[pkg-apparmor] Bug#1050256: autopkgtest fails on debci

Christian Boltz debian-bugs at cboltz.de
Thu Aug 31 18:54:39 BST 2023


Hello,

On Thursday, 31 August 2023, 08:41:59 CEST, Michael Biebl wrote:
> What we found so far is that the AppArmor policy of lxc breaks any
> systemd service using PrivateNetwork=yes or PrivateIPC=yes when being
> run under lxc (running under bookworm using the bookworm kernel).
> I wonder what the best course of action is here.
> Should we disable the AA policy of lxc via a stable upload of the lxc
> package until the root cause is found?
>
> Unfortunately I know too little about AppArmor and lxc's AppArmor
> policy and my attempts to ask around for help weren't successful so
> far.

Two quick hints, but let me warn you that I'm not familiar with lxc and 
also didn't check the content of the lxc-autopkgtest-lxc-iomhit_* 
profile.

https://github.com/lxc/lxc/issues/4333 indicates that this issue was
fixed in a (much) newer kernel - but that's probably not news to you
since you wrote that comment ;-)


That said - the DENIED log entry translates to

    unix send type=dgram,

You could try if adding this rule to the lxc-autopkgtest-lxc-iomhit_*
profile helps - but if the issue is really on the kernel side, my hope is
limited.

For testing, you could also try with a more broad
    unix send,
or even
    unix,
rule - but please don't add these broader rules to the production 
profile.


Regards,

Christian Boltz
-- 
you need a certificate, nobody knows how to do that securely (including
the CAs ;-) [Bernd Paysan, https://bugs.kde.org/show_bug.cgi?id=131083]
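
Added example, not part of the original message or of the AppArmor or lxc projects: a Python helper that maps the fields of a DENIED audit line for a unix socket to the narrow rule suggested above, followed by the two broader test-only variants. The sample log line, profile name and function names are constructed for illustration.

```python
import re

# Constructed sample audit line (not copied from the bug report); the
# profile name, pid and timestamp are placeholders.
SAMPLE = (
    'audit: type=1400 audit(1693465200.000:101): apparmor="DENIED" '
    'operation="sendmsg" profile="example-profile" pid=1234 comm="systemd" '
    'family="unix" sock_type="dgram" protocol=0 '
    'requested_mask="send" denied_mask="send"'
)

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split an audit line into a dict of its key=value fields."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD.finditer(line)
    }


def candidate_rules(line):
    """Return unix rules for a DENIED line, narrowest first.

    Only the first entry is a candidate for a production profile; the
    broader ones are for testing whether policy is the cause at all.
    """
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED" or f.get("family") != "unix":
        return []
    perms = f.get("denied_mask", "").split()
    if not perms:
        return []
    # One permission is written bare, several as a parenthesised list.
    access = perms[0] if len(perms) == 1 else "(" + ", ".join(perms) + ")"
    rules = []
    if "sock_type" in f:
        rules.append(f"unix {access} type={f['sock_type']},")
    rules.append(f"unix {access},")
    rules.append("unix,")
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE):
        print(rule)
```
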