After Upgrade to 4: apparmor errors in syslog

moarph

Hello, since the update I get many errors in syslog (especially during backup, which seems to fail):
Code:
Oct 23 08:20:17 beta-vi kernel: audit: type=1400  audit(1445581217.935:32): apparmor="DENIED" operation="file_perm"  profile="lxc-container-default" name="private/bounce" pid=25387  comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:17 beta-vi kernel: audit: type=1400 audit(1445581217.935:33): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25387 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.007:34): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25724 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.007:35): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25724 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:36): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:37): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.063:38): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.063:39): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.103:40): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.103:41): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
 
We use postfix in a few lxc systems. /var/log/syslog has many of these:
Code:
Oct 25 06:21:08 mail-new kernel: [1290868.375606] audit: type=1400 audit(1445768468.666:1450511): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=23873 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=100 ouid=0

# a different system:
Oct 25 06:21:03 imap kernel: [1290863.379725] audit: type=1400 audit(1445768463.666:1448340): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=23756 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=100 ouid=0


Any clues on dealing with this?
 
I have postfix running as well... thanks for the hint... maybe a configuration error in postfix? However, I did not have any errors in syslog with openvz...
 
I have postfix running as well... thanks for the hint... maybe a configuration error in postfix? However, I did not have any errors in syslog with openvz...

I'm unfamiliar with apparmor, so will need to check how to configure it sometime. In the middle of a few other projects, so it'll be a couple of weeks before checking further into this.
 
Easy to reproduce: create an lxc container, install postfix and execute the mailq command in it:
Oct 25 19:52:55 server kernel: audit: type=1400 audit(1445799175.890:1587): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=5100 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
From what I found via Google, it is kernel related...
cu peje
 
Easy to reproduce: create an lxc container, install postfix and execute the mailq command in it:

From what I found via Google, it is kernel related...
cu peje

Here apparmor is installed on the pve host, not in the lxc, so we'll need to look at lxc config / setup.
 
I'm facing the same problem. After a successful upgrade to version 4 I get this error message on all of my guests. So how do I enable "globally" that the guests are able to use postfix?
 
yes
Code:
# mailq
postqueue: warning: close: Permission denied

# dmesg
[1375647.095448] audit: type=1400 audit(1445853329.624:1543305): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1375647.095454] audit: type=1400 audit(1445853329.624:1543306): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
Any news on this? I tried to disable Apparmor (service apparmor stop) and restarted the guest - but the permission problems still persist.

How do I (temporarily) disable apparmor completely?
 
Hi, you can add this line in the container config (/etc/pve/lxc/.config) to disable apparmor:
Code:
lxc.aa_profile: unconfined
It worked for me on a CentOS 7 host with systemd.
 
Is it really just an Apparmor issue? I tried the above mentioned solution to add lxc.aa_profile: unconfined. At first the error for postfix went away. But on Ubuntu based machines I get error messages when logging in via ssh as root on my VPS:

Server refused to allocate pty
stdin: is not a tty

So I would prefer creating a new profile. Has anyone tried this already and can assist in creating a new profile?
 
There are plenty of threads about apparmor problems and yet I couldn't find any "solution" or user created profiles. I'm definitely not knowledgeable enough to profile and compile my own set of profiles so I guess I'll be turning off apparmor pretty soon.
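
An added example, not part of any post in this thread: a small parser that turns the kernel audit lines quoted above into a per-profile, per-program summary of what is being denied, which is the inventory needed before adjusting or writing a profile. The function names `parse_denial` and `summarize` are hypothetical; the sample lines are copied from the posts above, plus one constructed non-audit line.

```python
import re
from collections import Counter

# Sample input: four audit records copied from the posts above (syslog and
# dmesg forms) and one constructed non-audit line that must be ignored.
SAMPLE = '''\
Oct 23 08:20:17 beta-vi kernel: audit: type=1400 audit(1445581217.935:33): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25387 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:36): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:37): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
[1375647.095448] audit: type=1400 audit(1445853329.624:1543305): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 23 08:20:19 beta-vi cron[1]: constructed line that is not an audit record
'''

AUDIT_ID = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')   # audit(epoch.msec:serial)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')        # key="value" or key=value


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    m = AUDIT_ID.search(line)
    if not m or 'apparmor="DENIED"' not in line:
        return None
    # Only parse the key=value pairs that follow the audit(...) stamp.
    rec = {k: (q or u) for k, q, u in FIELD.findall(line[m.end():])}
    rec["epoch"], rec["serial"] = int(m.group(1)), int(m.group(3))
    return rec


def summarize(text):
    """Count denials per (profile, operation, comm, name, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_denial(line)
        if rec:
            counts[tuple(rec.get(k) for k in
                         ("profile", "operation", "comm", "name", "denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  profile={key[0]} op={key[1]} comm={key[2]} name={key[3]} mask={key[4]}")
```

Run against a full syslog, the summary shows whether the denials are confined to one profile and a few programs, as in the lines posted here, or are broader.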