Public bug reported:

Because /var/log/syslog gets bloated with sssd apparmor-related messages, I put the following in /etc/apparmor.d/local/usr.sbin.sssd, then I changed sssd from 'complain' to 'enforcing' mode. I put this on a heavy sssd vm running freeipa server that also is running the gui with mate. I can't promise I found all the cases, but I don't see any 'apparmor' messages in the logs on the freeipa servers after a couple days.

  signal (send) peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac",
  /usr/sbin/sssd ixr,
  /usr/libexec/sssd/sssd_be ixr,
  /etc/krb5.conf.d/** r,
  /etc/krb5.conf.d/ r,
  /etc/krb5.conf.d r,
  /etc/sssd r,
  /etc/sssd/ r,
  /etc/sssd/** r,
  /usr/share/sssd r,
  /usr/share/sssd/ r,
  /usr/share/sssd/** r,
  /usr/libexec/sssd/sssd_pac ixr,
  /etc/gss/mech.d/ r,
  /etc/gss/mech.d/** r,
  /usr/libexec/sssd/ldap_child ixr,
  dbus send bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers",

There are thousands of varied examples you'll see in the logs, generally along the lines of

  Jun 23 06:41:55 registry2 kernel: [56263.674613] audit: type=1400 audit(1592912515.202:2329356): apparmor="DENIED" operation="signal" profile="/usr/sbin/sssd" pid=1058 comm="sssd" requested_mask="send" denied_mask="send" signal=term peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac

I'm not a 'deep interest' apparmor dev, no doubt the above list could be improved.

HTH

Harry

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apparmor

https://bugs.launchpad.net/bugs/1884980

Title:
  patch so apparmor complain->enforcing
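
Added example, not part of the original report and not code from sssd or AppArmor: a small Python script that groups AppArmor audit records like the one quoted above by profile, verdict, operation, target and mask, so the distinct accesses behind a flooded syslog can be reviewed before local rules are written. The first sample line is the one from the report (truncated as quoted there); the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs: the value is "quoted" or a bare token. The closing quote is
# optional so a record cut off mid-value (like the one in the report) still parses.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')


def parse_record(line):
    """Return the audit fields of an AppArmor record as a dict, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (q if q else b) for k, q, b in _FIELD.findall(line.strip())}


def summarize(lines):
    """Count records per (profile, verdict, operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        # File rules carry name=, signal/ptrace rules carry peer=.
        target = rec.get("name") or rec.get("peer") or "-"
        key = (rec.get("profile", "?"), rec.get("apparmor", "?"),
               rec.get("operation", "?"), target, rec.get("denied_mask", "?"))
        counts[key] += 1
    return counts


# Line 0 is quoted from the report; lines 1-3 are constructed sample input.
SAMPLE = [
    'Jun 23 06:41:55 registry2 kernel: [56263.674613] audit: type=1400 audit(1592912515.202:2329356): apparmor="DENIED" operation="signal" profile="/usr/sbin/sssd" pid=1058 comm="sssd" requested_mask="send" denied_mask="send" signal=term peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac',
    'Jun 23 06:41:56 registry2 kernel: [56264.100000] audit: type=1400 audit(1592912516.628:2329357): apparmor="DENIED" operation="signal" profile="/usr/sbin/sssd" pid=1058 comm="sssd" requested_mask="send" denied_mask="send" signal=term peer="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pac"',
    'Jun 23 06:41:56 registry2 kernel: [56264.101200] audit: type=1400 audit(1592912516.630:2329358): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/krb5.conf.d/" pid=1058 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Jun 23 06:41:57 registry2 systemd[1]: Started Daily apt download activities.',
]

if __name__ == "__main__":
    for (profile, verdict, op, target, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:6d}  {verdict:8s} {profile}  {op}  {target}  ({mask})")
```

Records logged while a profile is in complain mode appear with apparmor="ALLOWED", so the summary keeps the verdict in the key instead of filtering on DENIED only.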