** Description changed:

+ [ Impact ]
+ 
+ sssd users on Focal, Groovy and Hirsute can experience problems when
+ setting sssd's apparmor profile to "Enforce" mode.  In this scenario,
+ apparmor will prevent sssd from being able to execute programs under the
+ /usr/libexec/sssd/* path, which will cause the sssd service to fail to
+ start.
+ 
+ Aside from the deny mentioned above, the sssd apparmor profile also
+ needs to be updated to reflect the fact that sssd will also need to have
+ read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/*
+ directories.
+ 
+ [ Test Case ]
+ 
+ Using an LXD VM, one can:
+ 
+ $ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm
+ $ lxc shell sssd-bug1910611-focal
+ # apt update && apt install apparmor-utils sssd -y
+ ...
+ # cat > /etc/sssd/sssd.conf << __EOF__
+ [sssd]
+ config_file_version = 2
+ domains = example.com
+ 
+ [domain/example.com]
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = ldap://ldap01.example.com
+ cache_credentials = True
+ ldap_search_base = dc=example,dc=com
+ __EOF__
+ # chmod 0600 /etc/sssd/sssd.conf
+ # aa-enforce sssd
+ Setting /usr/sbin/sssd to enforce mode.
+ # systemctl restart sssd.service
+ Job for sssd.service failed because the control process exited with error code.
+ See "systemctl status sssd.service" and "journalctl -xe" for details.
+ # dmesg | grep DENIED
+ ...
+ [ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
+ [ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
+ 
+ The instructions above can be replicated to test things on Groovy and
+ Hirsute.
+ 
+ [ Regression Potential ]
+ 
+ Very little regression potential, since we are expanding the apparmor
+ permissions of sssd, and not reducing them.
+ 
+ * If the user already has apparmor enabled for sssd, she will most
+ likely have addressed these issues by herself, which means that this
+ change will just be a duplicate of what is already on the system.
+ 
+ * If the user does not have apparmor enabled, then nothing will change.
+ 
+ [ Original Description ]
+ 
  sssd fails to start when its apparmor profile is in enforcing mode. The
  OS is Ubuntu 20.04.
  
  apparmor-notify shows various denied entries. Setting the profile to
  'complain' mode allows sssd to start. We're seeing this in Azure only at
  this time. Would like to set the profile to 'enforcing' as we're trying
  to achieve CIS compliance.
  
  The following notifications are a sample of those observed. What looks odd
  (I am no apparmor wizard) is that the denies are coming from the SSSD
  libraries and not the main binary. Also, no service should be denied
  read on /etc/hosts (second entry below)?
  
  Sample apparmor-notif output here:
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
  Operation: open
  Name: /proc/33363/cmdline
  Denied: r
  Logfile: /var/log/audit/audit.log
  (1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: open
  Name: /etc/hosts
  Denied: r
  Logfile: /var/log/audit/audit.log
  (294 found, most recent from 'Thu Dec 31 02:55:41 2020')
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: mknod
  Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
  Denied: c
  Logfile: /var/log/audit/audit.log
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: open
  Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
  Denied: wrc
  Logfile: /var/log/audit/audit.log
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: chmod
  Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
  Denied: w
  Logfile: /var/log/audit/audit.log

https://bugs.launchpad.net/bugs/1910611

Title:
  sssd startup fails when apparmor in enforcing mode
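The test case above ends with grepping dmesg for DENIED lines by eye. The following is an added helper, not part of the bug report or of the sssd package, that reduces the kernel audit lines to a deduplicated "operation name denied_mask" summary for one profile and checks whether the exec denial under /usr/libexec/sssd described in this bug is present. The sample log is constructed: the first two lines are the dmesg entries quoted in the test case, the other two are made-up lines (an /etc/sssd/conf.d read denial and an ALLOWED line) to show that reads under the conf.d directory surface the same way and that non-DENIED lines are ignored.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AppArmor DENIED audit
# lines for one profile. Assumes the dmesg/audit line format shown in the
# bug report (space-separated key="value" tokens, no spaces inside names).

# Constructed sample log: two real lines from the report plus two made-up ones.
SAMPLE_LOG=$(cat <<'EOF'
[ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2012.000000] audit: type=1400 audit(1611007900.000:372): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/10-domain.conf" pid=3257 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2012.000001] audit: type=1400 audit(1611007900.000:373): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/hosts" pid=3257 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
)

# apparmor_denials PROFILE
# Reads audit lines on stdin and prints one "operation name denied_mask"
# line per distinct denial attributed to PROFILE, sorted and deduplicated.
# Repeated denials (the same exec failing on every restart) collapse to one line.
apparmor_denials() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            op = ""; prof = ""; name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # tokens like "audit:" carry no key
                v = kv[2]; gsub(/"/, "", v)  # strip the surrounding quotes
                if (kv[1] == "operation")        op = v
                else if (kv[1] == "profile")     prof = v
                else if (kv[1] == "name")        name = v
                else if (kv[1] == "denied_mask") mask = v
            }
            if (prof == want) print op, name, mask
        }' | sort -u
}

# sssd_exec_denied
# Succeeds (exit 0) when stdin contains the denial this bug is about:
# the sssd profile refusing to exec a helper under /usr/libexec/sssd/.
sssd_exec_denied() {
    apparmor_denials /usr/sbin/sssd | grep -q '^exec /usr/libexec/sssd/'
}

# Usage against the constructed sample; on a real host replace the printf
# with: dmesg | apparmor_denials /usr/sbin/sssd
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials /usr/sbin/sssd
if printf '%s\n' "$SAMPLE_LOG" | sssd_exec_denied; then
    echo "sssd profile blocks exec of /usr/libexec/sssd/* (bug 1910611 symptom)"
fi
```

The summary lines map directly onto the profile gaps the SRU text lists: an "exec" entry under /usr/libexec/sssd/ is the startup failure, and "open ... r" entries under /etc/sssd/conf.d/ or /etc/gss/mech.d/ are the read permissions the updated profile adds. Lines tagged ALLOWED (complain mode) are deliberately skipped so the check only reports enforced denials.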
