lxc container with postfix, permission denied on mailq
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Tim Gardner | |
| Vivid | Fix Released | Undecided | Tim Gardner | |
| Wily | Fix Released | Undecided | Tim Gardner | |
| Xenial | Fix Released | Medium | Tim Gardner | |
| lxc (Ubuntu) | Invalid | Medium | Unassigned | |
| Xenial | Invalid | Medium | Unassigned | |
Bug Description
[Impact]
* Users may encounter situations where applications confined by AppArmor hit
EACCES failures when operating on AF_UNIX stream sockets.
* These failures typically occur when the confined application attempts to
read from an AF_UNIX stream socket whose other end has already been closed.
* AppArmor mistakenly denies the socket operations because, once the socket
has been shut down, its sun_path is no longer available for AppArmor's
path-based mediation.
[Test Case]
The expected test case is:
$ sudo apt-get install postfix # installing in 'local only' config is fine
$ cat > bug.profile << EOF
profile bug-profile flags=(
network,
file,
}
EOF
$ sudo apparmor_parser -r bug.profile
$ aa-exec -p bug-profile -- mailq
Mail queue is empty
A failed test case will see the mailq command exit with an error:
$ aa-exec -p bug-profile -- mailq
postqueue: warning: close: Permission denied
and these denials will be found in the syslog:
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096168] audit: type=1400 audit(145376258
Jan 25 16:56:29 sec-vivid-amd64 kernel: [ 241.096175] audit: type=1400 audit(145376258
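A reproducer that replays the same socket sequence (path-based AF_UNIX stream socket, the peer shuts down and closes first, the other side then reads and closes) without needing postfix. This is an added example, not part of the bug report or of the kernel patch; the function names and the socket path are my own. Unconfined it always reports a clean EOF; run it under `aa-exec -p bug-profile --` with a profile like the one above loaded to exercise the confined path.

```python
import os
import socket
import tempfile


def probe_unix_stream_after_peer_close(sock_path):
    """Replay the socket sequence behind the bug without postfix.

    Bind a path-based AF_UNIX stream listener at sock_path, connect a client,
    let the accepting side shut down and close first, then read and close on
    the client.  Returns {"received": bytes, "eof": bool, "errno": None|int}.
    Under a confining profile on a kernel with the sun_path mediation bug the
    read/close after the peer has gone fails with EACCES instead of EOF.
    """
    result = {"received": b"", "eof": False, "errno": None}
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        listener.bind(sock_path)
        listener.listen(1)
        client.connect(sock_path)          # completes once queued in the backlog
        server_side, _ = listener.accept()
        server_side.sendall(b"ping")
        server_side.shutdown(socket.SHUT_RDWR)   # the peer goes away first
        server_side.close()
        try:
            result["received"] = client.recv(16)     # the queued "ping"
            result["eof"] = client.recv(16) == b""   # clean EOF expected
            client.close()                           # the call postqueue warned on
        except OSError as exc:                       # EACCES when the bug bites
            result["errno"] = exc.errno
    finally:
        client.close()
        listener.close()
        if os.path.exists(sock_path):
            os.unlink(sock_path)
    return result


def run_probe():
    """Run the probe against a socket in a private temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_unix_stream_after_peer_close(os.path.join(tmp, "probe.sock"))


if __name__ == "__main__":
    print(run_probe())   # errno None means the fixed behaviour was observed
```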
[Regression Potential]
* The changes are local to the path-based AF_UNIX stream socket mediation code
so that limits the regression potential to some degree.
* John Johansen authored the patch and I reviewed it. It is small and there are
no obvious areas of concern to me regarding potential regressions.
[Other Info]
* None at this time
[Original bug report]
Hello,
on three Vivid hosts, all of them up-to-date, I have the problem described here:
https:/
That bug report shows the problem was fixed, but it is not (at least on current Vivid).
ii linux-image-generic 3.19.0.15.14 amd64 Generic Linux kernel image
ii lxc 1.1.2-0ubuntu3 amd64 Linux Containers userspace tools
ii apparmor 2.9.1-0ubuntu9 amd64 User-space parser utility for AppArmor
Reproducible with:
$ sudo lxc-create -n test -t ubuntu
$ sudo lxc-start -n test
(inside container)
$ sudo apt-get install postfix
$ mailq
postqueue: warning: close: Permission denied
dmesg shows:
[82140.386109] audit: type=1400 audit(142966115
---
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
DistroRelease: Ubuntu 15.04
HibernationDevice: RESUME=
InstallationDate: Installed on 2015-02-27 (53 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
MachineType: LENOVO 20150
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=
linux-firmware 1.143
Tags: vivid
Uname: Linux 3.19.0-15-generic x86_64
UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
UserGroups: adm docker libvirtd lpadmin sambashare sudo
_MarkForUpload: True
dmi.bios.date: 12/19/2012
dmi.bios.vendor: LENOVO
dmi.bios.version: 5ECN95WW(V9.00)
dmi.board.name: INVALID
dmi.board.vendor: LENOVO
dmi.board.version: 31900004WIN8 STD SGL
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.product.name: 20150
dmi.sys.vendor: LENOVO
| Changed in | Field | Change |
|---|---|---|
| linux (Ubuntu) | importance | Undecided → Medium |
| lxc (Ubuntu) | status | Incomplete → Confirmed |
| lxc (Ubuntu) | description | updated |
| linux (Ubuntu Vivid) | assignee | nobody → Tim Gardner (timg-tpi) |
| linux (Ubuntu Vivid) | status | New → In Progress |
| linux (Ubuntu Wily) | assignee | nobody → Tim Gardner (timg-tpi) |
| linux (Ubuntu Wily) | status | New → In Progress |
| linux (Ubuntu Xenial) | assignee | nobody → Tim Gardner (timg-tpi) |
| linux (Ubuntu Xenial) | status | New → Fix Committed |
| linux (Ubuntu Xenial) | importance | Undecided → Medium |
| linux (Ubuntu Vivid) | status | In Progress → Fix Committed |
| linux (Ubuntu Wily) | status | In Progress → Fix Committed |
| lxc (Ubuntu Xenial) | status | Confirmed → Invalid |
| lxc (Ubuntu Vivid) | no longer affects | |
| lxc (Ubuntu Wily) | no longer affects | |
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1446906
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.