apparmor=“DENIED” operation=“open” profile=“snap.maas.supervisor”

zephrant · 17 September 2021 20:32

I’m getting these error in syslog, on both the rack and region/rack controllers.

kernel: [ 2130.188062] audit: type=1400 audit(1631910625.692:409): apparmor=“DENIED” operation=“open” profile=“snap.maas.supervisor” name="/etc/gss/mech.d/" pid=9417 comm=“python3” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0

My searches haven’t helped me find a solution yet, I’m pretty new to app armor.
It logs every 10s or so, so fills the log file with junk.

Any ideas on what is going on, and how to get rid of the errors?

alexsander-souza · 17 September 2021 23:42

Your system must have the SASL GSSAPI plugin installed, so MAAS is accessing these files when it needs to discover user group membership. The AppArmor profile for MAAS (/var/lib/snapd/apparmor/profiles/snap.maas.supervisor) doesn’t allow that.

Please Report a Bug with this log and the installed packages list.

A stop gap is to edit the profile to allow the access, adding the following lines:

# required for sasl GSSAPI plugin
/etc/gss/mech.d/ r,
/etc/gss/mech.d/* r,

snapd will rewrite this file eventually, so this is no solution.

system · 30 September 2021 06:07

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.