Control: tag -1 + upstream

Hi,

johnw:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898025
> Over the year, if I enable apparmor for lxc (lxc.aa_profile =
> lxc-container-default),
> I see a lot of "apparmor denied" messages like below,
> But the lxc itself can run and is functional without a problem,
> Why does apparmor always complain about lxc? (is this normal)?

First of all, disclaimer: I know extremely little about LXC and the way it uses AppArmor confinement.

> apparmor="DENIED" operation="mount" info="failed type match"
> error=-13 profile="lxc-container-default" name="/sys/fs/pstore/"
> pid=2676 comm="mount" fstype="pstore" srcname="pstore"

FWIW I've looked at recent Ubuntu packages (2.0.8-0ubuntu1~16.04.1 and 3.0.1-0ubuntu1) and none of them have AppArmor rules for /sys/fs/pstore. It looks like an upstream bug to me because both Ubuntu and Debian have:

config/templates/ubuntu.common.conf.in:lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0

… so it seems expected that the container will mount /sys/fs/pstore and then a rule is missing.

> apparmor="DENIED" operation="mount" info="failed flags match"
> error=-13 profile="lxc-container-default" name="/" pid=2763
> comm="mount" flags="rw, remount"

I guess the "remount" flag is the problem. I guess it depends on what LXC template you're using.

Cheers,
-- 
intrigeri
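As an added example (not part of the bug report, LXC or the Debian packaging), a small Python triage script that parses AppArmor audit lines like the two DENIED mount messages quoted above and derives the candidate mount rule that would cover each; the rule syntax follows apparmor.d(5), and the generated rules are proposals for a human to review against the profile, not its actual content.

```python
import re

# Constructed sample log: the two denials quoted in the report plus one
# unrelated, non-denied event that the triage must ignore.
SAMPLE_LOG = '''
apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore"
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=2763 comm="mount" flags="rw, remount"
apparmor="ALLOWED" operation="open" profile="lxc-container-default" name="/etc/passwd" pid=1 comm="cat"
'''

# key="quoted value with spaces" or key=bareword (e.g. error=-13)
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one AppArmor audit line into a dict of key -> value."""
    return {key: (quoted or bare) for key, quoted, bare in TOKEN.findall(line)}


def suggest_mount_rule(event):
    """Build a candidate 'mount ... -> target,' rule for a denied mount.

    'failed type match' means the fstype needs to be allowed; 'failed flags
    match' means the mount options (here rw,remount) need to be allowed.
    Returns None for events that are not denied mounts.
    """
    if event.get("apparmor") != "DENIED" or event.get("operation") != "mount":
        return None
    parts = ["mount"]
    if "flags" in event:
        # AppArmor prints flags as "rw, remount"; rule syntax is options=(rw,remount)
        opts = ",".join(flag.strip() for flag in event["flags"].split(","))
        parts.append(f"options=({opts})")
    if "fstype" in event:
        parts.append(f"fstype={event['fstype']}")
    parts.append(f"-> {event['name']},")
    return " ".join(parts)


def triage(log):
    """Return (info, profile, candidate rule) for every denied mount in the log."""
    results = []
    for line in log.strip().splitlines():
        event = parse_audit_line(line)
        rule = suggest_mount_rule(event)
        if rule:
            results.append((event.get("info"), event.get("profile"), rule))
    return results


if __name__ == "__main__":
    for info, profile, rule in triage(SAMPLE_LOG):
        print(f"{profile}: {info} -> candidate rule: {rule}")
```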