> Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"

I understand that there is a need to address this in stable releases, but perhaps we should take the opportunity to also consider modernizing this apparmor profile. For example, we could have subprofiles for all the helpers that sssd uses, krb5_child being one of them. Perhaps net_admin is only needed by krb5_child, for example.

Here is what I'll do. I'll run the existing autopkgtests in a VM, in questing, without your patch, and capture the apparmor logs (with the profile in complain mode). The autopkgtests include some smart card tests, albeit they use softhsm2 and not the real thing, but it's a start.

--
https://bugs.launchpad.net/bugs/2109673

Title:
  Authentication with smartcard is not working with apparmor DENIED
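
An added example, not part of the original message or of the sssd packaging: one way to turn the captured complain-mode log into a per-helper list of required rules, which is the input needed to decide whether a capability such as net_admin belongs in a krb5_child subprofile rather than the main sssd profile. The first sample line mirrors the DENIED record quoted above; the other lines, including the p11_child and sssd_be entries, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 mirrors the record quoted in this message;
# the ALLOWED lines are made up to show what complain mode would log.
SAMPLE_LOG = """\
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
Jun 23 04:05:01 jammy kernel: [ 5355.000001] audit: type=1400 audit(1750651501.100:72): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=1801 comm="krb5_child" capability=12 capname="net_admin"
Jun 23 04:05:02 jammy kernel: [ 5356.000002] audit: type=1400 audit(1750651502.200:73): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" pid=1802 comm="p11_child" name="/etc/softhsm/softhsm2.conf" requested_mask="r" denied_mask="r"
Jun 23 04:05:03 jammy kernel: [ 5357.000003] audit: type=1400 audit(1750651503.300:74): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=1790 comm="sssd_be" capability=1 capname="dac_override"
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def needs_by_helper(log_text):
    """Map (profile, comm) to the set of rules that helper triggered."""
    needs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # DENIED appears in enforce mode, ALLOWED in complain mode.
        if not rec or rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if rec.get("operation") == "capable":
            rule = "capability " + rec.get("capname", "?")
        elif "name" in rec:
            rule = "%s %s" % (rec["name"], rec.get("requested_mask", "?"))
        else:
            rule = "operation " + rec.get("operation", "?")
        needs[(rec.get("profile", "?"), rec.get("comm", "?"))].add(rule)
    return dict(needs)

if __name__ == "__main__":
    for (profile, comm), rules in sorted(needs_by_helper(SAMPLE_LOG).items()):
        print("%s -> %s" % (profile, comm))
        for rule in sorted(rules):
            print("    " + rule)
```

A capability that shows up under only one `comm` value is a candidate for that helper's subprofile; one that shows up under several helpers is not.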
