Comment 2 for bug 1991141

John Johansen (jjohansen) wrote :

Is there any more info for this? Any kernel messages?

From the error itself we can determine:
The parser has root/admin privileges as it passed an early check for that without giving an error.
It was able to open the kernel interface to remove the profile.
The likely error here is that it is not policy_admin_capable in the current namespace (i.e. container).

AppArmor would log a message to the kernel that the task does not have cap MAC_ADMIN if this is the case.

If this is the case the container will need to be set up to have that capability.
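
Added example, not part of the original comment or of AppArmor's code: one way to check from inside the container whether a task holds CAP_MAC_ADMIN, by decoding the Cap* masks in /proc/<pid>/status. The sample status text and the helper names are constructed for illustration; holding the bit is only the capability check mentioned above, not the kernel's full policy_admin_capable test.

```python
import re

CAP_MAC_ADMIN = 33  # bit number defined in linux/capability.h

# Constructed samples of /proc/<pid>/status lines (not taken from the bug report).
SAMPLE_HOST_ROOT = """\
Name:\tapparmor_parser
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
"""
SAMPLE_CONTAINER_ROOT = """\
Name:\tapparmor_parser
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

def cap_sets(status_text):
    """Return {set name: integer mask} for every Cap* line in a status dump."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def diagnose(status_text):
    """Classify where CAP_MAC_ADMIN is present for the task."""
    sets = cap_sets(status_text)
    if "CapEff" not in sets:
        raise ValueError("no CapEff line found")
    bit = 1 << CAP_MAC_ADMIN
    if sets["CapEff"] & bit:
        return "effective"      # the capability check itself should pass
    if sets.get("CapBnd", 0) & bit:
        return "bounding-only"  # allowed for the container, but not raised
    return "missing"            # container was started without the capability

if __name__ == "__main__":
    # Run inside the container as the user that invokes the parser.
    with open("/proc/self/status") as fh:
        print("CAP_MAC_ADMIN:", diagnose(fh.read()))
```

A result of "missing" means the capability is absent from the bounding set, so it has to be granted in the container's configuration rather than from inside the container.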