Public bug reported:
From
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/comments/4:
[2794367.925181] apparmor="DENIED" operation="open"
profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111
comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
The unbound AA profile includes abstractions/nameservice which already
has some rules for files under /var/lib/sss/mc. I think that adding
"/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make
sense:
$ diff -Naur abstractions/nameservice.orig abstractions/nameservice
--- abstractions/nameservice.orig 2018-02-24 02:19:24.310884300 +0000
+++ abstractions/nameservice 2018-02-24 02:20:10.578785312 +0000
@@ -30,6 +30,7 @@
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
/var/lib/sss/mc/passwd r,
+ /var/lib/sss/mc/initgroups r,
/var/lib/sss/pipes/nss rw,
/etc/resolv.conf r,
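Review bot: The added `/var/lib/sss/mc/initgroups r,` line is placed after `passwd`, which breaks the alphabetical order of the existing `group` and `passwd` entries; putting it between them would keep the block sorted. The rule is read-only like its two siblings, which is the right scope, but because it goes into the shared abstraction rather than the unbound profile, the change description should say that every profile including abstractions/nameservice gains read access to this file. The comment above the block, of which only the last line is visible here, should also be checked so that it still describes what the block covers.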
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
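
An added example, not part of the bug report or of AppArmor's own tooling: it parses the DENIED record quoted above, checks it against the file rules visible in the diff context, and returns the rule line that is missing. The names `parse_denial`, `glob_to_regex`, `parse_rules` and `missing_rule` are hypothetical, and the glob handling is a simplified subset of AppArmor's (only `*`, `**` and `?`).

```python
import re
import shlex

# Constructed sample: the denial quoted in the report, joined onto one line.
DENIAL = ('[2794367.925181] apparmor="DENIED" operation="open" '
          'profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" '
          'pid=5111 comm="unbound" requested_mask="r" denied_mask="r" '
          'fsuid=0 ouid=0')

# File rules visible in the report's diff context, before the proposed line.
RULES = """
/var/lib/sss/mc/group r,
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
/etc/resolv.conf r,
"""

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    conv = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"\*\*|.", glob)
    return re.compile("".join(conv.get(t, re.escape(t)) for t in tokens) + r"\Z")

def parse_rules(text):
    """Parse plain 'path perms,' file rules; other rule types are skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            rules.append((glob_to_regex(parts[0]), set(parts[1])))
    return rules

def missing_rule(denial_line, rules_text):
    """Return the rule line that would allow the denied access, or None."""
    d = parse_denial(denial_line)
    if d is None or "name" not in d or "denied_mask" not in d:
        return None
    needed = set(d["denied_mask"])
    for pattern, perms in parse_rules(rules_text):
        if pattern.match(d["name"]):
            needed -= perms
    return f'{d["name"]} {"".join(sorted(needed))},' if needed else None

if __name__ == "__main__":
    print(missing_rule(DENIAL, RULES))
```

Only the permissions that no matching rule already grants are reported, so a denial that is partly covered yields a narrower rule than the full denied mask.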
https://bugs.launchpad.net/bugs/1751402
Title:
abstraction/nameservice should include allow access to
/var/lib/sss/mc/initgroups
Status in apparmor package in Ubuntu:
New