Andreas, you are right that this is related to LP: #2121552. I'll try to explain:
This is a unix operation, and as Seth mentioned, we crosscheck, at the same time, whether:
1. the sender is allowed to send to the receiver, and
2. the receiver is allowed to receive from the sender.

That's why unix rules have a peer component to them:

  unix (receive) peer=(label=unconfined),

This rule is included in abstractions/base, so rsyslog is allowed to receive unix sockets from unconfined, which is the case here.

There's another detail though: since this is a named unix socket, AppArmor also does a filesystem check using file rules. That's the denial we are seeing due to the bug in 2121552. Since systemd-journald (owner of the unix socket and unconfined) is running in the container in an (apparmor) virtualized stack, rsyslog is not being allowed delegation of the unconfined fd by default as expected. This will require a kernel fix for a permanent solution. Meanwhile,

  /run/systemd/journal/dev-log r,

in rsyslog should allow it.

--
https://bugs.launchpad.net/bugs/2123821

Title:
  bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"

Status in apparmor package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  Confirmed

Bug description:
  On my Questing system running LXD containers, my kernel log is full of messages like:

  [ 129.551382] audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

  One of my containers is named "q", hence the "root//lxd-q...". Some actual functionality is likely broken in the container.
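As an added example (not code from the bug thread or from AppArmor itself), a small Python parser for audit lines of the shape quoted in the report: it extracts the fields, flags denials that came from a child policy namespace such as the container's `root//lxd-q_<...>`, and derives the candidate file rule the comment proposes (`/run/systemd/journal/dev-log r,`). The sample log line is a constructed copy of the one in the bug description; all function names are my own.

```python
import re
from typing import Optional

# Constructed sample, shaped like the denial quoted in the bug description.
SAMPLE_LOG = (
    '[  129.551382] audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" '
    'operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" '
    'profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000'
)

# key="quoted value" or key=bare_value; quoted values may contain '<', '>' and '/'.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Permission letters that can be copied verbatim into a file rule. Execute ('x')
# is deliberately excluded: it needs an explicit ix/px/cx/ux qualifier.
_PLAIN_FILE_PERMS = set("rwalkm")


def parse_apparmor_denial(line: str) -> Optional[dict]:
    """Return the key/value fields of an apparmor="DENIED" audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}


def is_container_namespace(fields: dict) -> bool:
    """True when the policy namespace is a child of root (e.g. root//lxd-q_<...>,
    the report's container 'q'), i.e. the denial was raised inside a container."""
    return fields.get("namespace", "root").startswith("root//")


def suggest_file_rule(fields: dict) -> Optional[str]:
    """For a class="file" denial, build the candidate rule from the comment above:
    denied path plus denied permission mask. Returns None for non-file events or
    when the mask needs a manual decision (execute bits or an unknown letter)."""
    if fields.get("class") != "file" or "name" not in fields:
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if not mask or not set(mask) <= _PLAIN_FILE_PERMS:
        return None
    return f'{fields["name"]} {mask},'


if __name__ == "__main__":
    fields = parse_apparmor_denial(SAMPLE_LOG)
    print("from container namespace:", is_container_namespace(fields))
    print("candidate rule:", suggest_file_rule(fields))
```

The suggested rule is only a starting point: as the comment notes, the underlying delegation problem needs a kernel fix, and execute masks are left for a human to qualify.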

