Public bug reported:


[2794367.925181] apparmor="DENIED" operation="open"
profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111
comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The unbound AA profile includes abstractions/nameservice which already
has some rules for files under /var/lib/sss/mc. I think that adding
"/var/lib/sss/mc/initgroups r" to abstractions/nameservice would make

$ diff -Naur abstractions/nameservice.orig abstractions/nameservice
--- abstractions/nameservice.orig       2018-02-24 02:19:24.310884300 +0000
+++ abstractions/nameservice    2018-02-24 02:20:10.578785312 +0000
@@ -30,6 +30,7 @@
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
   /var/lib/sss/mc/passwd  r,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pipes/nss  rw,
   /etc/resolv.conf        r,
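
Review bot: the added `/var/lib/sss/mc/initgroups r,` line puts a single space before the mode, while the neighbouring `group` and `passwd` rules pad the mode into a column, so align it to match. The read-only mode matches the `requested_mask="r"` in the logged denial. Keeping this as an explicit per-file rule, as the existing entries do, rather than a glob over /var/lib/sss/mc/, avoids widening what every profile that includes this abstraction can read.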

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


  abstraction/nameservice should include allow access to
