sssd's apparmor profile needs chown capability

Bug #1699576 reported by Andreas Hasenack
This bug affects 1 person
Affects: sssd (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Andreas Hasenack

Bug Description

When starting sssd, we can see a warning in the logs when apparmor is in complain mode:

Jun 21 18:36:52 15-89 kernel: [ 1641.660315] audit: type=1400 audit(1498070212.069:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=26257 comm="sssd" capability=0 capname="chown"

In enforce mode sssd fails to start:
# service sssd start
Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details.

/var/log/syslog:
Jun 21 18:37:31 15-89 systemd[1]: Starting System Security Services Daemon...
Jun 21 18:37:31 15-89 kernel: [ 1681.480758] audit: type=1400 audit(1498070251.885:74): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=26919 comm="sssd" capability=0 capname="chown"
Jun 21 18:37:31 15-89 sssd: Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jun 21 18:37:31 15-89 systemd[1]: Failed to start System Security Services Daemon.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Unit entered failed state.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Failed with result 'exit-code'.

Changed in sssd (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.15.2-1ubuntu2

---------------
sssd (1.15.2-1ubuntu2) artful; urgency=medium

  * d/apparmor-profile:
    - allow the chown capability (LP: #1699576)
    - allow sssd to notify systemd during startup (LP: #1689387)

 -- Andreas Hasenack <email address hidden> Wed, 21 Jun 2017 15:50:35 -0300

Changed in sssd (Ubuntu):
status: In Progress → Fix Released
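
Added example, not part of the bug report or the sssd package: a small parser that reads AppArmor `operation="capable"` audit records like the ones quoted above and lists the capability rule each profile would need, so the denial can be reviewed before the profile is changed. `SAMPLE_LOG` is constructed from the log lines in the description, the function names are hypothetical, and `capability chown,` is standard AppArmor rule syntax; the exact line added to the packaged profile is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the bug description.
SAMPLE_LOG = """\
Jun 21 18:36:52 15-89 kernel: [ 1641.660315] audit: type=1400 audit(1498070212.069:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=26257 comm="sssd" capability=0 capname="chown"
Jun 21 18:37:31 15-89 kernel: [ 1681.480758] audit: type=1400 audit(1498070251.885:74): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=26919 comm="sssd" capability=0 capname="chown"
Jun 21 18:37:31 15-89 sssd: Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value"
CAPNAME_RE = re.compile(r"[a-z_]+")  # never copy unvalidated log text into a rule

def parse_audit_line(line):
    """Return the fields of an AppArmor type=1400 record, or None for other lines."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def capability_events(log_text):
    """Map profile -> capname -> verdicts (ALLOWED = complain mode, DENIED = enforce)."""
    events = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("operation") != "capable":
            continue
        cap = rec.get("capname", "")
        if CAPNAME_RE.fullmatch(cap):
            events[rec.get("profile", "?")][cap].add(rec.get("apparmor", "?"))
    return events

def candidate_rules(log_text):
    """Return {profile: [rule, ...]}: capability rules to review for each profile."""
    return {
        profile: [f"capability {cap}," for cap in sorted(caps)]
        for profile, caps in capability_events(log_text).items()
    }

if __name__ == "__main__":
    for profile, caps in capability_events(SAMPLE_LOG).items():
        for cap, verdicts in sorted(caps.items()):
            print(f"{profile}: 'capability {cap},' seen as {sorted(verdicts)}")
```

Each listed rule is a candidate for review against what the daemon actually needs, not something to add automatically.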