we do have several apparmor denials in there but none of them are directly related to namespace creation. I have pasted then below just to make sure they don't disappear when the pastebin is reaped. It is possible that one of these denials is blocking the creation of a namespace if its calling a function that setups the namespace to fail before doing the actual namespace creation but I think this unlikely just because the paths don't line up with /run/user/
More concerning is
[ 58.869512] kauditd_printk_skb: 66 callbacks suppressed
which means we are missing some messages. Generally setting /proc/sys/kernel/printk_ratelimit to 0 will fix this and let us get most if not all of the missing messages if the test is rerun.
ie.
echo 0 > /proc/sys/kernel/printk_ratelimit
rerun test
grab log
we do have several apparmor denials in there but none of them are directly related to namespace creation. I have pasted then below just to make sure they don't disappear when the pastebin is reaped. It is possible that one of these denials is blocking the creation of a namespace if its calling a function that setups the namespace to fail before doing the actual namespace creation but I think this unlikely just because the paths don't line up with /run/user/
More concerning is
[ 58.869512] kauditd_printk_skb: 66 callbacks suppressed
which means we are missing some messages. Generally setting /proc/sys/ kernel/ printk_ ratelimit to 0 will fix this and let us get most if not all of the missing messages if the test is rerun. kernel/ printk_ ratelimit
ie.
echo 0 > /proc/sys/
rerun test
grab log
[ 58.869517] audit: type=1400 audit(167575785 2.408:120) : apparmor="DENIED" operation="capable" class="cap" profile= "/usr/lib/ snapd/snap- confine" pid=1986 comm="snap-confine" capability=12 capname="net_admin" 2.408:121) : apparmor="DENIED" operation="capable" class="cap" profile= "/usr/lib/ snapd/snap- confine" pid=1986 comm="snap-confine" capability=38 capname="perfmon" 2.428:122) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ meta/snap. yaml" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2.432:123) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ etc/apparmor. d/cache/ " pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2.460:124) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ usr/local/ share/fonts/ " pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2.460:125) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ usr/local/ share/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2.464:126) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ var/lib/ snapd/hostfs/ usr/share/ fonts/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2.508:127) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ usr/local/ share/fonts/ " pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 2.561:128) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ meta/snap. yaml" pid=2009 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 2.561:129) : apparmor="DENIED" operation="getattr" class="file" profile= "snap-update- ns.slack" name="/ etc/apparmor. d/cache/ " pid=2009 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 58.869556] audit: type=1400 audit(167575785
[ 58.891561] audit: type=1400 audit(167575785
[ 58.893320] audit: type=1400 audit(167575785
[ 58.923054] audit: type=1400 audit(167575785
[ 58.923069] audit: type=1400 audit(167575785
[ 58.925563] audit: type=1400 audit(167575785
[ 58.972193] audit: type=1400 audit(167575785
[ 59.020734] audit: type=1400 audit(167575785
[ 59.021624] audit: type=1400 audit(167575785