Hi Ivan,

Ivan Sergio Borgonovo:
> As you said probably apparmor seems not to be the culprit.

> Nov 04 20:21:13 kerberos audit[1280]: AVC apparmor="DENIED" operation="mount"
> info="failed type match" error=-13 profile="lxc-container-default-cgns"
> name="/sys/fs/cgroup/unified/" pid=1280 comm="systemd" fstype="cgroup2"
> srcname="cgroup2" flags="rw, nosuid, nodev, noexec"

This one looks like a bug in the LXC AppArmor profiles; please report it
against the lxc package.

And then I see a bunch of errors caused by the lxc-container-default-cgns
profile that seem to cause trouble for dovecot, Apache and tor:

> Nov 04 20:21:17 kerberos audit[1591]: AVC apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-container-default-cgns"
> name="/" pid=1591 comm="(dovecot)" flags="rw, rslave"
> Nov 04 20:21:17 kerberos audit[1598]: AVC apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-container-default-cgns"
> name="/" pid=1598 comm="(pachectl)" flags="rw, rslave"
> Nov 04 20:21:17 kerberos audit[1611]: AVC apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-container-default-cgns"
> name="/" pid=1611 comm="(tor)" flags="rw, rslave"
> Nov 04 20:21:17 kerberos kernel: audit: type=1400 audit(1541359277.987:59):
> apparmor="DENIED" operation="mount" info="failed flags match" error=-13
> profile="lxc-container-default-cgns" name="/" pid=1611 comm="(tor)"
> flags="rw, rslave"
> Nov 04 20:24:55 kerberos kernel: audit: type=1400 audit(1541359495.750:60):
> apparmor="DENIED" operation="mount" info="failed flags match" error=-13
> profile="lxc-container-default-cgns" name="/" pid=1881 comm="(tor)"
> flags="rw, rslave"
> Nov 04 20:24:55 kerberos kernel: audit: type=1400 audit(1541359495.750:61):
> apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
> profile="lxc-container-default-cgns" name="system_tor" pid=1881 comm="(tor)"

Now this gets interesting:

> 96 processes are in enforce mode.
> […]
> /usr/bin/tor (1881) lxc-container-default-cgns
> /usr/lib/dovecot/anvil (1884) lxc-container-default-cgns
> /usr/lib/dovecot/log (1885) lxc-container-default-cgns

… and many more processes confined under the lxc-container-default-cgns
profile. Are you actually running dovecot, tor, postgres, sshd, smbd,
Postfix, dhclient etc. in LXC containers? Or is the
lxc-container-default-cgns profile somehow erroneously applied to these
processes?

Cheers,
--
intrigeri
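The following is an added worked example, not part of the mail thread above and not code from the lxc or apparmor packages. It parses AppArmor audit records of the kind quoted in the message (both the `audit[pid]: AVC ...` and the `kernel: audit: type=1400 ...` journal formats), groups the denials by profile, operation and process, and singles out the `change_onexec` / `label not found` record, which tells you that a confined process asked to switch to a profile (`name="system_tor"`) that is not loaded in its policy view. The sample log below is constructed from the lines quoted in the mail, joined back onto one line per record; the helper names (`parse_apparmor_line`, `summarize_denials`, `profile_transition_failures`, `processes_under_profile`, `confining_profile`) are my own.

```python
import re
from collections import Counter

# Constructed sample input: the AppArmor records quoted in the mail above,
# one record per line (the mail quoting wraps them; journalctl does not).
SAMPLE_LOG = """\
Nov 04 20:21:13 kerberos audit[1280]: AVC apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=1280 comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev, noexec"
Nov 04 20:21:17 kerberos audit[1591]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1591 comm="(dovecot)" flags="rw, rslave"
Nov 04 20:21:17 kerberos audit[1598]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1598 comm="(pachectl)" flags="rw, rslave"
Nov 04 20:21:17 kerberos audit[1611]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1611 comm="(tor)" flags="rw, rslave"
Nov 04 20:24:55 kerberos kernel: audit: type=1400 audit(1541359495.750:60): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=1881 comm="(tor)" flags="rw, rslave"
Nov 04 20:24:55 kerberos kernel: audit: type=1400 audit(1541359495.750:61): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="lxc-container-default-cgns" name="system_tor" pid=1881 comm="(tor)"
"""

# key="quoted value" or key=bare_value; quoted values may contain spaces
# (info="failed flags match", flags="rw, rslave"), so both forms are needed.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict,
    or None if the line carries no apparmor="..." token at all."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    if "apparmor" not in fields:
        return None
    for numeric in ("pid", "error"):
        if numeric in fields:
            fields[numeric] = int(fields[numeric])
    return fields


def parse_log(text):
    """Parse every AppArmor record in a journalctl/dmesg text dump."""
    events = []
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev is not None:
            events.append(ev)
    return events


def summarize_denials(events):
    """Count DENIED records by (profile, operation, comm, info)."""
    counts = Counter()
    for ev in events:
        if ev.get("apparmor") == "DENIED":
            key = (ev.get("profile"), ev.get("operation"),
                   ev.get("comm"), ev.get("info"))
            counts[key] += 1
    return counts


def profile_transition_failures(events):
    """Records where a confined process asked to change profile on exec and
    the kernel could not find the target label: the profile named in name=
    is not loaded in that process's policy view, so the transition fails
    with ENOENT (error=-2) instead of landing the process in its intended
    profile."""
    return [ev for ev in events
            if ev.get("operation") in ("change_onexec", "change_profile")
            and ev.get("info") == "label not found"]


def processes_under_profile(events, profile):
    """Distinct (pid, comm) pairs seen confined under the given profile."""
    return sorted({(ev["pid"], ev.get("comm")) for ev in events
                   if ev.get("profile") == profile and "pid" in ev})


def confining_profile(pid):
    """Ask the kernel which profile confines a live process (not testable
    offline; returns None if the pid or the attr file is unavailable)."""
    for path in (f"/proc/{pid}/attr/apparmor/current",
                 f"/proc/{pid}/attr/current"):
        try:
            with open(path) as f:
                return f.read().strip()
        except OSError:
            continue
    return None


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in summarize_denials(events).most_common():
        print(n, key)
    for ev in profile_transition_failures(events):
        print("profile switch failed:", ev["comm"], "->", ev["name"],
              "errno", ev["error"])
    print(processes_under_profile(events, "lxc-container-default-cgns"))
```

Running it on the constructed sample lists the mount denials per process and reports the one failed transition, `(tor) -> system_tor` with errno -2. To answer the question the mail ends with on a live host, `confining_profile(pid)` for the pids that `aa-status` lists gives the same answer from the kernel's side; a daemon started from the host's own unit files should report its own profile or `unconfined`, not the container profile.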