[pkg-apparmor] Bug#847370: Recent apparmor broke "virsh lxc-enter"
Guido Günther
agx at sigxcpu.org
Mon Dec 19 07:23:48 UTC 2016
control: reassign -1 libvirt-daemon-system
control: tags -1 +pending
On Sun, Dec 18, 2016 at 09:48:13PM +0100, intrigeri wrote:
> Control: tag -1 + moreinfo
>
> Hi,
>
> Guido Günther:
> > Yes, I think so. The machine is running 4.8.0 now and I think it was
> > 4.2.0 before. Unfortunately it's quite some time since I ran the tests
> > last time (2016-11-15 IIRC) and the box was not up to date at that date.
>
> OK. It might be that the kernel component of AppArmor changed wrt.
> how it handles namespaces in between, but really I've no idea.
>
> >> What's the last working version of AppArmor (userspace)?
>
> > I _think_ it's 2.10.95-4 but I'm not sure.
>
> OK.
>
> > As I wrote this is mostly a placeholder to gather the necessary
> > information, I will have to put more time into sorting out what
> > _exactly_ triggered it but not having seen this type of DENIED before I
> > thought I'd file a bug to check with you guys if you know this kind of
> > problem already.
>
> Cool, good idea!
>
> Well, info="Failed name lookup - disconnected path" does ring a bell.
> It might be that the libvirtd profile needs the attach_disconnected
> flag (there are plenty of examples that do in my /etc/apparmor.d).
> Can you please try and report back?
That worked, reassigning to libvirt. Thanks a lot!
That said this is a behaviour change in apparmor / kernel that breaks
existing profiles. Do we have any means to deal with such things?
Cheers,
-- Guido
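
The triage step discussed in this thread, as an added example that is not part of the original message or of the AppArmor or libvirt projects: it finds DENIED audit records carrying info="Failed name lookup - disconnected path", groups them by profile, and checks whether a profile's text already sets the attach_disconnected flag. The log lines, the profile names other than libvirtd's, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1482132228.101:45): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="dev/pts/0" pid=2101 comm="libvirtd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
audit: type=1400 audit(1482132229.300:46): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/shadow" pid=2200 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1482132230.007:47): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/other" name="proc/1/ns" pid=2300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

DISCONNECTED = "Failed name lookup - disconnected path"
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FLAGS = re.compile(r'flags\s*=\s*\(([^)]*)\)')


def parse_fields(line):
    """Split one audit record into its key=value / key="value" fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def disconnected_denials(log_text):
    """Return {profile: sorted names} for DENIED records caused by disconnected paths."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") == "DENIED" and f.get("info") == DISCONNECTED:
            hits[f.get("profile", "?")].add(f.get("name", "?"))
    return {profile: sorted(names) for profile, names in hits.items()}


def has_attach_disconnected(profile_text):
    """True if a non-comment line of the profile sets flags=(... attach_disconnected ...)."""
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = FLAGS.search(line)
        if m and "attach_disconnected" in re.split(r"[,\s]+", m.group(1).strip()):
            return True
    return False


if __name__ == "__main__":
    for profile, names in disconnected_denials(SAMPLE_LOG).items():
        print(f"{profile}: disconnected-path denials for {names}")
```

With attach_disconnected set, AppArmor treats disconnected paths as if they were rooted at /, so the names reported here are worth reviewing against the profile's rules before the flag is enabled.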