[pkg-apparmor] Bug#880502: lxc: cannot start container with kernel 4.13.10
Evgeni Golov
evgeni at debian.org
Thu Nov 2 19:09:21 UTC 2017
Hi,
On Thu, Nov 02, 2017 at 07:09:10PM +0100, Christian Boltz wrote:
> seeing the AppArmor denials would be helpful to get this fixed ;-)
I think the issue is different.
Looking at the LXC log, we see the following:
lxc-start 20171102130036.516 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:234 - No such file or directory - failed to change apparmor profile to lxc-container-default-cgns
And indeed, we see no profiles:
# aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
I think the issue is that when LXC is installed *before* AppArmor is
enabled, the postinst snippet generated by dh_apparmor [1] is not
registering any profiles. And now that AppArmor is enabled, the profile
is missing and cannot be applied.
This is just a theory; I did not have time to actually reproduce and try
it.
Evgeni
[1]
# Automatically added by dh_apparmor/2.11.1-2
aa_is_enabled() {
    if command aa-enabled >/dev/null 2>&1; then
        # apparmor >= 2.10.95-2
        aa-enabled --quiet 2>/dev/null
    else
        # apparmor << 2.10.95-2
        # (This should be removed once Debian Stretch and Ubuntu 18.04 are out.)
        rc=0
        aa-status --enabled 2>/dev/null || rc=$?
        [ "$rc" = 0 ] || [ "$rc" = 2 ]
    fi
}
if [ "$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/usr.bin.lxc-start"
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.lxc-start"
        test -e "$LOCAL_APP_PROFILE" || {
            tmp=`mktemp`
            cat <<EOM > "$tmp"
# Site-specific additions and overrides for usr.bin.lxc-start.
# For more details, please see /etc/apparmor.d/local/README.
EOM
            mkdir `dirname "$LOCAL_APP_PROFILE"` 2>/dev/null || true
            mv -f "$tmp" "$LOCAL_APP_PROFILE"
            chmod 644 "$LOCAL_APP_PROFILE"
        }
        # Reload the profile, including any abstraction updates
        if aa_is_enabled; then
            apparmor_parser -r -T -W "$APP_PROFILE" || true
        fi
    fi
fi
# End automatically added section
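The state described above (a profile file sitting under /etc/apparmor.d while aa-status reports 0 loaded profiles, because the package's postinst ran while AppArmor was still disabled) can be checked for directly. The script below is an added example, not part of this bug report or of dh_apparmor: it compares the profile names declared in a directory of profile files against a list of loaded profile names. It takes the directory and the loaded-profile list as parameters so it can run against a constructed fixture; on a real system the directory is /etc/apparmor.d and the loaded list is /sys/kernel/security/apparmor/profiles (root-readable, one "name (mode)" line per loaded profile). The sample profile files and the loaded list in demo() are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or dh_apparmor): list profile files
# that declare a profile the kernel has not loaded.
# Production inputs (assumed, not exercised here):
#   profile directory: /etc/apparmor.d
#   loaded list:       /sys/kernel/security/apparmor/profiles

# Print the profile name(s) declared at top level in one profile file:
# either "profile NAME ... {" or a leading attachment path "/usr/bin/foo ... {".
profile_names() {
    sed -n -E \
        -e 's/^profile[[:space:]]+([^[:space:]{]+).*$/\1/p' \
        -e 's/^(\/[^[:space:]{]+).*\{[[:space:]]*$/\1/p' \
        "$1"
}

# $1: directory of profile files; $2: file holding the loaded-profile list.
# Prints "NAME<TAB>FILE" for every declared profile that is not loaded.
unloaded_profiles() {
    dir=$1
    # Strip the " (enforce)" / " (complain)" suffix to get bare profile names.
    loaded_names=$(sed 's/ ([a-z]*)$//' "$2")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for name in $(profile_names "$f"); do
            if ! printf '%s\n' "$loaded_names" | grep -q -x -F -- "$name"; then
                printf '%s\t%s\n' "$name" "$f"
            fi
        done
    done
}

# Constructed fixture: three profile files on disk, but only tcpdump's
# profile was loaded, i.e. the LXC profiles were never registered.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/profiles"
    cat > "$tmp/profiles/usr.bin.lxc-start" <<'EOF'
#include <tunables/global>
/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/base>
  capability,
}
EOF
    cat > "$tmp/profiles/lxc-default-cgns" <<'EOF'
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
}
EOF
    cat > "$tmp/profiles/usr.sbin.tcpdump" <<'EOF'
/usr/sbin/tcpdump {
  capability net_raw,
}
EOF
    # Constructed loaded-profile list in the sysfs "name (mode)" format.
    printf '%s\n' '/usr/sbin/tcpdump (enforce)' > "$tmp/loaded"
    unloaded_profiles "$tmp/profiles" "$tmp/loaded"
    rm -rf "$tmp"
}

# Run the constructed demonstration when executed directly; it reports
# lxc-container-default-cgns and /usr/bin/lxc-start as declared but not loaded.
demo
```

Each file the check reports can be loaded the same way the postinst does it, with apparmor_parser -r -T -W on that file (or by reinstalling the package so its postinst runs again now that AppArmor is enabled); lxc-container-default-cgns lives in its own file under the lxc/ subdirectory, which is why the check walks the whole directory rather than only usr.bin.lxc-start.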