[Impact]

sssd users on Focal, Groovy and Hirsute can experience problems when setting sssd's apparmor profile to "Enforce" mode. In this scenario, apparmor will prevent sssd from being able to execute programs under the /usr/libexec/sssd/* path, which will cause the sssd service to fail to start.

Aside from the deny mentioned above, the sssd apparmor profile also needs to be updated to reflect the fact that sssd will also need to have read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/* directories.

[Test Case]

$ lxc launch images:ubuntu/focal sssd-bug1910611-focal --vm
# apt update && apt install apparmor-utils sssd -y

Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.

The instructions above can be replicated to test things on Groovy and Hirsute.

[Regression Potential]

Very little regression potential, since we are expanding the apparmor permissions of sssd, and not reducing them.

* If the user already has apparmor enabled for sssd, she will most likely have addressed these issues by herself, which means that this change will just be a duplicate of what is already on the system.
* If the user does not have apparmor enabled, then nothing will change.

[Original Description]

sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04. apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.

The following notifications are a sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
krb5info_dummy_r07Rxk

Applying the fix above to /etc/apparmor.d/local/ and running the parser replace fixed the sssd startup issue. The 'apparmor_status' output now shows the /usr/libexec/sssd binaries as well:

/snap/snapd/10707/usr/lib/snapd/snap-confine
/snap/snapd/10707/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/libexec/sssd/sssd_be (1279) /usr/sbin/sssd
/usr/libexec/sssd/sssd_nss (1480) /usr/sbin/sssd
/usr/libexec/sssd/sssd_pam (1481) /usr/sbin/sssd
/usr/libexec/sssd/sssd_ssh (1484) /usr/sbin/sssd
processes are unconfined but have a profile defined.

I confirmed by returning sssd to 'enforce' mode (aa-enforce /usr/sbin/sssd).
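The report above mentions a fix applied under /etc/apparmor.d/local/ followed by a "parser replace", but the rule text itself did not survive. The following POSIX shell script is an added example, not code from the bug report or from the sssd package: it triages AppArmor DENIED audit lines (constructed samples, not real captures), shows why the denials appear under `//null-` child profiles rather than under /usr/sbin/sssd, and prints a local override that grants the three accesses the report names. The profile file name /etc/apparmor.d/usr.sbin.sssd, the override path /etc/apparmor.d/local/usr.sbin.sssd and the exact rule text (`ix` for the helpers, `r` for the two config directories) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the sssd package).
# Assumptions: the packaged profile is /etc/apparmor.d/usr.sbin.sssd and it
# includes /etc/apparmor.d/local/usr.sbin.sssd for site-local rules.
set -eu

# Constructed sample AVC lines in the kernel's audit format (not real captures).
# Line 1: sssd itself is denied exec of a helper. Lines 2-3: the helpers run under
# a learning "//null-" child profile because the exec was not covered by a rule.
SAMPLE_AUDIT='type=AVC msg=audit(1610000000.101:301): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=1279 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1610000000.202:302): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/hosts" pid=1480 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1610000000.303:303): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/etc/sssd/conf.d/site.conf" pid=1279 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read audit lines on stdin (e.g. from journalctl or dmesg) and print one
# "profile operation path denied_mask" record per DENIED line.
summarize_denials() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        op=$(printf '%s\n' "$line" | sed -E 's/.*operation="([^"]*)".*/\1/')
        prof=$(printf '%s\n' "$line" | sed -E 's/.*profile="([^"]*)".*/\1/')
        name=$(printf '%s\n' "$line" | sed -E 's/.*name="([^"]*)".*/\1/')
        mask=$(printf '%s\n' "$line" | sed -E 's/.*denied_mask="([^"]*)".*/\1/')
        printf '%s %s %s %s\n' "$prof" "$op" "$name" "$mask"
    done
}

# List the distinct "//null-" child profiles seen in the denials. Their presence
# means the helper binaries were started outside any rule of the sssd profile,
# which is why the denies look like they come from the libraries, not the daemon.
null_children() {
    summarize_denials | cut -d' ' -f1 | grep '//null-' | sort -u
}

# Site-local override text (assumed rules): let the helpers execute inheriting
# the sssd profile, and allow reads of the two config directories the report names.
sssd_local_override() {
    cat <<'EOF'
# Site-local additions for /usr/sbin/sssd (assumed path: /etc/apparmor.d/local/usr.sbin.sssd)
/usr/libexec/sssd/* ix,
/etc/sssd/conf.d/* r,
/etc/gss/mech.d/* r,
EOF
}

# Write the override, reload the profile (the "parser replace"), return sssd to
# enforce mode and restart it. Needs root; only runs when invoked with "apply".
apply_sssd_override() {
    sssd_local_override > /etc/apparmor.d/local/usr.sbin.sssd
    apparmor_parser -r /etc/apparmor.d/usr.sbin.sssd
    aa-enforce /usr/sbin/sssd
    systemctl restart sssd.service
    aa-status
}

case "${1:-}" in
    triage) summarize_denials ;;   # usage: journalctl -k | ./sssd-aa.sh triage
    apply)  apply_sssd_override ;;
    *)      printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials ;;
esac
```

Run with no arguments to see the three constructed denials summarized; with `triage` it reads real audit lines from stdin. After `apply`, a clean `aa-status` should list the /usr/libexec/sssd processes under the enforce-mode section, as in the report, and a further `journalctl -k | ./sssd-aa.sh triage` should print no sssd entries.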