
List:       lxc-users
Subject:    [lxc-users] How to avoid apparmor="DENIED" for remount in container
From:       Kees Bakker <keesb () ghs ! com>
Date:       2019-07-03 9:25:44
Message-ID: 82a03064-25f0-6359-9db2-f0692b5c812a () ghs ! com

Hey,

In a container I'm running some Apache/PHP service (in this case
LibreNMS). This service is causing an annoying error in /var/log/syslog
which I get to see in logwatch. The error message is triggered by a
remount done by phpsessionclean, I think.

Here is a sample of the syslog message

Jul  3 06:39:01 maas kernel: [4912175.444878] audit: type=1400 audit(1562128741.931:85397): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" name="/home/" pid=2336 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"

The same issue was discussed before [1]. At the time it was reported for
LXD 3.0.1. Stephane replied with

   "Looks like a process inside one of your containers is trying to
    remount /bin read-only, possibly just in a private namespace.
    That’s currently not allowed by the apparmor policy in LXD 3.0.1
    which you’re using.

    I believe we have actually refreshed that very bit of policy so
    LXD 3.0.2 (once released) should silence this and also unblock
    whatever that process is trying to do."

Today, I'm running LXD 3.0.3 and the error is still there.
How can I suppress this error?

[1] https://discuss.linuxcontainers.org/t/apparmor-denied-operation-mount/2424
-- 
Kees
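
An added example, not part of the original message: a Python sketch that parses AppArmor denial lines like the one quoted above and groups repeats by profile, operation, path, command and mount flags, so the recurring remount denial can be identified before deciding how to handle it. The function names are hypothetical and the second sample line is constructed.

```python
import re
from collections import Counter

# Sample input: the denial quoted in the message, plus one constructed
# non-audit line to show that unrelated syslog entries are skipped.
SAMPLE = [
    'Jul  3 06:39:01 maas kernel: [4912175.444878] audit: type=1400 '
    'audit(1562128741.931:85397): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 '
    'profile="lxd-librenms_</var/lib/lxd>" name="/home/" pid=2336 '
    'comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"',
    'Jul  3 06:39:02 maas CRON[2340]: (root) CMD (constructed sample line)',
]

# key=value pairs: values are double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    # Normalise mount flags to a sorted tuple so equal flag sets compare equal.
    flags = fields.get("flags", "")
    fields["flags"] = tuple(sorted(f.strip() for f in flags.split(",") if f.strip()))
    return fields


def is_remount_bind(fields):
    """True for the denial class in the message: a mount with remount+bind."""
    return fields.get("operation") == "mount" and \
        {"remount", "bind"} <= set(fields["flags"])


def summarize(lines):
    """Count denials per (profile, operation, name, comm, flags)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            key = (d.get("profile"), d.get("operation"), d.get("name"),
                   d.get("comm"), d["flags"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```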



