https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Sun, 27 Feb 2022 04:05:15 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttps://bgstack15.ddns.net/blog/posts/2020/12/03/disable-apparmor-for-sssd/bgstack15<h2>tl;dr</h2> <h3>Turn it off</h3> <pre class="code literal-block"><span></span><code>sudo ln -sf /etc/apparmor.d/usr.sbin.sssd /etc/apparmor.d/disable/ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.sssd </code></pre> <h3>Turn it back on</h3> <pre class="code literal-block"><span></span><code><span class="nv">sudo</span> <span class="k">unlink</span> <span class="o">/</span><span class="nv">etc</span><span class="o">/</span><span class="nv">apparmor</span>.<span class="nv">d</span><span class="o">/</span><span class="nv">disable</span><span class="o">/</span><span class="nv">usr</span>.<span class="nv">sbin</span>.<span class="nv">sssd</span> <span class="nv">sudo</span> <span class="nv">apparmor_parser</span> <span class="o">-</span><span class="nv">r</span> <span class="o">/</span><span class="nv">etc</span><span class="o">/</span><span class="nv">apparmor</span>.<span class="nv">d</span><span class="o">/</span><span class="nv">usr</span>.<span class="nv">sbin</span>.<span class="nv">sssd</span> <span class="nv">sudo</span> <span class="nv">aa</span><span class="o">-</span><span class="nv">status</span> # <span class="nv">to</span> <span class="nv">verify</span> <span class="nv">visually</span> </code></pre> <h2>The story</h2> <p>I use FreeIPA on Devuan GNU+Linux. It's only marginally supported in Debian, and even less so in Devuan. The sssd component, which is used to get entries in the passwd and group databases, tends to fill up /var/log/messages with way too many apparmor notices.</p> <pre class="code literal-block"><span></span><code>Nov 29 15:56:27 ws005 kernel: [2158971.927938] audit: type=1400 audit(1606683387.308:34490156): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/host.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 29 15:56:27 ws005 kernel: [2158971.928030] audit: type=1400 audit(1606683387.308:34490157): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/resolv.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 29 15:56:27 ws005 kernel: [2158971.928226] audit: type=1400 audit(1606683387.308:34490158): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/etc/resolv.conf" pid=16465 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 29 15:56:27 ws005 kernel: [2158971.928230] audit: type=1400 audit(1606683387.308:34490159): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/dev/urandom" pid=16465 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 29 15:56:27 ws005 kernel: [2158971.928233] audit: type=1400 audit(1606683387.308:34490160): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_sudo" name="/etc/host.conf" pid=16467 comm="sssd_sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 </code></pre> <p>I miss SELinux.</p> <h2>References</h2> <p>Adapted directly from <a href="https://www.cyberciti.biz/faq/ubuntu-linux-howto-disable-apparmor-commands/">Ubuntu Linux: Disable Apparmor For Specific Profile / Service Such As Mysqld Server - nixCraft</a></p>apparmordevuanlogsssdhttps://bgstack15.ddns.net/blog/posts/2020/12/03/disable-apparmor-for-sssd/Thu, 03 Dec 2020 13:39:28 GMT