Bug#972064: Problem with tomcat9 in Linux Container (LXC) and default AppArmor configuration (lxc.apparmor.profile = lxc-container-default-cgns)

Jan Michael Greiner jan0michael at yahoo.com
Mon Oct 12 12:14:27 BST 2020


> This looks like an issue with the configuration of the LXC container, 
> could you check in the logs of the host why the permission was denied? 
> If the container isn't unprivileged this is maybe an issue with 
> AppArmor, adding this line to the container conf file might help:
>
>   lxc.apparmor.profile: unconfined
>
> Emmanuel Bourg

Hello Emmanuel,

Thank you very much.
Yes,

   lxc.apparmor.profile = unconfined

in the container config file solved the problem (even /usr/libexec/tomcat9/tomcat-update-policy.sh is not a problem any more).


Extract from syslog on the lxc host:


Oct 12 12:33:17 nc17 kernel: [225722.636199] audit: type=1400 audit(1602498797.587:74): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3355 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.656621] audit: type=1400 audit(1602498797.607:75): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3359 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.689041] audit: type=1400 audit(1602498797.639:76): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3364 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.714377] audit: type=1400 audit(1602498797.667:77): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3367 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.735685] audit: type=1400 audit(1602498797.687:78): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3370 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.752513] audit: type=1400 audit(1602498797.703:79): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3374 comm="(olicy.sh)" flags="rw, rslave"


I am not yet familiar with AppArmor. I will do further research on this. If I am able to find a better solution than "unconfined" (maybe an AppArmor profile derived from lxc-container-default-cgns), I will post the results here.


Best regards,

Jan Michael Greiner
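As an added example (not part of the bug report, and not code from Debian, LXC or the tomcat9 package), the following Python script triages AppArmor audit records of the kind quoted above: it parses the key=value fields and groups the DENIED entries by profile, operation, executable, target and mount flags, so the host operator can see exactly which rule a derived profile would have to cover before falling back to unconfined. The sample input reuses two of the quoted syslog lines and adds a constructed ALLOWED record and an unrelated kernel line to show the filtering; the function names are the example's own.

```python
import re
from collections import Counter

# key=value pairs in an AppArmor audit record: quoted values may contain
# spaces (e.g. flags="rw, rslave"), unquoted ones run to the next space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample input: two lines copied from the syslog extract in the
# mail above, plus one constructed ALLOWED record (complain mode) and one
# unrelated kernel line, to show that only DENIED AppArmor records count.
SAMPLE_LOG = """\
Oct 12 12:33:17 nc17 kernel: [225722.636199] audit: type=1400 audit(1602498797.587:74): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3355 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.752513] audit: type=1400 audit(1602498797.703:79): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3374 comm="(olicy.sh)" flags="rw, rslave"
Oct 12 12:34:02 nc17 kernel: [225767.123456] audit: type=1400 audit(1602498842.000:80): apparmor="ALLOWED" operation="open" profile="lxc-container-default-cgns" name="/etc/hosts" pid=3401 comm="cat" requested_mask="r" denied_mask="r"
Oct 12 12:34:03 nc17 kernel: [225768.000000] eth0: link up
"""


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit record as a dict,
    or None if the line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def denied_records(lines):
    """Yield the parsed records whose apparmor field is DENIED."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec.get('apparmor') == 'DENIED':
            yield rec


def summarize_denials(lines):
    """Count DENIED records per (profile, operation, comm, name, flags).

    The kernel truncates comm to 15 characters, so a value such as
    "(olicy.sh)" is the tail of a longer program name, not a full name.
    """
    counter = Counter()
    for rec in denied_records(lines):
        key = (rec.get('profile'), rec.get('operation'), rec.get('comm'),
               rec.get('name'), rec.get('flags', ''))
        counter[key] += 1
    return counter


def report(lines):
    """One human-readable line per distinct denial, most specific fields last."""
    out = []
    for (profile, op, comm, name, flags), n in sorted(summarize_denials(lines).items()):
        extra = f' flags={flags!r}' if flags else ''
        out.append(f'{n:3d}x profile={profile} op={op} comm={comm} name={name}{extra}')
    return out


if __name__ == '__main__':
    # Run against the constructed sample; for a real host, feed it
    # the output of `journalctl -k` or /var/log/syslog instead.
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Grouping this way makes the shape of the problem obvious: every denial in the extract is the same tuple (profile lxc-container-default-cgns, operation mount, target "/", flags "rw, rslave") from different processes, which is the single rule a derived profile would need to address, rather than dropping confinement for the whole container.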


