After Upgrade to 4: apparmor errors in syslog

moarph

Active Member
Dec 22, 2013
31
0
26
Hello, since the update I get many errors in syslog (especially during backup, which seems to fail):
Code:
Oct 23 08:20:17 beta-vi kernel: audit: type=1400 audit(1445581217.935:32): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25387 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:17 beta-vi kernel: audit: type=1400 audit(1445581217.935:33): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25387 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.007:34): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25724 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.007:35): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25724 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:36): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:37): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.063:38): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.063:39): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.103:40): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.103:41): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
 

RobFantini

Renowned Member
May 24, 2012
1,959
85
68
Boston,Mass
We use postfix in a few lxc systems. /var/log/syslog has many of these:
Code:
Oct 25 06:21:08 mail-new kernel: [1290868.375606] audit: type=1400 audit(1445768468.666:1450511): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=23873 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=100 ouid=0

# a different system:
Oct 25 06:21:03 imap kernel: [1290863.379725] audit: type=1400 audit(1445768463.666:1448340): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=23756 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=100 ouid=0


Any clues on dealing with this?
 

moarph

I have postfix running as well... thanks for the hint... maybe a configuration error in postfix? However, I did not have any errors in syslog with openvz...
 

RobFantini

I'm unfamiliar with apparmor, so will need to check how to configure it sometime. In the middle of a few other projects, so it'll be a couple of weeks before checking further into this.
 

peje

Member
Jul 4, 2015
12
0
21
Easy to reproduce: create an lxc container, install postfix and execute the mailq command in it:
Oct 25 19:52:55 server kernel: audit: type=1400 audit(1445799175.890:1587): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=5100 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
From what I found via Google, it is kernel related...
cu peje
 

RobFantini

Here apparmor is installed on the pve host, not in the lxc, so we'll need to look at lxc config / setup.
 

tgoetten

New Member
Feb 19, 2014
11
0
1
I'm facing the same problem. After a successful upgrade to version 4 I get this error message on all of my guests. So how do I enable "globally" that the guests are able to use postfix?
 

RobFantini

yes
Code:
# mailq
postqueue: warning: close: Permission denied

# dmesg
[1375647.095448] audit: type=1400 audit(1445853329.624:1543305): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1375647.095454] audit: type=1400 audit(1445853329.624:1543306): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 

tgoetten

Any news on this? I tried to disable Apparmor (service apparmor stop) and restarted the guest, but the permission problems still persist.

How do I (temporarily) disable apparmor completely?
 

F_M

Member
Nov 2, 2014
5
0
21
Hi, you can add this line in the container config (/etc/pve/lxc/.config) to disable apparmor:
Code:
lxc.aa_profile: unconfined
It worked for me on a CentOS 7 host with systemd.
 

tgoetten

New Member
Feb 19, 2014
11
0
1
Is it really just an Apparmor issue? I tried the above-mentioned solution to add lxc.aa_profile: unconfined. At first the error for postfix went away. But on Ubuntu-based machines I get error messages when logging in via ssh as root on my VPS:

Server refused to allocate pty
stdin: is not a tty

So I would prefer creating a new profile. Has anyone tried this already and can assist in creating a new profile?
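
Added example (not part of the original posts, and not Proxmox or AppArmor code): a way to see exactly which accesses the lxc-container-default profile is denying before choosing between a narrower profile and unconfined. It parses audit records in the format posted in this thread, rejoins lines that were wrapped mid-token, and counts denials per profile, command, operation, name and mask. The sample lines, host name and pids are constructed.

```python
import re
from collections import Counter

# key="value" or key=value pairs inside a kernel audit record
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# A new record starts with a syslog timestamp or a dmesg "[seconds]" stamp
START = re.compile(r'^(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d |\[\s*\d+\.\d+\] )')

def unwrap(lines):
    """Rejoin records that a terminal or paste wrapped mid-token."""
    out = []
    for line in lines:
        if START.match(line) or not out:
            out.append(line)
        elif line.strip():
            out[-1] += line          # continuation: glue back without a space
    return out

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line or "audit(" not in line:
        return None
    payload = line[line.index("audit("):]   # skip host name and timestamps
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in PAIR.finditer(payload)}

def summarise(lines):
    """Count denials per (profile, comm, operation, name, denied_mask)."""
    counts = Counter()
    for line in unwrap(lines):
        f = parse_denial(line)
        if f:
            counts[(f.get("profile"), f.get("comm"), f.get("operation"),
                    f.get("name"), f.get("denied_mask"))] += 1
    return counts

# Constructed sample in the syslog and dmesg formats shown in the thread
SAMPLE = '''\
Oct 23 08:20:17 host-a kernel: audit: type=1400 audit(1445581217.935:32): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=101 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 host-a kernel: audit: type=1400 audit(1445581218.011:36): apparmor="DENIED" opera
tion="file_perm" profile="lxc-container-default" name="private/bounce" pid=102 comm="qmgr" requested_mask="r" denied_mas
k="r" fsuid=108 ouid=0
[1375647.095448] audit: type=1400 audit(1445853329.624:1543305): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=103 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1375647.095454] audit: type=1400 audit(1445853329.624:1543306): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=103 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 08:20:19 host-a postfix/qmgr[102]: constructed non-audit line
'''.splitlines()

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key)
```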
 

Ovidiu

Active Member
Apr 27, 2014
309
10
38
There are plenty of threads about apparmor problems and yet I couldn't find any "solution" or user created profiles. I'm definitely not knowledgeable enough to profile and compile my own set of profiles so I guess I'll be turning off apparmor pretty soon.
 
