Public bug reported:

When starting sssd, we can see a warning in the logs when apparmor is in
complain mode:

Jun 21 18:36:52 15-89 kernel: [ 1641.660315] audit: type=1400 audit(1498070212.069:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=26257 comm="sssd" capability=0 capname="chown"


In enforce mode sssd fails to start:
# service sssd start
Job for sssd.service failed because the control process exited with error code. 
See "systemctl status sssd.service" and "journalctl -xe" for details.

/var/log/syslog:
Jun 21 18:37:31 15-89 systemd[1]: Starting System Security Services Daemon...
Jun 21 18:37:31 15-89 kernel: [ 1681.480758] audit: type=1400 audit(1498070251.885:74): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=26919 comm="sssd" capability=0  capname="chown"
Jun 21 18:37:31 15-89 sssd: Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jun 21 18:37:31 15-89 systemd[1]: Failed to start System Security Services Daemon.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Unit entered failed state.
Jun 21 18:37:31 15-89 systemd[1]: sssd.service: Failed with result 'exit-code'.

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New
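The audit lines above are the evidence that the sssd profile lacks a rule; the following is an added example (not part of the bug report or the sssd/apparmor packages) that parses such type=1400 "capable" events from journal text and derives the AppArmor `capability <name>,` rule each profile is missing. It treats ALLOWED (complain mode) and DENIED (enforce mode) the same way, since a complain-mode ALLOWED is what would be denied once the profile is enforced; the log lines it runs on are constructed in the shape of the ones above.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample journal lines, shaped like the bug's output (not the exact lines).
SAMPLE_LOG = """\
Jun 21 18:36:52 host kernel: [ 1641.660315] audit: type=1400 audit(1498070212.069:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=26257 comm="sssd" capability=0 capname="chown"
Jun 21 18:37:31 host systemd[1]: Starting System Security Services Daemon...
Jun 21 18:37:31 host kernel: [ 1681.480758] audit: type=1400 audit(1498070251.885:74): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=26919 comm="sssd" capability=0  capname="chown"
Jun 21 18:37:31 host sssd: Cannot read config file /etc/sssd/sssd.conf.
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_event(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        # group(3) is the unquoted content of a quoted value; group(2) is the bare token
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def missing_capability_rules(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each profile to the set of capability names it was observed to need."""
    needed: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_apparmor_event(line)
        if not ev or ev.get("operation") != "capable":
            continue
        # ALLOWED = complain mode (would be denied in enforce); DENIED = enforce mode
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if "profile" in ev and "capname" in ev:
            needed.setdefault(ev["profile"], set()).add(ev["capname"])
    return needed


def render_rules(needed: Dict[str, Set[str]]) -> List[str]:
    """Render the profile rules in AppArmor syntax, one 'capability <name>,' line per capability."""
    out: List[str] = []
    for profile in sorted(needed):
        for cap in sorted(needed[profile]):
            out.append(f"{profile}: capability {cap},")
    return out


if __name__ == "__main__":
    print("\n".join(render_rules(missing_capability_rules(SAMPLE_LOG.splitlines()))))
```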

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to sssd in Ubuntu.
https://bugs.launchpad.net/bugs/1699576

Title:
  sssd's apparmor profile needs chown capability


-- 
Ubuntu-server-bugs mailing list
[email protected]