Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Disable apparmor for sssd

tl;dr

Turn it off

sudo ln -sf /etc/apparmor.d/usr.sbin.sssd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.sssd

Turn it back on

sudo unlink /etc/apparmor.d/disable/usr.sbin.sssd
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.sssd
sudo aa-status # to verify visually

The story

I use FreeIPA on Devuan GNU+Linux. It's only marginally supported in Debian, and even less so in Devuan. The sssd component, which provides the passwd and group database entries, tends to fill up /var/log/messages with far too many AppArmor notices. Note that every entry is apparmor="ALLOWED": the profile is running in complain mode, so nothing is actually being blocked, only logged.

Nov 29 15:56:27 ws005 kernel: [2158971.927938] audit: type=1400 audit(1606683387.308:34490156): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/host.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928030] audit: type=1400 audit(1606683387.308:34490157): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/resolv.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928226] audit: type=1400 audit(1606683387.308:34490158): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/etc/resolv.conf" pid=16465 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928230] audit: type=1400 audit(1606683387.308:34490159): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/dev/urandom" pid=16465 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928233] audit: type=1400 audit(1606683387.308:34490160): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_sudo" name="/etc/host.conf" pid=16467 comm="sssd_sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I miss SELinux.
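Before disabling the profile outright, it is worth knowing which files sssd actually touches, since complain-mode entries like the ones above are exactly what a local rule override needs. The script below is an added example, not part of the original post: it summarises audit lines per profile and path and prints candidate rule lines (the override path /etc/apparmor.d/local/usr.sbin.sssd is an assumption; aa-logprof from apparmor-utils does this job properly when it is installed).

```shell
#!/bin/sh
# Summarise AppArmor audit entries and turn them into candidate profile rules.
# Sample input: the entries from the log above, with one line repeated so the
# counting is visible (the repeat is constructed, not from the original log).
SAMPLE_LOG='Nov 29 15:56:27 ws005 kernel: [2158971.927938] audit: type=1400 audit(1606683387.308:34490156): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/host.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928030] audit: type=1400 audit(1606683387.308:34490157): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/resolv.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928030] audit: type=1400 audit(1606683387.308:34490157): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/resolv.conf" pid=16466 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928226] audit: type=1400 audit(1606683387.308:34490158): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/etc/resolv.conf" pid=16465 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928230] audit: type=1400 audit(1606683387.308:34490159): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/dev/urandom" pid=16465 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 29 15:56:27 ws005 kernel: [2158971.928233] audit: type=1400 audit(1606683387.308:34490160): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_sudo" name="/etc/host.conf" pid=16467 comm="sssd_sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# awk helper shared by both functions: return the value of key="value" on the current line.
AA_FIELD='function field(key,   p) {
    if (!match($0, key "=\"[^\"]*\"")) return ""
    split(substr($0, RSTART, RLENGTH), p, "\"")
    return p[2]
}'

# Count events per (profile, path, mask), most frequent first. ALLOWED entries
# come from complain mode, DENIED entries from enforce mode; both are counted.
summarize_apparmor() {
    awk "$AA_FIELD"'
    $0 ~ "apparmor=\"(ALLOWED|DENIED)\"" {
        n[field("profile") " " field("name") " " field("denied_mask")]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Emit one de-duplicated "path mask," line per accessed file: the rule lines a
# local override (assumed path: /etc/apparmor.d/local/usr.sbin.sssd) would need.
suggest_rules() {
    awk "$AA_FIELD"'
    $0 ~ "apparmor=\"(ALLOWED|DENIED)\"" && field("name") != "" {
        print "  " field("name") " " field("denied_mask") ","
    }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

On a live system, feed it the real log instead: `grep apparmor= /var/log/messages | summarize_apparmor`.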

References

Adapted directly from Ubuntu Linux: Disable Apparmor For Specific Profile / Service Such As Mysqld Server - nixCraft
