Public bug reported:

Release Details:
Description:    Ubuntu 16.04.2 LTS
Release:        16.04

Package version: sssd-common 1.13.4-1ubuntu1.5

================================================================================

Expected: Upon updating sssd-common on 16.04, the sssd service is successfully 
restarted via:
        systemctl --system daemon-reload >/dev/null || true
        deb-systemd-invoke start sssd.service >/dev/null || true


Observed: The postinst script for sssd-common fails when the systemd service 
reports a "timeout":
"Job for sssd.service failed because a timeout was exceeded. See "systemctl 
status sssd.service" and "journalctl -xe" for details."
================================================================================


On 16.04, sssd attempts to notify systemd on startup (via a call to
sd_notify). AppArmor prevents this.

Relevant debug log messages from sssd:

(Mon May  8 18:36:29 2017) [sssd] [mark_service_as_started] (0x0400): Sending startup notification to systemd
(Mon May  8 18:36:29 2017) [sssd] [mark_service_as_started] (0x0020): Error sending notification to systemd 13: Permission denied


Corresponding AppArmor complaint entries:

kernel: [425822.018708] audit: type=1400 audit(1494268589.535:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/sssd" name="/run/systemd/notify" pid=22917 comm="sssd" requested_mask="w" denied_mask="w" fsuid=0 0

Adding the following entry to the loaded AppArmor profiles sees the
issue resolved:

/{,var/}run/systemd/notify w,

This may ultimately be an issue with the packaged apparmor profiles for
16.04, but we first saw it manifest upon upgrading sssd-common to
1.13.4-1ubuntu1.5

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1689387

Title:
  SSSD Prevented from Notifying Systemd on Startup by Apparmor
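
Added example (not part of the original report, and not code from sssd or the AppArmor tools): a small triage script that parses AppArmor audit records like the one quoted above and prints, per profile, the file rule each denial points to, for review before editing a profile. The function names and the second sample line are constructed for illustration; it assumes the denied mask contains only letters that are valid in a file rule (as "w" is here).

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the report, joined
# onto one line; line 2 is a constructed complain-mode (ALLOWED) record.
SAMPLE_LOG = """\
kernel: [425822.018708] audit: type=1400 audit(1494268589.535:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/sssd" name="/run/systemd/notify" pid=22917 comm="sssd" requested_mask="w" denied_mask="w" fsuid=0 0
kernel: [425822.100000] audit: type=1400 audit(1494268589.600:227): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text):
    """Yield the fields of every AppArmor DENIED record that names a path."""
    for line in log_text.splitlines():
        if "type=1400" not in line:  # 1400 is the audit type AppArmor logs under
            continue
        fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def candidate_rule(fields):
    """Turn one denial into a profile rule to review (never auto-applied)."""
    path = fields["name"]
    # Cover both /run and /var/run, the same form as the rule in the report.
    match = re.match(r"/(?:var/)?run/(.*)", path)
    if match:
        path = "/{,var/}run/" + match.group(1)
    return f"{path} {fields['denied_mask']},"


def rules_by_profile(log_text):
    """Map each confined profile to the sorted, de-duplicated candidate rules."""
    rules = defaultdict(set)
    for fields in parse_denials(log_text):
        rules[fields["profile"]].add(candidate_rule(fields))
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Each suggested rule widens what the confined daemon may do, so check the operation and path in the record against what the service legitimately needs before adding it.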
