This is not actually a container problem but an apparmor3 problem. You can reproduce it by using aa-exec on the host (with any profile) starting with commit b3c3d641f1de (UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot) of the wily kernel: see
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/wily/log/security/apparmor

Also if I change my postfix service files on my host to use aa-exec so they're even in the same profile and then run mailq with aa-exec, or even just socat on that socket, the connect() will succeed, but the read() will fail with EACCES.

We also managed to hit the case described in 1390223 where executing mailq in a loop will *sometimes* succeed (though I could not myself reproduce this on my host machine.) We do have a server where it fails in only *some* containers (the only significant difference between them is that one set is 32 bit and one is 64 bit, but I couldn't reproduce that by simply running 32 bit postfix binaries on the host, so the differences might go beyond that).

Here's an example session with the wily kernel and postfix on a host modified to spawn with aa-exec:

# ps aux |grep postfix
root 556 0.0 0.5 108108 5124 ? Ss 10:21 0:00 /usr/lib/postfix/bin/master -w
postfix 557 0.0 0.6 110176 6868 ? S 10:21 0:00 pickup -l -t unix -u
postfix 558 0.0 0.6 110224 6768 ? S 10:21 0:00 qmgr -l -t unix -u
postfix 560 0.0 0.6 110176 6808 ? S 10:21 0:00 showq -t unix -u

# aa-status |grep -A5 'processes are in enforce mode.'
4 processes are in enforce mode.
lxc-container-default (556)
lxc-container-default (557)
lxc-container-default (558)
lxc-container-default (560)
0 processes are in complain mode.

# lsof -n |grep showq
master 556 root 61u unix 0xffff88003c99e000 0t0 12486 public/showq type=STREAM

# aa-exec -p lxc-container-default -- mailq
postqueue: warning: close: Permission denied

# aa-exec -p lxc-container-default -- socat UNIX:/var/spool/postfix/public/showq -
2015/11/03 10:23:48 socat[597] E read(5, 0x2103a00, 8192): Permission denied

# strace -f -- aa-exec -p lxc-container-default -- mailq
(...)
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x5606d5407f00, 4096) = -1 EACCES (Permission denied)

log:
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)
Nov 03 10:25:08 akern audit: PROCTITLE proctitle=706F73747175657565002D70
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied
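
Added example, not part of the original report: a small triage script that folds the AVC, SYSCALL and PROCTITLE records quoted above into one event per denial, naming the failing syscall and errno and decoding the hex-encoded command line. Because this journald output carries no audit serial, it assumes records belonging to one event are adjacent and share a pid; the function names and the short syscall table are this example's own.

```python
import errno
import re

# Audit records copied from the report above (journald format, no audit serial).
SAMPLE = [
    'Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)',
    'Nov 03 10:25:08 akern audit: PROCTITLE proctitle=706F73747175657565002D70',
]

REC = re.compile(r'audit(?:\[\d+\])?: (AVC|SYSCALL|PROCTITLE) (.*)')
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# x86_64 (arch=c000003e) syscall numbers relevant to this report.
X86_64 = {0: "read", 1: "write", 3: "close", 42: "connect"}

def fields(text):
    """Parse key=value pairs, stripping quotes from quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(text)}

def correlate(lines):
    """Fold adjacent AVC/SYSCALL/PROCTITLE records into one event per denial."""
    events, cur = [], None
    for line in lines:
        m = REC.search(line)
        if not m:
            continue
        kind, f = m.group(1), fields(m.group(2))
        if kind == "AVC" and f.get("apparmor") == "DENIED":
            key = (f["profile"], f["operation"], f["name"], f["pid"])
            if cur and cur["key"] == key and "syscall" not in cur:
                cur["avc_count"] += 1  # repeated identical denial, same event
            else:
                cur = {"key": key, "denied_mask": f["denied_mask"], "avc_count": 1}
                events.append(cur)
        elif kind == "SYSCALL" and cur and f.get("pid") == cur["key"][3]:
            nr = int(f["syscall"])
            known = X86_64 if f.get("arch") == "c000003e" else {}
            cur["syscall"] = known.get(nr, str(nr))
            cur["errno"] = errno.errorcode.get(-int(f["exit"]), "")
        elif kind == "PROCTITLE" and cur and "syscall" in cur:
            raw = f["proctitle"]
            # audit hex-encodes the title when it holds bytes such as NUL argv separators.
            if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
                raw = bytes.fromhex(raw).decode(errors="replace")
            cur["argv"] = raw.split("\0")
    return events

if __name__ == "__main__":
    for event in correlate(SAMPLE):
        print(event)
```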