After Upgrade to 4: apparmor errors in syslog

moarph

Hello, since the update I get many errors in syslog (especially during backup, which seems to fail):
Code:
Oct 23 08:20:17 beta-vi kernel: audit: type=1400  audit(1445581217.935:32): apparmor="DENIED" operation="file_perm"  profile="lxc-container-default" name="private/bounce" pid=25387  comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:17 beta-vi kernel: audit: type=1400 audit(1445581217.935:33): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25387 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.007:34): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25724 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.007:35): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=25724 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:36): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:37): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.063:38): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.063:39): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.103:40): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.103:41): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
 
We use postfix in a few lxc systems. /var/log/syslog has many of these:
Code:
Oct 25 06:21:08 mail-new kernel: [1290868.375606] audit: type=1400 audit(1445768468.666:1450511): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=23873 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=100 ouid=0

# a different system:
Oct 25 06:21:03 imap kernel: [1290863.379725] audit: type=1400 audit(1445768463.666:1448340): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=23756 comm="lmtp" requested_mask="r" denied_mask="r" fsuid=100 ouid=0


Any clues on dealing with this?
 
I have postfix running as well... thanks for the hint... maybe a configuration error in postfix? However, I did not have any errors in syslog with openvz...
 
I'm unfamiliar with apparmor, so I will need to check how to configure it sometime. I'm in the middle of a few other projects, so it'll be a couple of weeks before checking further into this.
 
Easy to reproduce: create an lxc container, install postfix and execute the mailq command in it:
Oct 25 19:52:55 server kernel: audit: type=1400 audit(1445799175.890:1587): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=5100 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
From what I found via Google, it is kernel related...
cu peje
 
Here apparmor is installed on the pve host, not in the lxc, so we'll need to look at lxc config / setup.
 
I'm facing the same problem. After a successful upgrade to version 4 I get this error message on all of my guests. So how do I enable "globally" that the guests are able to use postfix?
 
yes
Code:
# mailq
postqueue: warning: close: Permission denied

# dmesg
[1375647.095448] audit: type=1400 audit(1445853329.624:1543305): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1375647.095454] audit: type=1400 audit(1445853329.624:1543306): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 
Any news on this? I tried to disable Apparmor (service apparmor stop) and restarted the guest - but the permission problems still persist.

How do I (temporarily) disable apparmor completely?
 
Hi, you can add this line in the container config (/etc/pve/lxc/.config) to disable apparmor:
Code:
lxc.aa_profile: unconfined
It worked for me on a CentOS 7 host with systemd.
 
Is it really just an Apparmor issue? I tried the above-mentioned solution to add lxc.aa_profile: unconfined. At first the error for postfix went away. But on Ubuntu-based machines I get error messages when logging in via ssh as root on my VPS:

Server refused to allocate pty
stdin: is not a tty

So I would prefer creating a new profile. Has anyone tried this already and can assist in creating a new profile?
 
There are plenty of threads about apparmor problems and yet I couldn't find any "solution" or user created profiles. I'm definitely not knowledgeable enough to profile and compile my own set of profiles so I guess I'll be turning off apparmor pretty soon.
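
For triaging denial floods like the ones posted in this thread, the following added example (not part of any post here and not Proxmox code) parses AppArmor DENIED audit records from syslog or dmesg text and counts them per profile, command, operation, object name and denied mask. The function names are hypothetical; the first three sample lines are copied from the posts above and the fourth is constructed.

```python
import re
from collections import Counter

# Sample input: three denial lines copied from the posts above (syslog and
# dmesg layouts) plus one constructed non-audit line that must be skipped.
SAMPLE = [
    'Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:36): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0',
    'Oct 23 08:20:18 beta-vi kernel: audit: type=1400 audit(1445581218.011:37): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=19730 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=108 ouid=0',
    '[1375647.095448] audit: type=1400 audit(1445853329.624:1543305): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=29520 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Oct 23 08:20:19 beta-vi kernel: eth0: link up (constructed, not an audit record)',
]

AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s+(apparmor="DENIED".*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None for other lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"epoch": float(m.group(1)), "serial": int(m.group(2))}
    for key, quoted, bare in FIELD_RE.findall(m.group(3)):
        if bare and key in ("name", "comm", "profile") and HEX_RE.fullmatch(bare):
            # The audit subsystem writes strings containing spaces or control
            # bytes as unquoted hex; decode them so paths stay readable.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare or quoted
    return rec

def summarize(lines):
    """Count denials per (profile, comm, operation, name, denied_mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(rec.get("profile"), rec.get("comm"), rec.get("operation"),
                    rec.get("name"), rec.get("denied_mask"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (profile, comm, op, name, mask), n in summarize(SAMPLE):
        print(f"{n:4d}  profile={profile} comm={comm} op={op} name={name} mask={mask}")
```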
 
