Don't require use of mediate_deleted with LXC (was: apparmor prevents dpkg-divert and localedef from working in a container)
| Affects | Importance | Assigned to |
|---|---|---|
| AppArmor | Medium | Unassigned |
| apparmor (Ubuntu) | Medium | Unassigned |
| Precise | Undecided | Unassigned |
| linux (Ubuntu) | Medium | Unassigned |
| Precise | Undecided | Unassigned |
| lxc (Ubuntu) | Undecided | Unassigned |
| Precise | Undecided | Unassigned |
Bug Description
I moved the daily flavour upgrade testing to a container but it's now failing when running ubuntu-vm-builder, here are the entries from dmesg:
[ 2038.491817] type=1400 audit(133311965
[ 2149.277909] type=1400 audit(133311977
[ 2263.501949] type=1400 audit(133311988
[ 2264.736948] type=1400 audit(133311988
[ 2367.429100] type=1400 audit(133311998
The apparmor profile used for this container is attached.
| Stéphane Graber (stgraber) wrote : | #1 |
| Changed in apparmor (Ubuntu): | |
| importance: | Undecided → Critical |
| Changed in apparmor (Ubuntu Precise): | |
| milestone: | none → ubuntu-12.04 |
| Stéphane Graber (stgraber) wrote : | #2 |
| James Page (james-page) wrote : | #3 |
Interestingly when I set the lxc-container-
sudo aa-complain /etc/apparmor.
I no longer get the issue in the lxc instance - however neither do I get any complaints.
| Launchpad Janitor (janitor) wrote : | #4 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in apparmor (Ubuntu): | |
| status: | New → Confirmed |
| John Johansen (jjohansen) wrote : | #5 |
While I haven't tried this yet, my initial thought, seeing that it works in complain mode but there are no messages, is that this is something that is being specifically denied in the profile.
To confirm this we need to disable quieting of explicitly denied messages; we can do this as root with
echo -n "noquiet" > /sys/module/
| JP Viljoen (froztbyte) wrote : | #6 |
Friend of mine solved this, asked me if I can post it, so here goes:
/etc/apparmor.
| John Johansen (jjohansen) wrote : | #7 |
This does indeed seem to be the problem. The current labeling done by apparmor is not enough to avoid needing the mediate_deleted flag on the lxc profiles. Adding the flag will force apparmor to do a name lookup for entries that have been deleted (the name can be reliably reconstructed), instead of using the default of the cached file label.
I have opened Bug #970647 for the failure to log rejects due to the deleted entry logic.
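As an added example of the workaround comments #6 and #7 describe (this is not code from the bug thread or from the lxc package), the script below checks whether an AppArmor profile header already carries the mediate_deleted flag and, if not, emits the profile with the flag added. The function names, the sample profile text and the profile name `lxc-container-default` are assumptions made for this example; the real profile file under /etc/apparmor.d is not taken from this page.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the lxc package: check an
# AppArmor profile header for the mediate_deleted flag that comments #6/#7
# describe as the workaround, and emit a corrected profile when it is missing.
# The profile text below is constructed for this example; the real file lives
# under /etc/apparmor.d (its exact path is not taken from this page).

# Return 0 when the profile header in "$@" (or stdin) lists mediate_deleted
# inside its flags=(...) list, 1 otherwise. The delimiter check avoids
# matching a different flag that merely contains the text.
has_mediate_deleted() {
    grep -Eq '^[[:space:]]*profile[[:space:]].*flags=\(([^)]*[ ,])?mediate_deleted([ ,][^)]*)?\)' "$@"
}

# Print the profile from "$@" (or stdin) with mediate_deleted added to the
# header: prepended to an existing flags=(...) list, or a new list inserted
# before the opening brace. Headers that already have it pass through unchanged.
add_mediate_deleted() {
    awk '
    /^[[:space:]]*profile[[:space:]]/ && /[{][[:space:]]*$/ {
        if ($0 ~ /flags=\(/) {
            if ($0 !~ /flags=\(([^)]*[ ,])?mediate_deleted([ ,][^)]*)?\)/)
                sub(/flags=\(/, "flags=(mediate_deleted,")
        } else {
            sub(/[[:space:]]*[{][[:space:]]*$/, " flags=(mediate_deleted) {")
        }
    }
    { print }' "$@"
}

# Constructed sample: a container profile whose header lacks the flag.
SAMPLE_PROFILE='profile lxc-container-default flags=(attach_disconnected) {
  file,
  capability,
}'

if printf '%s\n' "$SAMPLE_PROFILE" | has_mediate_deleted; then
    echo "profile already mediates deleted files"
else
    echo "profile lacks mediate_deleted; corrected profile:"
    printf '%s\n' "$SAMPLE_PROFILE" | add_mediate_deleted
fi
```

Both functions accept a file argument (`has_mediate_deleted /path/to/profile`) or read stdin, so the check can be run over every profile in a directory before reloading them with apparmor_parser; the rewrite only touches the header line, never the rules inside the profile body.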
| Serge Hallyn (serge-hallyn) wrote : | #8 |
@JP
great! Thanks for that. I'll add that for now as a workaround.
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package lxc - 0.7.5-3ubuntu49
---------------
lxc (0.7.5-3ubuntu49) precise; urgency=low
* debian/
-- Serge Hallyn <email address hidden> Mon, 02 Apr 2012 09:38:21 -0500
| Changed in lxc (Ubuntu Precise): | |
| status: | New → Fix Released |
| tags: | added: rls-mgr-p-tracking |
| Jamie Strandboge (jdstrand) wrote : | #10 |
Marking the apparmor task as Won't Fix since the lxc work around is in place. If we pursue this in SRU, it will be through bug #970647.
| Changed in apparmor (Ubuntu Precise): | |
| importance: | Critical → Undecided |
| status: | Confirmed → Won't Fix |
| milestone: | ubuntu-12.04 → none |
| Serge Hallyn (serge-hallyn) wrote : | #11 |
Based on the duplicates, I'm not sure the workaround is working as well as we'd hoped.
John, what are the prospects of bug 970647? How complicated is the fix for it?
| Francesco Del Degan (pr0gg3d) wrote : | #12 |
I'm sorry if this is not the place to report this, but running localedef in an lxc ubuntu container is affecting quantal right now.
The log line is
[26775.302073] type=1400 audit(135347892
I just fixed it by adding mediate_deleted into /etc/apparmor.
| John Johansen (jjohansen) wrote : | #13 |
Francesco,
The mediate_deleted flag should fix the rejection shown in comment #12.
| John Johansen (jjohansen) wrote : | #14 |
Serge,
see comments on bug 970647, there is some progress but I have not found a specific bug affecting logging of this case. The larger fix, which is the extended labeling, is in progress and will enter into the apparmor-dev ppa soon for testing.
| Serge Hallyn (serge-hallyn) wrote : | #15 |
Francesco,
The DENIED message doesn't look right. It says your container is running in the lxc-start profile? It should have transitioned to a container profile when /sbin/init was executed.
I think it is worth opening a new bug about your issue, so we can make sure there isn't more going on.
| Iain Lane (laney) wrote : | #16 |
I get this (newly?) when trying to update within sbuild within lxc
[ 1927.282880] type=1400 audit(138381697
| Serge Hallyn (serge-hallyn) wrote : Re: [Bug 969299] Re: apparmor prevents dpkg-divert and localedef from working in a container | #17 |
Quoting Iain Lane (<email address hidden>):
> I get this (newly?) when trying to update within sbuild within lxc
>
> [ 1927.282880] type=1400 audit(138381697
> operation="getattr" info="Failed name lookup - deleted entry" error=-2
> parent=11717 profile=
lxc-start -> that is not the profile you should be under.
Is this by chance a 3.12 kernel?
| Iain Lane (laney) wrote : | #18 |
On Thu, Nov 07, 2013 at 03:20:29PM -0000, Serge Hallyn wrote:
> Quoting Iain Lane (<email address hidden>):
> > I get this (newly?) when trying to update within sbuild within lxc
> >
> > [ 1927.282880] type=1400 audit(138381697
> > operation="getattr" info="Failed name lookup - deleted entry" error=-2
> > parent=11717 profile=
>
> lxc-start -> that is not the profile you should be under.
>
> Is this by chance a 3.12 kernel?
Sure is. 3.12.0-1-generic
--
Iain Lane [ <email address hidden> ]
Debian Developer [ <email address hidden> ]
Ubuntu Developer [ <email address hidden> ]
| Serge Hallyn (serge-hallyn) wrote : | #19 |
Quoting Iain Lane (<email address hidden>):
> On Thu, Nov 07, 2013 at 03:20:29PM -0000, Serge Hallyn wrote:
> > Quoting Iain Lane (<email address hidden>):
> > > I get this (newly?) when trying to update within sbuild within lxc
> > >
> > > [ 1927.282880] type=1400 audit(138381697
> > > operation="getattr" info="Failed name lookup - deleted entry" error=-2
> > > parent=11717 profile=
> >
> > lxc-start -> that is not the profile you should be under.
> >
> > Is this by chance a 3.12 kernel?
>
> Sure is. 3.12.0-1-generic
The fix for that should be in the trusty kernel I believe mid-next week.
Would you mind opening a new bug against lxc saying that if the
container is in profile lxc-start, and apparmor support is lacking,
it must run unconfined or refuse to run?
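The thread distinguishes two different symptoms behind the same "Failed name lookup - deleted entry" rejection: a container profile lacking mediate_deleted (comment #7), and a container that is still confined by the lxc-start profile because init never transitioned (comments #15, #17 and #19). As an added example, not code from the bug thread or from lxc, the script below triages AppArmor audit lines from dmesg and tags each denial with whichever symptom applies. The function name, the output format and the sample log lines are constructed for this example; only the field names (operation, info, error, parent, profile) come from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread: triage AppArmor audit lines
# (as seen in dmesg) for the two symptoms discussed in the thread. The log
# lines below are constructed for this example, not copied from a real host.

# Read audit lines from "$@" (or stdin); for each apparmor="DENIED" line print
# "<operation> <profile> <tags>", where tags is a comma-separated subset of
#   deleted-entry  : "Failed name lookup - deleted entry", i.e. the profile
#                    most likely needs the mediate_deleted flag
#   wrong-profile  : the process is still confined by lxc-start, so init never
#                    transitioned to the container profile
# or "other" when neither applies. Non-DENIED lines are ignored.
triage_apparmor_denials() {
    awk '
    # Extract the value of a key="value" field, or "-" when the key is absent.
    function field(line, key,   re) {
        re = key "=\"[^\"]*\""
        if (match(line, re))
            return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        return "-"
    }
    /apparmor="DENIED"/ {
        tags = ""
        if ($0 ~ /info="Failed name lookup - deleted entry"/)
            tags = "deleted-entry"
        prof = field($0, "profile")
        if (prof == "lxc-start") {
            if (tags != "") tags = tags ","
            tags = tags "wrong-profile"
        }
        if (tags == "")
            tags = "other"
        op = field($0, "operation")
        print op, prof, tags
    }' "$@"
}

# Constructed sample log: one denial from a container stuck in lxc-start, one
# deleted-entry denial from a proper container profile, one unrelated denial,
# and a STATUS line that must be ignored.
SAMPLE_LOG='[ 1927.282880] type=1400 audit(1383816970.100:1): apparmor="DENIED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=11717 profile="lxc-start" name="/var/lib/dpkg/tmp.ci/" pid=11800 comm="dpkg-divert" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2038.491817] type=1400 audit(1333119650.200:2): apparmor="DENIED" operation="open" info="Failed name lookup - deleted entry" error=-2 parent=2100 profile="lxc-container-default" name="/usr/lib/locale/locale-archive" pid=2150 comm="localedef" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2040.000000] type=1400 audit(1333119652.300:3): apparmor="DENIED" operation="mount" parent=2100 profile="lxc-container-default" name="/sys/" pid=2160 comm="mount" flags="rw"
[ 2041.000000] type=1400 audit(1333119653.400:4): apparmor="STATUS" operation="profile_load" name="lxc-container-default" pid=2170 comm="apparmor_parser"'

printf '%s\n' "$SAMPLE_LOG" | triage_apparmor_denials
```

On a live host the same function can be fed with `dmesg | triage_apparmor_denials`; a `wrong-profile` tag points at the kernel/lxc interaction discussed above rather than at the profile's rules, so adding mediate_deleted to the container profile would not help in that case.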
| Sidnei da Silva (sidnei) wrote : Re: apparmor prevents dpkg-divert and localedef from working in a container | #20 |
Confirmed fixed in 3.13.0-2-generic, where in 3.13.0-1-generic it was still failing.
| Randall Leeds (randall-leeds) wrote : | #21 |
Any chance this will be fixed in saucy?
| tags: | added: aa-feature |
| Changed in apparmor (Ubuntu): | |
| importance: | Undecided → Medium |
| summary: |
| summary: | apparmor prevents dpkg-divert and localedef from working in a container → Don't require use of mediate_deleted with LXC (was: apparmor prevents dpkg-divert and localedef from working in a container) |
| Changed in apparmor: | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| tags: | added: aa-kernel |
| Changed in linux (Ubuntu Precise): | |
| status: | New → Won't Fix |
| Changed in linux (Ubuntu): | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in apparmor (Ubuntu): | |
| milestone: | ubuntu-12.04 → none |


Reason for critical is that it's making random commands in container fail.
We've already got a few bug reports against udev, postgresql, ... all caused by that issue.