[Bug 1689387] [NEW] SSSD Prevented from Notifying Systemd on Startup by Apparmor

Launchpad Bug Tracker 1689387 at bugs.launchpad.net
Wed Jun 21 19:24:51 UTC 2017 

You have been subscribed to a public bug by Andreas Hasenack (ahasenack):

Release Details:
Description:    Ubuntu 16.04.2 LTS
Release:        16.04

Package version: sssd-common 1.13.4-1ubuntu1.5

================================================================================

Expected: Upon updating sssd-common on 16.04, the sssd service is successfully restarted via:
        systemctl --system daemon-reload >/dev/null || true
        deb-systemd-invoke start sssd.service >/dev/null || true


Observed: The postinst script for sssd-common fails when the systemd service reports a "timeout":
"Job for sssd.service failed because a timeout was exceeded. See "systemctl status sssd.service" and "journalctl -xe" for details."
================================================================================


On 16.04, sssd attempts to notify systemd on startup (via a call to
sd_notify). Apparmor prevents this.

Relevant debug log messages from sssd:

(Mon May  8 18:36:29 2017) [sssd] [mark_service_as_started] (0x0400): Sending startup notification to systemd
(Mon May  8 18:36:29 2017) [sssd] [mark_service_as_started] (0x0020): Error sending notification to systemd 13: Permission denied


Corresponding apparmor complaint entries:

kernel: [425822.018708] audit: type=1400 audit(1494268589.535:226):
apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/sssd"
name="/run/systemd/notify" pid=22917 comm="sssd" requested_mask="w"
denied_mask="w" fsuid=0 0

Adding the following entry to the loaded apparmor profiles sees the
issue resolved:

/{,var/}run/systemd/notify w,

This may ultimately be an issue with the packaged apparmor profiles for
16.04, but we first saw it manifest upon upgrading sssd-common to
1.13.4-1ubuntu1.5

** Affects: sssd (Ubuntu)
     Importance: Low
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress


** Tags: bitesize server-next
-- 
SSSD Prevented from Notifying Systemd on Startup by Apparmor 
https://bugs.launchpad.net/bugs/1689387
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list