[pkg-lxc-devel] Bug#918842: AppArmor profile lxc-containers not loaded on installation, leading to operation="change_profile" info="label not found"

Bernhard Schmidt berni at debian.org
Wed Jan 9 20:51:27 GMT 2019 

Package: lxc
Version: 1:3.1.0-1
Severity: important

Hi,

I freshly installed lxc on my testing box and could not run a container with weird error messages

root at BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
lxc-start: autopkgtest-unstable-amd64: lsm/lsm.c: lsm_process_label_set_at: 174 No such file or directory - Failed to set AppArmor label "lxc-container-default-cgns"
lxc-start: autopkgtest-unstable-amd64: lsm/apparmor.c: apparmor_process_label_set: 1102 Failed to change AppArmor profile to lxc-container-default-cgns
lxc-start: autopkgtest-unstable-amd64: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 5)
lxc-start: autopkgtest-unstable-amd64: start.c: __lxc_start: 1972 Failed to spawn container "autopkgtest-unstable-amd64"
lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

This is caused by this AppArmor DENIED

Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"
Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"

After running

apparmor_parser to load the lxc-configuration profile it works

root at BOTOX:/etc/apparmor.d# apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers
root at BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F                
systemd 240 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
Detected virtualization lxc.
Detected architecture x86-64.

I assume a reboot would have helped as well, possibly this just needs to be added to postinst?

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable'), (400, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.28-2
ii  libcap2                1:2.25-1.2
ii  libgnutls30            3.6.5-2
ii  liblxc1                1:3.1.0-1
ii  libseccomp2            2.3.3-3
ii  libselinux1            2.8-1+b1
ii  lsb-base               10.2018112800

Versions of packages lxc recommends:
ii  bridge-utils                 1.5-16
ii  debootstrap                  1.0.112
ii  dirmngr                      2.2.12-1
ii  dnsmasq-base [dnsmasq-base]  2.80-1
ii  gnupg                        2.2.12-1
ii  iproute2                     4.19.0-2
ii  iptables                     1.8.2-3
ii  libpam-cgfs                  1:3.1.0-1
ii  lxc-templates                3.0.3-1
ii  lxcfs                        3.0.3-2
ii  nftables                     0.9.0-2
ii  openssl                      1.1.1a-1
ii  rsync                        3.1.3-1
ii  uidmap                       1:4.5-1.1

Versions of packages lxc suggests:
ii  apparmor     2.13.2-3
ii  btrfs-progs  4.19.1-1
ii  lvm2         2.03.02-1
pn  python3-lxc  <none>

-- debconf information:
* lxc/auto_update_config: true

More information about the Pkg-lxc-devel mailing list