On 09/01/2019 at 21:51, Bernhard Schmidt wrote:
> Package: lxc
> Version: 1:3.1.0-1
> Severity: important
>
> Hi,
>
> I freshly installed lxc on my testing box and could not run a container with
> weird error messages
>
> root@BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
> lxc-start: autopkgtest-unstable-amd64: lsm/lsm.c: lsm_process_label_set_at:
> 174 No such file or directory - Failed to set AppArmor label
> "lxc-container-default-cgns"
> lxc-start: autopkgtest-unstable-amd64: lsm/apparmor.c:
> apparmor_process_label_set: 1102 Failed to change AppArmor profile to
> lxc-container-default-cgns
> lxc-start: autopkgtest-unstable-amd64: sync.c: __sync_wait: 62 An error
> occurred in another process (expected sequence number 5)
> lxc-start: autopkgtest-unstable-amd64: start.c: __lxc_start: 1972 Failed to
> spawn container "autopkgtest-unstable-amd64"
> lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 330 The
> container failed to start
> lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 336
> Additional information can be obtained by setting the --logfile and
> --logpriority options
>
> This is caused by this AppArmor DENIED
>
> Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED"
> operation="change_profile" info="label not found" error=-2
> profile="unconfined" name="lxc-container-default-cgns" pid=15070
> comm="lxc-start"
> Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61):
> apparmor="DENIED" operation="change_profile" info="label not found" error=-2
> profile="unconfined" name="lxc-container-default-cgns" pid=15070
> comm="lxc-start"
>
> After running
>
> apparmor_parser to load the lxc-configuration profile it works
>
> root@BOTOX:/etc/apparmor.d# apparmor_parser -r -W -T
> /etc/apparmor.d/lxc-containers
> root@BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
>
> systemd 240 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR
> +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP
> +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
> Detected virtualization lxc.
> Detected architecture x86-64.
>
> I assume a reboot would have helped as well, possibly this just needs to be
> added to postinst?

Thanks for your report. I'll try to include this change in the next release of lxc, quite soon!

My bad for missing this, I admit I didn't meet the issue, probably because my configuration is more relaxed than yours?

Cheers. :)

--
PEB
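
A triage check for the failure discussed in this thread, added here as an example and not part of the original messages or of lxc: it scans audit records for `change_profile` denials with `info="label not found"` and reports the requested profiles that are absent from the loaded set. The function names, the third log line and the loaded-profile listing are constructed for illustration; the listing assumes the `name (mode)` layout of `/sys/kernel/security/apparmor/profiles`.

```python
import re

# Constructed sample: the two audit lines from the report (unwrapped), plus one
# unrelated denial invented here to show that it is ignored.
SAMPLE_LOG = """\
Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"
Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"
Jan 09 21:45:02 BOTOX kernel: audit: type=1400 audit(1547066702.100:62): apparmor="DENIED" operation="open" profile="example-profile" name="/etc/shadow" pid=15100 comm="cat" requested_mask="r" denied_mask="r"
"""

# Constructed sample in the assumed "name (mode)" layout of the profiles file.
SAMPLE_LOADED = "example-profile (enforce)\n/usr/sbin/example (complain)\n"

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split an audit record into key/value pairs, unquoting quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def loaded_profiles(text):
    """Return the set of profile names from a 'name (mode)' listing."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, sep, _mode = line.rpartition(" (")
            names.add(name if sep else line)
    return names


def missing_labels(log_text, loaded):
    """Map each requested-but-unloaded profile to the commands that asked for it.

    The same event is logged twice (audit[...] and kernel: audit:), so results
    are collected in sets to avoid double counting.
    """
    missing = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "change_profile"
                and f.get("info") == "label not found"
                and f.get("name") and f["name"] not in loaded):
            missing.setdefault(f["name"], set()).add(f.get("comm", "?"))
    return missing


if __name__ == "__main__":
    found = missing_labels(SAMPLE_LOG, loaded_profiles(SAMPLE_LOADED))
    for name, comms in sorted(found.items()):
        print(f"profile {name!r} not loaded (requested by {', '.join(sorted(comms))})")
```

On a live system the inputs would be the kernel audit messages and the contents of `/sys/kernel/security/apparmor/profiles`; a profile reported here is one that still needs to be loaded, as the reporter did with `apparmor_parser`.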