[pkg-apparmor] Bug#1050256: autopkgtest fails on debci
Christian Boltz
debian-bugs at cboltz.de
Thu Aug 31 18:54:39 BST 2023
Hello,
On Thursday, 31 August 2023, 08:41:59 CEST, Michael Biebl wrote:
> What we found so far is that the AppArmor policy of lxc breaks any
> systemd service using PrivateNetwork=yes or PrivateIPC=yes when being
> run under lxc (running under bookworm using the bookworm kernel).
> I wonder what the best course of action is here.
> Should we disable the AA policy of lxc via a stable upload of the lxc
> package until the root cause is found?
>
> Unfortunately I know too little about AppArmor and lxc's AppArmor
> policy and my attempts to ask around for help weren't successful so
> far.
Two quick hints, but let me warn you that I'm not familiar with lxc and
also didn't check the content of the lxc-autopkgtest-lxc-iomhit_*
profile.
https://github.com/lxc/lxc/issues/4333 indicates that this issue was
fixed in a (much) newer kernel - but that's probably not news to you
since you wrote that comment ;-)
That said - the DENIED log entry translates to

    unix send type=dgram,

You could try if adding this rule to the lxc-autopkgtest-lxc-iomhit_*
profile helps - but if the issue is really on the kernel side, my hope is
limited.

For testing, you could also try with a more broad

    unix send,

or even

    unix,

rule - but please don't add these broader rules to the production
profile.
Regards,
Christian Boltz
--
you need a certificate, nobody knows how to do that securely (including
the CAs ;-) [Bernd Paysan, https://bugs.kde.org/show_bug.cgi?id=131083]
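
The translation from a DENIED log entry to a profile rule that the message describes, as an added example that is not part of the original message or of AppArmor's tooling. The sample log line is constructed, and the definition of a "broad" rule (no type, addr or peer restriction) is this example's assumption.

```python
import re

# Constructed sample in the kernel audit format for AppArmor denials.
# Profile name, pid and timestamp are placeholders, not values from the bug.
SAMPLE = ('audit: type=1400 audit(1693464000.000:100): apparmor="DENIED" '
          'operation="sendmsg" profile="lxc-example-profile" pid=1234 '
          'comm="systemd-logind" family="unix" sock_type="dgram" protocol=0 '
          'requested_mask="send" denied_mask="send"')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def denial_to_rule(line):
    """Return the narrowest unix rule covering a DENIED line, or None."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED" or f.get("family") != "unix":
        return None
    perms = f.get("denied_mask", "").split()
    if not perms:
        return None
    access = perms[0] if len(perms) == 1 else "(" + ", ".join(perms) + ")"
    rule = "unix " + access
    if f.get("sock_type"):
        rule += " type=" + f["sock_type"]
    return rule + ","

def broad_unix_rules(profile_text):
    """List unix allow rules that restrict neither type, addr nor peer.
    Treating exactly these as 'broad' is this example's assumption."""
    broad = []
    for raw in profile_text.splitlines():
        rule = raw.split("#", 1)[0].strip()
        if re.match(r"unix\b", rule) and rule.endswith(","):
            if not re.search(r"\b(type|addr|peer)=", rule):
                broad.append(rule)
    return broad

if __name__ == "__main__":
    print(denial_to_rule(SAMPLE))
    print(broad_unix_rules("unix send type=dgram,\nunix send,\nunix,\n"))
```

Running `broad_unix_rules` over a profile before it ships catches test-only rules such as `unix send,` or `unix,` that were left in.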