Hello,

On Thursday, 31 August 2023, 08:41:59 CEST, Michael Biebl wrote:
> What we found so far is that the AppArmor policy of lxc breaks any
> systemd service using PrivateNetwork=yes or PrivateIPC=yes when being
> run under lxc (running under bookworm using the bookworm kernel).
> I wonder what the best course of action is here.
> Should we disable the AA policy of lxc via a stable upload of the lxc
> package until the root cause is found?
>
> Unfortunately I know too little about AppArmor and lxc's AppArmor
> policy and my attempts to ask around for help weren't successful so
> far.
Two quick hints, but let me warn you that I'm not familiar with lxc and
also didn't check the content of the lxc-autopkgtest-lxc-iomhit_* profile.

https://github.com/lxc/lxc/issues/4333 indicates that this issue was fixed
in a (much) newer kernel - but that's probably not news to you since you
wrote that comment ;-)

That said - the DENIED log entry translates to

    unix send type=dgram,

You could try whether adding this rule to the lxc-autopkgtest-lxc-iomhit_*
profile helps - but if the issue is really on the kernel side, my hope is
limited.

For testing, you could also try with a broader rule such as

    unix send,

or even

    unix,

- but please don't add these broader rules to the production profile.

Regards,

Christian Boltz
--
you need a certificate, nobody knows how to do that securely
(including the CAs ;-)
[Bernd Paysan, https://bugs.kde.org/show_bug.cgi?id=131083]
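The step Christian describes, reading the DENIED audit entry and turning it into the narrowest unix rule that would have allowed it (and, for testing only, the broader "unix send," and "unix," forms), is what aa-logprof automates. Below is an added, stand-alone example that is not code from the thread, from lxc or from the AppArmor project: it parses the key=value fields of AppArmor audit lines for unix-socket mediation and emits candidate rules grouped by profile. The audit lines are constructed samples in the format the kernel emits for unix-socket denials; the profile name lxc-autopkgtest-lxc-example_</var/lib/lxc> and the comm values are placeholders, not the real profile from the bug.

```python
"""
Translate AppArmor unix-socket DENIED audit entries into candidate rules.

Added example, not code from the original thread, lxc, or AppArmor.
The sample log below is constructed; profile and comm values are placeholders.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample audit lines (placeholder profile name, not the real bug's).
SAMPLE_LOG = """\
type=AVC msg=audit(1693464120.123:456): apparmor="DENIED" operation="sendmsg" profile="lxc-autopkgtest-lxc-example_</var/lib/lxc>" pid=1234 comm="systemd" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="unconfined"
type=AVC msg=audit(1693464120.124:457): apparmor="DENIED" operation="create" profile="lxc-autopkgtest-lxc-example_</var/lib/lxc>" pid=1234 comm="systemd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1693464120.125:458): apparmor="DENIED" operation="open" profile="lxc-autopkgtest-lxc-example_</var/lib/lxc>" name="/etc/shadow" pid=1235 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1693464120.126:459): apparmor="ALLOWED" operation="sendmsg" profile="lxc-autopkgtest-lxc-example_</var/lib/lxc>" pid=1234 comm="systemd" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send"
"""

# key=value pairs; values are either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

LEVELS = ("narrow", "access", "any")


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def unix_rule(fields, level="narrow"):
    """
    Build an AppArmor unix rule for a DENIED unix-socket entry, or None if the
    entry is not a unix-socket denial (file accesses, ALLOWED entries, ...).

    level="narrow": access + socket type + peer label as seen in the log,
                    e.g. 'unix send type=dgram peer=(label=unconfined),'
    level="access": only the access, e.g. 'unix send,'  (testing only)
    level="any":    'unix,'                                (testing only)
    """
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    if fields.get("apparmor") != "DENIED" or fields.get("family") != "unix":
        return None
    access = fields.get("denied_mask") or fields.get("requested_mask")
    if not access:
        return None
    if level == "any":
        return "unix,"
    # Multiple accesses ("send receive") need parentheses in rule syntax.
    parts = ["unix", f"({access})" if " " in access else access]
    if level == "narrow":
        if fields.get("sock_type"):
            parts.append(f"type={fields['sock_type']}")
        if fields.get("peer"):
            parts.append(f"peer=(label={fields['peer']})")
    return " ".join(parts) + ","


def rules_from_log(text, level="narrow"):
    """Deduplicated candidate rules per profile, in first-seen order."""
    out = OrderedDict()
    for line in text.splitlines():
        fields = parse_audit_line(line)
        rule = unix_rule(fields, level)
        if rule is None:
            continue
        bucket = out.setdefault(fields.get("profile", "<unknown>"), [])
        if rule not in bucket:
            bucket.append(rule)
    return out


if __name__ == "__main__":
    # Feed real audit.log / journal lines on stdin; otherwise use the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    level = sys.argv[1] if len(sys.argv) > 1 else "narrow"
    for profile, rules in rules_from_log(text, level).items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Run it with "narrow" (the default) to get the rule to try in the profile, and with "access" or "any" only to reproduce the broader test-only variants from the message; the ALLOWED entry and the file-open denial in the sample are deliberately skipped so that unrelated events do not turn into unix rules.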