<html><head></head><body>Hi, sorry for late reply,<br>I think it's not bug.<br>Because I removed systemd, either if I reinstall systemd, or I add some mount rules to apparmor , then the denied messages gone.<br>Thank you for help, thanks.<br><br><div class="gmail_quote">On 2018年10月26日 下午5:55:02 [GMT+08:00], intrigeri <intrigeri@debian.org> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Control: tag -1 - upstream<br>Control: tag -1 + moreinfo<br><br>Hi,<br><br>kaka:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Over the year, if I enable apparmor for lxc (lxc.aa_profile = lxc-container-default),<br></blockquote><br>First, I don't think you need to turn this on manually and I doubt<br>this is the best AppArmor profile to use. According to<br>lxc.container.conf(5):<br><br> APPARMOR PROFILE<br> If lxc was compiled and installed with apparmor support, and the host sys‐<br> tem has apparmor enabled, then the apparmor profile under which the con‐<br> tainer should be run can be specified in the container configuration. The<br> default is lxc-container-default-cgns if the host kernel is cgroup names‐<br> pace aware, or lxc-container-default othewise.<br><br>So not setting lxc.aa_profile at all should automatically select the<br>lxc-container-default-cgns profile. Not that it would make<br>a difference for this bug though.<br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">I see a lot of "apparmor denied" messages like below,<br>But the lxc itself is can running and functional without a problem,<br>Why apparmor always complain lxc? (is this normal)?<br></blockquote><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore"<br>apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore" flags="ro"<br>apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=2763 comm="mount" flags="rw, remount"<br></blockquote><br>On current sid:<br><br> - I cannot reproduce this with the lxc-debian template, which is<br> expected since it has no lxc.mount.entry for /sys/fs/pstore<br><br> - I cannot reproduce this with the lxc-ubuntu template (which _has_<br> a lxc.mount.entry for /sys/fs/pstore) either:<br><br> # lxc-create -n ubuntu -t /usr/share/lxc/templates/lxc-ubuntu<br> […]<br> # lxc-start -F -n ubuntu<br> […]<br> Ubuntu 16.04.5 LTS ubuntu console<br><br> ubuntu login: ubuntu<br> Password: <br> […]<br> $ ubuntu@ubuntu:~$ mount | grep pstore<br> pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)<br><br> And there's no single AppArmor denial in the host system's logs.<br> aa-status confirms that this container is running under the<br> lxc-container-default-cgns profile.<br><br>So, can you still reproduce this on current testing/sid?<br>If yes, can you please share a simple reproducer similar to the one<br>I've tried to provide above?<br><br>Cheers,</pre></blockquote></div><br><br>Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC<br></body></html>