Some 'DENIED' messages in the logs

Hi,

Running LXD 2.18 on Ubuntu Server 16.04, in the host boot log I can see these messages:

Nov 07 09:44:54 chico audit[5352]: AVC apparmor="DENIED" operation="file_inherit" namespace="root//lxd-email-internal_<var-lib-lxd>" profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5352 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Nov 07 09:44:54 chico audit[5352]: AVC apparmor="DENIED" operation="file_inherit" namespace="root//lxd-email-internal_<var-lib-lxd>" profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5352 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Nov 07 09:48:41 chico audit[6506]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"
Nov 07 09:48:41 chico kernel: audit: type=1400 audit(1510019321.740:53): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"

Inside the container, in dmesg, I got the following:

[ 322.960943] audit: type=1400 audit(1510019321.740:53): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"

But the container still runs. I am just wondering why this happens and whether it will affect operation. Thanks.

Sq
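As an added example (not part of the thread), a small Python parser for AppArmor audit lines like the ones quoted above: it splits the key=value fields (handling quoted values with spaces such as flags="rw, remount, bind"), recovers the container name from the profile or namespace field, and collapses repeated denials into counts, so the same dovecot event seen in the host journal and in the container's dmesg shows up as one distinct denial. The sample lines are copied from the post above.

```python
import re
from collections import Counter

# Sample lines copied from the post above (host journal and in-container dmesg).
SAMPLE_LINES = [
    'Nov 07 09:44:54 chico audit[5352]: AVC apparmor="DENIED" operation="file_inherit" namespace="root//lxd-email-internal_<var-lib-lxd>" profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5352 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000',
    'Nov 07 09:48:41 chico audit[6506]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"',
    '[ 322.960943] audit: type=1400 audit(1510019321.740:53): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"',
]

# key="quoted value" (may contain spaces and commas) or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The container name is embedded in the LXD profile (lxd-<name>_</var/lib/lxd>)
# or, for a profile loaded inside the container, in the namespace field.
CONTAINER_RE = re.compile(r'lxd-(.+?)_<')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor DENIED audit line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {k: q or b for k, q, b in KV_RE.findall(line)}
    fields['container'] = None
    for src in ('profile', 'namespace'):
        m = CONTAINER_RE.search(fields.get(src, ''))
        if m:
            fields['container'] = m.group(1)
            break
    return fields


def summarize_denials(lines):
    """Count denials by (profile, operation, name, flags); the same event logged
    twice (host journal and container dmesg) collapses into one key with count 2."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev is not None:
            counts[(ev.get('profile', ''), ev.get('operation', ''),
                    ev.get('name', ''), ev.get('flags', ''))] += 1
    return counts


if __name__ == '__main__':
    for (profile, op, name, flags), n in summarize_denials(SAMPLE_LINES).items():
        print(f'{n}x {op:13} {name:30} flags={flags!r:22} profile={profile}')
```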

It’s unclear exactly what dovecot was trying to do here, but that one failure may actually affect its operation.

For the dhclient one, that one is usually harmless and may just affect some logging for the systemd unit. I think it may still be worth filing a bug against apparmor and dhclient to have this particular one dealt with: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+filebug (and then add a task for the “apparmor” package once the bug is filed).

Is the LXD container’s /tmp the same as /tmp on the host?

The /tmp in the host is different from the /tmp in a container.