[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files
Andreas Hasenack
andreas at canonical.com
Tue Oct 23 17:07:53 UTC 2018
** Description changed:
+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * detailed instructions how to reproduce the bug
+
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
+
+ [Regression Potential]
+
+ * discussion of how regressions are most likely to manifest as a result
+ of this change.
+
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
+
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
+
+ [Other Info]
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+ * and address these questions in advance
+
+
+ [Original Description]
+
Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate
permissions to the slapd apparmor profile? I'm getting the following
kinds of errors:

apparmor="DENIED" operation="open" profile="/usr/sbin/slapd"
name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd"
requested_mask="r" denied_mask="r" fsuid=389 ouid=389

apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd"
name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k"
denied_mask="k" fsuid=389 ouid=389

--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1783183
Title:
apparmor profile denied for kerberos client keytab and credential
cache files
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1783183/+subscriptions
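
Added example, not part of the bug report or of the openldap package: a small parser that turns the two denial records quoted above into the narrowest candidate profile rules that would have allowed them. The function names are hypothetical, and the output lists only the exact paths observed, so widening them to globs such as the /etc/krb5/** and /tmp/krb5cc_* requested in the report remains a reviewer's decision.

```python
import re
from collections import defaultdict

# The two denial records quoted in the bug description, each rejoined onto one line.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd" requested_mask="r" denied_mask="r" fsuid=389 ouid=389
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k" denied_mask="k" fsuid=389 ouid=389
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit records report create/delete as c/d; profile rules express both as w.
LOG_TO_RULE = {"c": "w", "d": "w"}
# Letters emitted in rules. Exec (x) denials need an explicit transition mode
# chosen by a human, so they are deliberately not turned into rules here.
PERM_ORDER = "rwaklm"

def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED record, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def candidate_rules(log_text):
    """Map profile -> sorted rule lines covering exactly the denied accesses."""
    perms = defaultdict(set)                 # (profile, path) -> permission letters
    owner_only = defaultdict(lambda: True)   # (profile, path) -> 'owner' still valid?
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec["profile"], rec["name"])
        perms[key].update(LOG_TO_RULE.get(c, c) for c in rec["denied_mask"])
        # 'owner' only fits if every denial had process fsuid == file owner uid.
        owner_only[key] &= "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        mode = "".join(c for c in PERM_ORDER if c in letters)
        if not mode:
            continue
        prefix = "owner " if owner_only[(profile, path)] else ""
        rules[profile].append(f"{prefix}{path} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in lines:
            print(f"  {rule}")
```
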