[pkg-lxc-devel] Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13

Fri Oct 26 13:47:44 BST 2018

Hi, sorry for late reply,
I think it's not bug.
Because I removed systemd, either if I reinstall systemd, or I add some mount rules to apparmor , then the denied messages gone.
Thank you for help, thanks.

On 2018年10月26日 下午5:55:02 [GMT+08:00], intrigeri <intrigeri at debian.org> wrote:
>Control: tag -1 - upstream
>Control: tag -1 + moreinfo
>
>Hi,
>
>kaka:
>> Over the year, if I enable apparmor for lxc (lxc.aa_profile =
>lxc-container-default),
>
>First, I don't think you need to turn this on manually and I doubt
>this is the best AppArmor profile to use. According to
>lxc.container.conf(5):
>
>   APPARMOR PROFILE
>If lxc was compiled and installed with apparmor support, and the host 
>sys‐
>tem  has  apparmor  enabled, then the apparmor profile under which the
>con‐
>tainer should be run can be specified in the container  configuration. 
>The
>default  is  lxc-container-default-cgns if the host kernel is cgroup
>names‐
>       pace aware, or lxc-container-default othewise.
>
>So not setting lxc.aa_profile at all should automatically select the
>lxc-container-default-cgns profile. Not that it would make
>a difference for this bug though.
>
>> I see a lot of "apparmor denied" messages like below,
>> But the lxc itself is can running and functional without a problem,
>> Why apparmor always complain lxc? (is this normal)?
>
>> apparmor="DENIED" operation="mount" info="failed type match"
>error=-13 profile="lxc-container-default" name="/sys/fs/pstore/"
>pid=2676 comm="mount" fstype="pstore" srcname="pstore"
>> apparmor="DENIED" operation="mount" info="failed type match"
>error=-13 profile="lxc-container-default" name="/sys/fs/pstore/"
>pid=2676 comm="mount" fstype="pstore" srcname="pstore" flags="ro"
>> apparmor="DENIED" operation="mount" info="failed flags match"
>error=-13 profile="lxc-container-default" name="/" pid=2763
>comm="mount" flags="rw, remount"
>
>On current sid:
>
> - I cannot reproduce this with the lxc-debian template, which is
>   expected since it has no lxc.mount.entry for /sys/fs/pstore
>
> - I cannot reproduce this with the lxc-ubuntu template (which _has_
>   a lxc.mount.entry for /sys/fs/pstore) either:
>
>     # lxc-create -n ubuntu -t /usr/share/lxc/templates/lxc-ubuntu
>     […]
>     # lxc-start -F -n ubuntu
>     […]
>     Ubuntu 16.04.5 LTS ubuntu console
>
>     ubuntu login: ubuntu
>     Password: 
>     […]
>     $ ubuntu at ubuntu:~$ mount | grep pstore
> pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
>
>   And there's no single AppArmor denial in the host system's logs.
>   aa-status confirms that this container is running under the
>   lxc-container-default-cgns profile.
>
>So, can you still reproduce this on current testing/sid?
>If yes, can you please share a simple reproducer similar to the one
>I've tried to provide above?
>
>Cheers,
>-- 
>intrigeri

Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20181026/7e9bd766/attachment.html>