ouid=130

This Kerberos profile is most likely needed for connectivity to the
open-ldap server due to the fact that GSSAPI is used.

A quick fix is to add:
/var/tmp/krb5* rk,

into:
/etc/apparmor.d/local/usr.sbin.slapd

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: gssapi kerberos5 slapd

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1934390

Title:
  Apparmor prevents locking of /var/tmp/krb5* file for slapd

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1934390/+subscriptions
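Added example, not part of the bug report or of AppArmor's own tooling: a small parser that turns denial records like the one quoted above into the rule lines for the profile's local override file. It assumes the number in the rcache file name is the uid shown as fsuid in the record, so it emits a glob narrower than `/var/tmp/krb5*`; the second sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line: the denial from the report, joined onto one line.
# Second line: constructed for this example, to show mask merging.
SAMPLE_LOG = """\
Jul  1 20:20:12 auth kernel: [  875.743303] audit: type=1400 audit(1625160012.372:1191): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/var/tmp/krb5_130.rcache2" pid=1559 comm="slapd" requested_mask="k" denied_mask="k" fsuid=130 ouid=130
Jul  1 20:20:13 auth kernel: [  876.100000] audit: type=1400 audit(1625160013.000:1192): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/tmp/krb5_130.rcache2" pid=1559 comm="slapd" requested_mask="r" denied_mask="r" fsuid=130 ouid=130
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks report create/delete as c/d; profile rules express both as w.
AUDIT_TO_RULE = str.maketrans("cd", "ww")
PERM_ORDER = "rwaxmlk"  # output order only; chosen for this example


def parse_denials(log_text):
    """Yield the key=value fields of each AppArmor DENIED file record."""
    for line in log_text.splitlines():
        fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def suggest_rules(log_text):
    """Return {local override file: [rule lines]} with masks merged per path."""
    masks = defaultdict(set)
    for rec in parse_denials(log_text):
        # Assumption: krb5_<uid>.rcache2, so wildcard only the uid part.
        path = rec["name"].replace(f"_{rec.get('fsuid')}.", "_*.")
        masks[(rec["profile"], path)].update(
            rec["denied_mask"].translate(AUDIT_TO_RULE))
    out = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        local = "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")
        ordered = "".join(sorted(perms, key=PERM_ORDER.find))
        out[local].append(f"{path} {ordered},")
    return dict(out)


if __name__ == "__main__":
    for local_file, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# add to {local_file}")
        print("\n".join(rules))
```

After adding the rule, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` and confirm that no new DENIED records appear for slapd.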
