[pkg-lxc-devel] Bug#918842: Bug#918842: AppArmor profile lxc-containers not loaded on installation, leading to operation="change_profile" info="label not found"

Pierre-Elliott Bécue peb at debian.org
Thu Jan 10 10:35:15 GMT 2019


On 09/01/2019 at 21:51, Bernhard Schmidt wrote:
> Package: lxc
> Version: 1:3.1.0-1
> Severity: important
> 
> Hi,
> 
> I freshly installed lxc on my testing box and could not run a container with weird error messages
> 
> root@BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
> lxc-start: autopkgtest-unstable-amd64: lsm/lsm.c: lsm_process_label_set_at: 174 No such file or directory - Failed to set AppArmor label "lxc-container-default-cgns"
> lxc-start: autopkgtest-unstable-amd64: lsm/apparmor.c: apparmor_process_label_set: 1102 Failed to change AppArmor profile to lxc-container-default-cgns
> lxc-start: autopkgtest-unstable-amd64: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 5)
> lxc-start: autopkgtest-unstable-amd64: start.c: __lxc_start: 1972 Failed to spawn container "autopkgtest-unstable-amd64"
> lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 330 The container failed to start
> lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> 
> This is caused by this AppArmor DENIED
> 
> Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"
> Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"
> 
> After running
> 
> apparmor_parser to load the lxc-configuration profile it works
> 
> root@BOTOX:/etc/apparmor.d# apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers
> root@BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
> systemd 240 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
> Detected virtualization lxc.
> Detected architecture x86-64.
> 
> I assume a reboot would have helped as well, possibly this just needs to be added to postinst?

Thanks for your report. I'll try to include this change in the next
release of lxc, quite soon!

My bad for missing this, I admit I didn't meet the issue, probably
because my configuration is more relaxed than yours?

Cheers. :)

-- 
PEB
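
One way to detect the condition in this report from logs, as an added example that is not part of the original thread or of lxc: it parses AppArmor audit records, keeps `change_profile` denials with `info="label not found"`, and reports the target profiles that are absent from the loaded-profile list. The function names are hypothetical, the two profile lists are constructed, and the `name (mode)` line format is assumed to be that of `/sys/kernel/security/apparmor/profiles`.

```python
import re

# key=value pairs in an audit record; a value is either "quoted" or a bare token
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The two audit lines quoted in the bug report (same event, journal and kernel copies)
LOG = [
    'Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED" operation="change_profile" '
    'info="label not found" error=-2 profile="unconfined" '
    'name="lxc-container-default-cgns" pid=15070 comm="lxc-start"',
    'Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61): '
    'apparmor="DENIED" operation="change_profile" info="label not found" error=-2 '
    'profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"',
]
# Constructed loaded-profile lists: before and after loading lxc-containers
PROFILES_BEFORE = "example-profile (enforce)\n"
PROFILES_AFTER = PROFILES_BEFORE + "lxc-container-default-cgns (enforce)\n"

def parse_avc(line):
    """Return the key/value fields of one AppArmor audit line as a dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in _FIELD.findall(line)}

def loaded_profiles(profiles_text):
    """Profile names from 'name (mode)' lines (mode suffix stripped)."""
    return {l.rsplit(" (", 1)[0] for l in profiles_text.splitlines() if l.strip()}

def missing_profiles(log_lines, profiles_text):
    """Map each still-unloaded change_profile target to the commands that requested it."""
    loaded = loaded_profiles(profiles_text)
    found = {}
    for line in log_lines:
        f = parse_avc(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "change_profile"
                and f.get("info") == "label not found"
                and f.get("name") not in loaded):
            found.setdefault(f.get("name"), set()).add(f.get("comm"))
    return {name: sorted(comms) for name, comms in found.items()}

if __name__ == "__main__":
    for name, comms in missing_profiles(LOG, PROFILES_BEFORE).items():
        print(f"profile {name!r} requested by {comms} is not loaded")
```
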


