AppArmor issues

atka

I keep getting this message in dmesg
audit: type=1400 audit(1509206955.080:768): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=2111 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
It isn't causing any issues but it is filling up the log with them. Any way to stop this?
 
I am experiencing this issue too, thousands of entries. Any way to limit the output?
 
I'm getting this too, every 30 minutes:
Code:
Jan 31 08:09:01 nucpve audit[32447]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=32447 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
Jan 31 08:09:01 nucpve kernel: audit: type=1400 audit(1517382541.576:156): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=32447 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none

No ideas?

Regards
Tom
 
I found the reason for this error message. I'm running PHP in an LXC container. In this container the script 'sessionclean' fails to get permission:
Code:
Feb  1 06:39:01 mariadb systemd[1]: Starting Clean php session files...
Feb  1 06:39:01 mariadb systemd[1812]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
Feb  1 06:39:01 mariadb systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
Feb  1 06:39:01 mariadb systemd[1]: Failed to start Clean php session files.
Feb  1 06:39:01 mariadb systemd[1]: phpsessionclean.service: Unit entered failed state.
Feb  1 06:39:01 mariadb systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
Feb  1 06:39:01 mariadb CRON[1813]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)

For now I disabled the timer for this service.
It seems to run via cron anyways?

Where to start changing something? In apparmor-config on host or sessionclean-script in container?
 
Yes, that describes what I have done, plus changing the cron job.
This needs to be done on the container with php running:

A temporary fix is:
Code:
systemctl disable phpsessionclean.timer
systemctl stop phpsessionclean.timer

Then fix the cron for operation without systemd in: /etc/cron.d/php
Code:
##09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi
09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean
 
I recently have begun to get these messages in my logs as well as many more, every 30 minutes on the dot:

Code:
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 comm="(ionclean)" family="unix" sock_ty
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=763
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/bin/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/boot/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/home/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/lib/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/lib64/" p
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/root/" pi
Apr 30 21:39:01 <domain> kernel: kauditd_printk_skb: 16 callbacks suppressed
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1287): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1288): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1289): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.080:1290): apparmor="ALLOWED" operation="file_lock" profile="lxc-container-default-cgns" pid=7632 com
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.082:1291): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.082:1292): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.082:1293): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.083:1294): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.083:1295): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> kernel: audit: type=1400 audit(1525138741.083:1296): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/run/user/
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/sbin/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/tmp/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/usr/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/var/tmp/"
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/bin/" pid=
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/boot/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/home/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/lib/" pid=
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/lib64/" pi
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/root/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/run/user/"
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sbin/" pid
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/usr/" pid=
Apr 30 21:39:01 <domain> audit[7632]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=763
Apr 30 21:39:01 <domain> systemd[1]: Started Proxmox VE replication runner.

Has a solution for these been found yet? I applied the "quick fix" mentioned earlier and it hasn't stopped the messages.
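
Added example, not part of any post in this thread: a small Python triage script that groups AppArmor audit records like the ones quoted above by verdict, operation, profile and comm, so a flood of entries reduces to a few distinct sources. The sample lines are constructed in the thread's log format, and the names `parse_apparmor` and `summarise` are this example's own.

```python
import re
from collections import Counter

# key="value" or key=value. A quoted value with no closing quote (line cut
# off by the pager or the paste) is still captured and marked as truncated.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)("?)|(\S+))')
KEYS = ("apparmor", "operation", "profile", "comm")

# Constructed sample records in the format quoted in this thread.
SAMPLE = [
    'Jan 31 08:09:01 host audit[1001]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=1001 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none',
    'Jan 31 08:09:01 host kernel: audit: type=1400 audit(1517382541.576:156): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=1001 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none',
    'Jan 31 08:39:01 host audit[1002]: AVC apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/bin/" pid',
    'Jan 31 08:39:01 host kernel: audit: type=1400 audit(1517384341.082:157): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="lxc-cont',
    'Jan 31 08:39:01 host systemd[1]: Started Proxmox VE replication runner.',
]


def parse_apparmor(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    start = line.find("apparmor=")
    if start < 0:
        return None
    rec = {}
    for key, quoted, close, bare in FIELD.findall(line[start:]):
        if bare:
            rec[key] = bare
        else:
            # No closing quote: keep what is there and flag it with "...".
            rec[key] = quoted if close else quoted + "..."
    return rec


def summarise(lines):
    """Count records per (verdict, operation, profile, comm); '?' = field absent."""
    counts = Counter()
    for line in lines:
        rec = parse_apparmor(line)
        if rec is not None:
            counts[tuple(rec.get(k, "?") for k in KEYS)] += 1
    return counts


if __name__ == "__main__":
    # journald shows each event twice (audit[pid] and kernel), so counts include both.
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key)
```

AppArmor logs `ALLOWED` for a profile in complain mode and `DENIED` for one in enforce mode, so the first column of the summary shows whether the noisy records correspond to operations that were actually blocked.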
 
