This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - parser-do-cleanup-when-test-was-skipped.patch
    - parser-allow-unspec-in-network-rules.patch
  * debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
    for new upstream binutils directory and aa-enabled binary
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
    page
  * debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
    access needed for nscd's paranoia mode
  * debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
    regression test build time checks, for libapparmor stacking support, to
    look for the 2.10.95 versioning rather than 2.11
  * debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch:
    Remove extra slash in the parser Makefile so that debugedit(8) can work on
    apparmor_parser(8) (LP: #1561939)
  * debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file
    rules of the new stacking tests so that the generated profiles allow the
    system binaries and libraries to be tested
  * debian/libapparmor1.symbols: update symbols file for added symbols
    in libapparmor

 -- Tyler Hicks <tyhi...@canonical.com>  Sat, 09 Apr 2016 01:35:25 -0500

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525119

Title:
  Cannot permit some operations for sssd

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.10 series:
  Fix Committed
Status in AppArmor 2.9 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  I am trying to write apparmor profile to match my sssd usage,
  unfortunately it seems I cannot tell sssd to permit things it needs.

  apparmor version 2.8.95~2430-0ubuntu5.3

  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  The complaints in log:
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
  Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Current profile:
  #include <tunables/global>

  /usr/sbin/sssd {
    #include <abstractions/base>
    #include <abstractions/kerberosclient>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>

    capability dac_override,
    capability dac_read_search,
    capability setgid,
    capability setuid,
    capability sys_nice,

    @{PROC} r,
    @{PROC}/[0-9]*/status r,

    /etc/krb5.keytab k,
    /etc/ldap/ldap.conf r,
    /etc/localtime r,
    /etc/shells r,
    /etc/sssd/sssd.conf r,

    /usr/sbin/sssd rmix,
    /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
    /usr/lib/@{multiarch}/sssd/* rix,

    /tmp/{,.}krb5cc_* rwk,

    /var/lib/sss/* rw,
    /var/lib/sss/db/* rwk,
    /var/lib/sss/pipes/* rw,
    /var/lib/sss/pipes/private/* rw,
    /var/lib/sss/pubconf/* rw,
    /var/log/sssd/* rw,
    /var/tmp/host_* rw,

    /{,var/}run/sssd.pid rw,

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.sssd>
  }
  # Site-specific additions and overrides for usr.sbin.sssd.
  # For more details, please see /etc/apparmor.d/local/README.

  capability sys_admin,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{PROC}/[0-9]*/net/psched r,

  /etc/ld.so.cache r,
  /etc/libnl-3/classid r,

  /usr/sbin/sssd rmix,
  /usr/sbin/sssd/** rmix,
  /var/log/sssd/** lkrw,
  /var/lib/sss/** lkrw,
  /usr/lib/libdns.so.100.2.2 m,
  /usr/lib/liblwres.so.90.0.7 m,
  /usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m,
  /usr/lib/x86_64-linux-gnu/samba/ldb/* m,
  /var/lib/sss/** lkrw,

  Also, running aa-genprof et al crashes:

  Reading log entries from /var/log/syslog.
  Traceback (most recent call last):
    File "/usr/sbin/aa-genprof", line 155, in <module>
      lp_ret = apparmor.do_logprof_pass(logmark, passno)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
      log = log_reader.read_log(logmark)
    File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
      self.add_event_to_tree(event)
    File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
      raise AppArmorException(_('Log contains unknown mode %s') % rmask)
  apparmor.common.AppArmorException: 'Log contains unknown mode '
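The crash in the traceback above comes from the file_inherit events, whose requested_mask is empty: the log parser treats an empty mask as an unknown mode and aborts the whole aa-genprof pass. The following is an added example, not code from the apparmor utils or from the reporter: a small tolerant parser for type=1400 audit lines that reproduces the strict behaviour on demand and otherwise records an empty mask as "nothing to learn", then collapses the remaining events into candidate profile lines. The function names (parse_event, mask_to_modes, file_events, suggested_rules, crashes_in_strict_mode), the FILE_MASK_CHARS set and the SAMPLE_LOG text are assumptions made for this example; the sample lines are constructed from the events quoted in the report.

```python
import re


class AppArmorException(Exception):
    """Same exception name as in the traceback above (stand-in for this example)."""


# Letters a file event's requested_mask/denied_mask may contain. Assumption
# made for this example; the real utils map masks through apparmor.aamode.
FILE_MASK_CHARS = frozenset("rwalkmxcd")

# Constructed sample: five of the kernel audit events quoted in the report,
# each joined onto a single syslog line.
SAMPLE_LOG = """\
Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
"""

# The audit record starts after the syslog/kernel prefix; what follows the
# serial number is a run of key=value pairs, quoted ("...") or bare (pid=7112).
EVENT_RE = re.compile(r'type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of one type=1400 audit line as a dict, or None if the
    line is not an AppArmor audit event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {"time": m.group(1), "serial": int(m.group(2))}
    for key, quoted, bare in KV_RE.findall(m.group(3)):
        # An empty quoted value (requested_mask="") must survive as "".
        fields[key] = bare if bare else quoted
    return fields


def mask_to_modes(mask, strict=False):
    """Translate a mask string such as "mr" into a set of permission letters.
    strict=True reproduces the pre-fix behaviour: an empty mask is reported as
    an unknown mode. strict=False returns an empty set for it instead."""
    if mask == "":
        if strict:
            raise AppArmorException("Log contains unknown mode %r" % mask)
        return set()
    modes = set()
    for ch in mask:
        if ch not in FILE_MASK_CHARS:
            raise AppArmorException("Log contains unknown mode %r" % ch)
        modes.add(ch)
    return modes


def file_events(log_text, strict=False):
    """Return (profile, operation, path, modes) for every event that carries a
    requested_mask. file_inherit events with an empty mask request no
    permission, so they come back with an empty modes set rather than aborting."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or "requested_mask" not in ev:
            continue  # STATUS lines and non-file events carry no mask
        path = ev.get("name") or ev.get("target")
        modes = mask_to_modes(ev["requested_mask"], strict)
        out.append((ev["profile"], ev["operation"], path, modes))
    return out


def suggested_rules(log_text):
    """Merge events into one candidate rule per path, sorted. exec events are
    left out because the transition mode (ix/px/cx) is a policy decision the
    log alone cannot make; empty-mode events contribute nothing."""
    merged = {}
    for _profile, op, path, modes in file_events(log_text):
        if op == "exec":
            continue
        merged.setdefault(path, set()).update(modes)
    return sorted("%s %s," % (path, "".join(sorted(m))) for path, m in merged.items() if m)


def crashes_in_strict_mode(log_text):
    """True if the pre-fix strict mode check would abort on this log."""
    try:
        file_events(log_text, strict=True)
    except AppArmorException:
        return True
    return False


if __name__ == "__main__":
    print("strict mode aborts:", crashes_in_strict_mode(SAMPLE_LOG))
    for rule in suggested_rules(SAMPLE_LOG):
        print(rule)
```

On the sample, strict mode aborts on the first file_inherit line, exactly as aa-genprof did; the tolerant pass keeps the open and file_mmap events and yields one rule each for /etc/ld.so.cache and liblwres, which matches what the reporter ended up adding to local/usr.sbin.sssd by hand.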
