Cannot permit some operations for sssd

Which AppArmor version are you using? (We had some fixes around the "unknown mode", however your error message indicates that rmask could be empty, which would be something new.)

For the crash, please try to find out which log line causes this, and paste or attach it. (Hint: split the log into 2 files, check which one causes the crash, split that again, ...)

Bonus points if you checkout the latest AppArmor from bzr and test if it also crashes (cd $checkout_dir/utils && python3 aa-logprof). If it also crashes, please also attach the bugreport file it creates.

The version is, as provided in the initial message,

apparmor version 2.8.95~2430-0ubuntu5.3

Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0

I was able to make this all work by creating profile for /usr/bin/nsupdate and adding rule /usr/bin/nsupdate rmpx

I'll try to see if testing latest AppArmor is doable.

Sorry, I overlooked the version in the initial report.

Thanks for the log line!
The empty denied_mask is a) strange and b) basically what I expected based on the error message.

I can reproduce the crash with the latest code and all maintained branches, so you don't need to test yourself ;-)

Patch sent to the mailinglist for review - https://lists.ubuntu.com/archives/apparmor/2015-December/008922.html

I'm quite sure the Ubuntu package is too old to apply just this patch, so you might want to get the latest code from the bzr 2.9 branch and apply it there.

Patch commited to bzr (trunk, 2.10 and 2.9 branch)

I think I'm happy that it's been fixed. I was able to figure out the "root cause" for the troubles, so I don't need aa-genprof and aa-logprof at all for this. It is bit bad though that there is no tool that would just show you the rules it would generate instead of updating profile directory.

You can use aa-logprof and, before saving the changes, use "(v)iew Changes" or "View Changes b/w (C)lean profiles" to see the added rules and also the removed rules that are obsoleted by added rules. Afterwards, abort instead of changing the profiles ;-)

That said - maybe your idea of a tool that translates a log to a list of missing rules isn't that bad. Let me think about it for a while ;-)

This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - pa...