overlayroot read-only mode apparmor dhclient DENIED

Following the above description.
I have known a solution:
~$ sudo ln -s /etc/apparmor.d/sbin.dhclient /etc/apparmor.d/disable/
~$ sudo /etc/init.d/apparmor reload
~$ sudo /etc/init.d/apparmor restart
~$ sudo /etc/init.d/networking restart
~$ sudo dhclient enp0s3

but I think this method is insecurity.I want to know Why did it happen?And How to fix it.

I am using "ubuntu-15.10-desktop-amd64.iso" and "overlayroot".

need any help
Thanks

Hello zy,

Be very careful with /etc/init.d/networking restart --- this can cause severe instability issues on Ubuntu systems. Some versions have this script modified to prevent the trouble, but some don't. The ifupdown tools should be used to restart specific interfaces instead. I know that's insanely confusing, but it's just the way it is.

The AppArmor problem is the "Failed name lookup - disconnected path" entry. This means that the process is running in a filesystem namespace (perhaps a chroot?) where the filename doesn't actually exist. The usual way forward is to add flags=(attach_disconnected) to the profile, e.g.:

/sbin/dhclient flags=(attach_disconnected) { ...

If that isn't sufficient for you, this may be related to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1408106 -- but I must admit I don't know the details of why overlayfs doesn't work well with AppArmor.

Thanks

Dear Seth Arnold,

OH,It`s amazing.with the attach_disconnected, It is seem to work .
It`s a good way to solve the trouble.Thank you for your answer.
if I find some valuable thing about the trouble,I will be post here.

Best Regard,
zy

Dear Seth Arnold,

Recently, I use this method " attach_disconnected " in the virtualbox.However, this method does not seem stable, often unable to get online.

Best Regard,
zy

I find the relevant information about this issue.

"Unless specifically directed to connect the path,OR if in a chroot and doing chroot relative paths and the path resolves to the namespace root (would be connected outside of chroot) and specifically directed to connect paths to namespace root."

"we could extend attach_disconnected so that we can define the attach root. Eg, we can use profile foo (attach_disconnected=/mnt) {} such that '/bin/bash' maps to '/mnt/bin/bash'."

> Recently, I use this method " attach_disconnected " in the virtualbox.
> However, this method does not seem stable, often unable to get online.

Using the attach_disconnected flag should at least give you different log events ;-)

Can you please check /var/log/kernel.log and post some "new" log lines?

Hello - I'm requesting that you answer the question in comment 6 so that we can fix this bug for you. Thank you!

I think I fix the issue.

[ 22.126997] audit: type=1400 audit(1502779554.863:21): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="etc/ld.so.cache"

You can find that the path which is looking for is relative path "name="etc/ld.so.cache"" , so I added attach_disconnected=/ to /etc/apparmor.d/sbin.dhclient.

Sorry, it's been so long to feedback information.