AppArmor denies named startup

[Ymo]

Hey

I'm currently running a CentOS 7 LXC container on Proxmox 4. When I try to start named it gets a permission denied error when trying to check /etc/named.conf. This is what systemd gives on the guest system:

systemd[2004]: Failed at step NAMESPACE spawning /usr/sbin/named-checkconf: Permission denied

On the host system I get this in the syslog:

[ 3103.353857] audit: type=1400 audit(1445010184.626:58): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=17805 comm="mount" flags="rw, remount

And using auditd logging I get this:

type=AVC msg=audit(1445011335.870:74): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=26196 comm="(heckconf)" flags="rw, rslave"      type=SYSCALL msg=audit(1445011335.870:74): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=55cb0
87ca8ee a2=0 a3=84000 items=0 ppid=17627 pid=26196 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(heckconf)" exe="/usr/lib/systemd/systemd" key=(null)           type=PROCTITLE msg=audit(1445011335.870:74): proctitle="(heckconf)"
type=SERVICE_START msg=audit(1445011335.898:75): pid=17627 uid=0 auid=1000 ses=1 msg=' comm="named" ex
e="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Is there anyone with AppArmor experience that can point me in the right direction of resolving this issue?

 

[wheaties82]

I had same issue, same errors. I couldn't figure out how to leave the named profile enabled and still get bind9 to start. So I disabled the apparmor profile for named.I used the following commands below. Disable named profile in apparmor

ln -s /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/disable/

Reload named profile in apparmor

apparmor_parser -R /etc/apparmor.d/usr.sbin.named

Restart bind

service bind9 restart

Make sure bind is running

systemctl status bind9 service

These commands moved the named profile into disable mode and allowed bind9 to restart. I know this is the most 'secure' way to do this - but for my SOHO system with no external open ports this works for me until I can find documentation explaining how to allow bind and apparmor to get along.

 

[Ovidiu]

I got some "similar" looking apparmor logs, should I also follow your advice of turning the apparmor profile for named off?

kernel: [84924.943455] audit: type=1400 audit(1446588837.269:739): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/named" name="/run/systemd/journal/dev-log" pid=1157 comm="named" requested_mask="w" denied_mask="w" fsuid=109 ouid=0

 

[wheaties82]

I haven't heard of any better response yet to allow named and apparmor to work together. Disable at your own risk.

 

[TBarbette]

I still have the same problem... However I don't have named on my proxmox machine, only inside the container.
So the file /etc/apparmor.d/usr.sbin/named does not exist and I cannot apply the proposed solution.

Nov 10 14:10:50 charlemagne kernel: [340367.115654] audit: type=1400 audit(1447161050.952:16): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=6081 comm="(heckconf)" flags="rw, rslave

The guest is a Centos 7.

 

[matthew]

Seeing same issue. Cannot get named to start on a Centos 7 LXC container.

 

[matthew]

Has anyone tried this fix?

http://forum.proxmox.com/threads/24416-Centos-7-LXC-Container-and-Bind?p=122896#post122896

 

[TBarbette]

I got back to KVM. My LXC containers cannot be backed up too... I'll just wait more time for LXC CT support to be more ready/stable, without having to hack here and there for all of them.

 

[wbumiller]

My opinion: there'll always be something to hack around in containers with the way things are currently developing (outside of proxmox). With SystemD people started adding flags to make use of all kinds of features (private dirs, namespace changes etc.) and most people don't think about containers when writing service files. Then there's the thing with AppArmor 3 still being buggy and that most people apparently aren't using it yet without containers. LXD seems to not be using it either and instead uses unprivileged containers (this solves some problems while creating others...) (we're experimenting with unprivileged container support, too, currently, so that could help).

 

[matthew]

>>> (we're experimenting with unprivileged container support, too, currently, so that could help).

How is that going? Will that be introduced?

 

[matthew]

>>> (we're experimenting with unprivileged container support, too, currently, so that could help).

How is that going? Will that be introduced?

So how do unprivileged containers work in 4.1? How do we enable this? Can AppArmor safely be turned off now or how does that work?