Hi Phillip, I asked Zyga and he kindly explained to me that
/etc/apparmor.d/ is the wrong place to look into.
Rather, we can use
snap debug execution apparmor
to find out that it really is using
apparmor-parser: /snap/snapd/26865/usr/lib/snapd/apparmor_parser
apparmor-parser-command: /snap/snapd/26865/usr/lib/snapd/apparmor_parser
--config-file /snap/snapd/26865/usr/lib/snapd/apparmor/parser.conf --base
/snap/snapd/26865/usr/lib/snapd/apparmor.d --policy-features
/snap/snapd/26865/usr/lib/snapd/apparmor.d/abi/4.0
And we can see that the allowance landed there:
--->
% grep sss
/snap/snapd/26865/usr/lib/snapd/apparmor.d/abstractions/kerberosclient
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/pubconf/krb5.include.d/* r,
<---
So Apparmor blocking access to the file is not the issue; Indeed, there
is not Apparmor denial logged.
The problem turns out to actually be simply and bluntly: /var/lib/sss is
not mounted. Actually very little stuff under /var is mounted if you
check the mountinfo of the running process.
I'm going to investigate what to do about this, mainly it's feasible to
just stop shipping that file as the directory seems to be empty most of
the cases.
** Changed in: chromium-browser (Ubuntu)
Status: Fix Released => Confirmed
** Changed in: firefox (Ubuntu)
Status: Fix Released => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122317
Title:
Unreadable includedir /var/lib/sss/pubconf/krb5.include.d/ causes
Kerberos authentication failure
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2122317/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
