Hi @stgraber, thanks for your reply,
After checking the system logs, apparmor seems to be the problem.
Bookworm audit[12187]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12187 comm="apparmor_parser"
Bookworm kernel: audit: type=1400 audit(1736328423.437:129): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12187 comm="apparmor_parser"
Bookworm audit[12198]: AVC apparmor="DENIED" operation="open" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/etc/login.defs" pid=12198 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Bookworm audit[12198]: AVC apparmor="DENIED" operation="exec" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/usr/sbin/dnsmasq" pid=12198 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Bookworm systemd-networkd[886]: incusbr0: Link DOWN
Bookworm kernel: audit: type=1400 audit(1736328423.441:130): apparmor="DENIED" operation="open" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/etc/login.defs" pid=12198 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Bookworm kernel: audit: type=1400 audit(1736328423.441:131): apparmor="DENIED" operation="exec" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/usr/sbin/dnsmasq" pid=12198 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Bookworm NetworkManager[988]: <info> [1736328423.5094] device (incusbr0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Bookworm audit[12207]: AVC apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12207 comm="apparmor_parser"
Bookworm kernel: audit: type=1400 audit(1736328423.629:132): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12207 comm="apparmor_parser"
I added an apparmor profile for Incus (Unofficial, self-created) :
profile incus_dnsmasq-incusbr0_ "/var/lib/incus/**" {
# Allow execution of dnsmasq
/usr/sbin/dnsmasq rix,
# Allow reading of login.defs
/etc/login.defs r,
# Allow access to sockets and necessary files
/var/lib/incus/** rw,
/run/** rw,
/etc/** r,
/dev/** rw,
/sys/** r,
/proc/** r,
# Allow reading of libraries and necessary binaries
/lib/** r,
/usr/lib/** r,
/usr/bin/** r,
# DNS resolution and temporary files
/etc/resolv.conf r,
/tmp/** rw,
/var/tmp/** rw,
}
Unload the previous Apparmor profile to avoid conflicts:
sudo apparmor_parser -R /etc/apparmor.d/incus
Reload the new profile:
sudo apparmor_parser -r /etc/apparmor.d/incus
Check that the profile is active and loaded:
sudo aa-status
But the error is still present
To tests furthermore, I manually unload all active AppArmor profiles:
sudo aa-teardown
And also tested Apparmor in “complain” mode to identify all violations:
sudo aa-complain /etc/apparmor.d/incus
But error not fixed
I think, some processes such as dnsmasq or incus, may specifically attempt to load AppArmor profiles even when they are disable.
In Debian 12 Bookworm, the kernel is compiled with AppArmor enabled by default as a security feature. AppArmor is integrated into the kernel.
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
For security reasons, I don’t want to completely disable AppArmor on my Linux system. Can you help me to fix my apparmor profile for Incus? Or do you have another solution?
Thanks