App Armor issues

atka

Renowned Member
Sep 13, 2013
I keep getting this message in dmesg
Code:
audit: type=1400 audit(1509206955.080:768): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=2111 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
It isn't causing any issues but it is filling up the log with them. Any way to stop this?
 
I am experiencing this issue too, thousands of entries; is there any way to limit the output?
 
I'm getting this too, every 30 minutes:
Code:
Jan 31 08:09:01 nucpve audit[32447]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=32447 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
Jan 31 08:09:01 nucpve kernel: audit: type=1400 audit(1517382541.576:156): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=32447 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none

No ideas?

Regards
Tom
 
I found the reason for this error message. I'm running PHP in an LXC container. In this container the script 'sessionclean' fails to get permission:
Code:
Feb  1 06:39:01 mariadb systemd[1]: Starting Clean php session files...
Feb  1 06:39:01 mariadb systemd[1812]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
Feb  1 06:39:01 mariadb systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
Feb  1 06:39:01 mariadb systemd[1]: Failed to start Clean php session files.
Feb  1 06:39:01 mariadb systemd[1]: phpsessionclean.service: Unit entered failed state.
Feb  1 06:39:01 mariadb systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
Feb  1 06:39:01 mariadb CRON[1813]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)

For now I disabled the timer for this service.
It seems to run via cron anyway?

Where to start changing something? In apparmor-config on host or sessionclean-script in container?
 
Yes, that describes what I have done, plus changing the cronjob.
This needs to be done on the container with php running:

A temporary fix is:
Code:
systemctl disable phpsessionclean.timer
systemctl stop phpsessionclean.timer

Then fix the cron for operation without systemd in: /etc/cron.d/php
Code:
##09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi
09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean
 
I recently have begun to get these messages in my logs as well as many more, every 30 minutes on the dot:

Code:
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=763
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/bin/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/boot/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/home/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/lib/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/lib64/" p
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/root/" pi
Apr 30 21:39:01 <domain> kernel: kauditd_printk_skb: 16 callbacks suppressed
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1287): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1288): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1289): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1290): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.082:1291): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.082:1292): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.082:1293): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.083:1294): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.083:1295): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.083:1296): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/run/user/
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/sbin/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/tmp/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/usr/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/var/tmp/"
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/bin/" pid=
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/boot/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/home/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/lib/" pid=
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/lib64/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/root/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/run/user/"
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sbin/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/usr/" pid=
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=763
Apr 30 21:39:01 <domain> systemd[1]: Started Proxmox VE replication runner.

Has a solution for these been found yet? I applied the "quick fix" mentioned earlier and it hasn't stopped the messages.
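Before deciding whether to touch the AppArmor profile on the host or the timer/cron entry in the container, it helps to know exactly which profile, operation and program are producing the volume, and whether the entries are real denials (apparmor="DENIED") or complain-mode logging (apparmor="ALLOWED" with error=-13, where the operation went through but would be refused in enforce mode). The following script is an added example, not code from the thread or from Proxmox; it parses the key=value fields of the audit lines shown in this thread and aggregates them. The sample lines are constructed from the posts above (host names and the completed tails of the truncated mount lines are made up).

```python
"""Triage AppArmor audit noise from dmesg / journald output.

Added example (not from the thread): groups apparmor="DENIED" / "ALLOWED"
events so you can see which profile, operation and program generate the
bulk of the entries before changing a profile or a timer.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the thread's output. Host names and
# pids are made up, and the mount lines (cut off in the thread) are completed
# with an assumed comm="(ionclean)" field.
SAMPLE_LOG = """\
audit: type=1400 audit(1509206955.080:768): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=2111 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
Jan 31 08:09:01 nucpve audit[32447]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=32447 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
Apr 30 21:39:01 pve audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=7632 comm="(ionclean)"
Apr 30 21:39:01 pve audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/usr/" pid=7632 comm="(ionclean)"
Apr 30 21:39:01 pve kernel: kauditd_printk_skb: 16 callbacks suppressed
Apr 30 21:39:01 pve systemd[1]: Started Proxmox VE replication runner.
"""

# key=value pairs: the value is either double-quoted (may contain spaces,
# e.g. info="failed flags match") or a bare token such as pid=7632 / error=-13
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_complain_mode(fields):
    """apparmor="ALLOWED" is what a complain-mode profile logs: the operation
    was permitted, but the same event would be a denial in enforce mode."""
    return fields.get("apparmor") == "ALLOWED"


def summarize(log_text):
    """Count events by (verdict, operation, info) so the noise source is obvious."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields:
            counts[(fields.get("apparmor"), fields.get("operation"), fields.get("info", ""))] += 1
    return counts


def noisiest(log_text, n=3):
    """Top-n (profile, comm) pairs: which program under which profile to look at first."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields:
            counts[(fields.get("profile"), fields.get("comm"))] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    # Real use: journalctl -k | python3 this_script.py  (replace SAMPLE_LOG with sys.stdin.read())
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {key}")
    print(noisiest(SAMPLE_LOG))
```

On the thread's data this points every entry at comm="(ionclean)" under the lxc-container-default-cgns profile, which is the PHP sessionclean job run by the phpsessionclean timer; that is the reason the earlier posts fix the timer and cron entry inside the container rather than loosening the host profile.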