List: lxc-users
Subject: [lxc-users] How to avoid apparmor="DENIED" for remount in container
From: Kees Bakker <keesb () ghs ! com>
Date: 2019-07-03 9:25:44
Message-ID: 82a03064-25f0-6359-9db2-f0692b5c812a () ghs ! com
Hey,
In a container I'm running some Apache/PHP service (in this case LibreNMS). This
service is causing an annoying error in /var/log/syslog which I get to see in
logwatch. The error message is triggered by a remount done by phpsessionclean, I
think.
Here is a sample of the syslog message
Jul 3 06:39:01 maas kernel: [4912175.444878] audit: type=1400 audit(1562128741.931:85397): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" name="/home/" pid=2336 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"
The same issue was discussed before [1]. At the time it was reported for
LXD 3.0.1. Stephane replied with
"Looks like a process inside one of your containers is trying to remount /bin
read-only, possibly just in a private namespace. That’s currently not allowed by the
apparmor policy in LXD 3.0.1 which you’re using.

I believe we have actually refreshed that very bit of policy so LXD 3.0.2 (once
released) should silence this and also unblock whatever that process is trying to
do."
Today, I'm running LXD 3.0.3 and the error is still there.
How can I suppress this error?
[1] https://discuss.linuxcontainers.org/t/apparmor-denied-operation-mount/2424
--
Kees
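
For triaging denials like the one quoted in the message, the following Python sketch parses AppArmor audit lines from syslog and counts the read-only bind remount denials per profile, command and mount point. It is an added example, not part of the original message or of LXD; the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# key=value pairs of a kernel audit record; values are quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_apparmor(line):
    """Return the fields of one AppArmor audit line as a dict, else None."""
    if 'apparmor="' not in line:
        return None
    rec = {k: (b if b else q) for k, q, b in FIELD_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    if m:
        rec["epoch"], rec["serial"] = float(m.group(1)), int(m.group(2))
    flags = rec.get("flags", "")
    rec["flags"] = frozenset(f.strip() for f in flags.split(",") if f.strip())
    return rec

def is_ro_bind_remount(rec):
    """True for a denied mount that asked for a read-only bind remount."""
    return (rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount"
            and {"ro", "remount", "bind"} <= rec["flags"])

def summarize(lines):
    """Count read-only bind remount denials per (profile, comm, name)."""
    counts = Counter()
    for rec in filter(None, map(parse_apparmor, lines)):
        if is_ro_bind_remount(rec):
            counts[(rec["profile"], rec["comm"], rec["name"])] += 1
    return counts

PREFIX = 'Jul 3 06:39:01 maas kernel: [4912175.444878] audit: type=1400 '
SAMPLE = [
    # The line quoted in the message.
    PREFIX + 'audit(1562128741.931:85397): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" '
    'name="/home/" pid=2336 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"',
    # Constructed: the same denial repeated under a later audit serial.
    PREFIX + 'audit(1562128741.931:85398): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" '
    'name="/home/" pid=2336 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"',
    # Constructed: a file-access denial, which must not be counted.
    PREFIX + 'audit(1562128742.100:85399): apparmor="DENIED" operation="open" '
    'profile="example-profile" name="/etc/example" pid=2400 comm="example"',
    # Constructed: an unrelated syslog line.
    'Jul 3 06:39:01 maas CRON[2330]: constructed non-audit line',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```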