SSSD with LDAP makes apparmor very noisy in syslog

When logging in with SSSD configured against LDAP, syslog becomes very noisy with apparmor messages. This is somewhat annoying when scanning the logs for valuable information.

Maybe someone already solved this and can make life easier sharing their solution.

Thanks.


Solution 1:

I am also getting several messages in dmesg related to sssd, after recently configuring domain membership.

Even though the messages were related to installing/configuring sssd, I am pretty sure the messages were actually from apparmor, since I tried adjusting debug_level in /etc/sssd/sssd.conf, which only had an effect on /var/log/sssd/sssd.conf and systemctl status sssd.service.

Example:

# journalctl --reverse | grep sssd

. . . 
Jan 27 13:50:04 chubbychipmunk.webtool.space audit[39674]: 
AVC apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be//null-/usr/bin/nsupdate"
name="/usr/lib/x86_64-linux-gnu/libirs.so.1601.0.0" 
pid=39674 
comm="nsupdate" 
requested_mask="r" 
denied_mask="r" 
fsuid=0 ouid=0
. . . 

I am no apparmor expert, but through this process I learned of some utilities that appear to have helped dmesg be less noisy.

First, I installed apparmor-utils, which has the aa-logprof utility:

% sudo apt install -y apparmor-utils

From aa-logprof(8):

Running aa-logprof will scan the log file and if there are new AppArmor events that are not covered by the existing profile set, the user will be prompted with suggested modifications to augment the profile.

Then, I ran aa-logprof as root and got something like this:

% sudo aa-logprof

Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.

WARNING: Ignoring exec event in /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be, nested profiles are not supported yet.

Profile:  /usr/sbin/sssd
Execute:  /usr/libexec/sssd/ldap_child
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish

I used (I)nherit here to use the same profile as sssd. Then I got something like this:

Complain-mode changes:
Enforce-mode changes:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/sbin/sssd]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

I hit s to save the profile and exit, which should give you something like this:

Writing updated profile for /usr/sbin/sssd.

The first time I updated the profile, there were several processes that were not in the sssd profile yet. I basically just hit (A)llow for all of them since, in my case, all the processes apparmor was complaining about were related to sssd.

After a while, to check and see if it worked, I ran:

% sudo dmesg -T | tail -n 100 

And saw that the last apparmor message I had related to sssd was over two hours ago.
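
As an added example (not part of either answer), here is a small POSIX shell script that tallies AppArmor AVC records by status, profile, program and path. Running it over the journal before touching the profile shows how much of the noise is the same library path repeated, and whether the profile is in complain mode (apparmor="ALLOWED": the access was permitted and only logged) or enforcing (apparmor="DENIED": the access was blocked). The sample log lines are constructed, modelled on the record shown in Solution 1; the function name avc_summary and the helper are my own and not from the answer or from the apparmor-utils package.

```shell
#!/bin/sh
# Added example: summarize AppArmor AVC audit records from journal/dmesg text.
# The field names (apparmor=, profile=, comm=, name=, requested_mask=) are the
# real keys that kernel AVC messages carry; each record is expected on one line,
# as journalctl and dmesg print it.

# avc_summary: read log text on stdin, print "count status profile comm name mask"
# for each distinct tuple, most frequent first. Non-AVC lines are ignored.
avc_summary() {
    awk '
        # val(key): return the quoted value of key="..." in the current record,
        # or "-" if the key is absent. A leading space is prepended so that
        # "name=" cannot match inside a longer key.
        function val(key,   line, n) {
            line = " " $0
            n = match(line, " " key "=\"[^\"]*\"")
            if (n == 0) return "-"
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        }
        /AVC apparmor=/ {
            print val("apparmor"), val("profile"), val("comm"), val("name"), val("requested_mask")
        }
    ' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample input: two identical ALLOWED records (complain mode, the
# pattern from Solution 1), one DENIED record for a made-up path, and one
# unrelated journal line that must be ignored.
SAMPLE_AVC='Jan 27 13:50:04 host audit[39674]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be//null-/usr/bin/nsupdate" name="/usr/lib/x86_64-linux-gnu/libirs.so.1601.0.0" pid=39674 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 27 13:50:04 host audit[39674]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be//null-/usr/bin/nsupdate" name="/usr/lib/x86_64-linux-gnu/libirs.so.1601.0.0" pid=39674 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 27 13:50:05 host audit[39680]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/constructed-example.conf" pid=39680 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 27 13:50:06 host systemd[1]: Started Session 5 of user alice.'

# Stand-alone run over the constructed sample. On a real host replace this with:
#   journalctl --no-pager | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The output groups the two nsupdate records into one line with count 2, which is the kind of entry aa-logprof will later ask you to allow; a DENIED line, by contrast, means the profile is already enforcing and the access was actually blocked, so it deserves a look before being waved through.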

Solution 2:

I was able to disable it by running:

sudo ln -s /etc/apparmor.d/usr.sbin.sssd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.sssd

Source: https://bgstack15.wordpress.com/2020/12/03/disable-apparmor-for-sssd/