[pkg-apparmor] Bug#905342: Bug#905342: apache fpm not working anymore

intrigeri intrigeri at debian.org
Sun Nov 11 18:13:39 GMT 2018


Hi Ivan,

Ivan Sergio Borgonovo:
> As you said probably apparmor seems not to be the culprit.

> Nov 04 20:21:13 kerberos audit[1280]: AVC apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=1280 comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev, noexec"

This one looks like a bug in the LXC AppArmor profiles, please report
it against the lxc package.

And then I see a bunch of errors caused by the
lxc-container-default-cgns profile that seem to cause trouble for
dovecot, Apache and tor:

> Nov 04 20:21:17 kerberos audit[1591]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1591 comm="(dovecot)" flags="rw, rslave"
> Nov 04 20:21:17 kerberos audit[1598]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1598 comm="(pachectl)" flags="rw, rslave"
> Nov 04 20:21:17 kerberos audit[1611]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1611 comm="(tor)" flags="rw, rslave"
> Nov 04 20:21:17 kerberos kernel: audit: type=1400 audit(1541359277.987:59): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1611 comm="(tor)" flags="rw, rslave"
> Nov 04 20:24:55 kerberos kernel: audit: type=1400 audit(1541359495.750:60): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1881 comm="(tor)" flags="rw, rslave"
> Nov 04 20:24:55 kerberos kernel: audit: type=1400 audit(1541359495.750:61): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="lxc-container-default-cgns" name="system_tor" pid=1881 comm="(tor)"

Now this gets interesting:

> 96 processes are in enforce mode.
> […]
>    /usr/bin/tor (1881) lxc-container-default-cgns
>    /usr/lib/dovecot/anvil (1884) lxc-container-default-cgns
>    /usr/lib/dovecot/log (1885) lxc-container-default-cgns

… and many more processes confined under the
lxc-container-default-cgns profile.

Are you actually running dovecot, tor, postgres, sshd, smbd, Postfix,
dhclient etc. in LXC containers? Or is the lxc-container-default-cgns
profile somehow erroneously applied to these processes?

Cheers,
-- 
intrigeri