Some 'DENIED' messages in the logs


#1

Hi,

running LXD 2.18 in Ubuntu server 16.04, in the host boot log, can see messages:

Nov 07 09:44:54 chico audit[5352]: AVC apparmor="DENIED" operation="file_inherit" namespace="root//lxd-email-internal_<var-lib-lxd>" profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5352 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Nov 07 09:44:54 chico audit[5352]: AVC apparmor="DENIED" operation="file_inherit" namespace="root//lxd-email-internal_<var-lib-lxd>" profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5352 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Nov 07 09:48:41 chico audit[6506]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"
Nov 07 09:48:41 chico kernel: audit: type=1400 audit(1510019321.740:53): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"

inside the container, dmesg, got following:

[ 322.960943] audit: type=1400 audit(1510019321.740:53): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-email-internal_</var/lib/lxd>" name="/tmp/" pid=6506 comm="(dovecot)" flags="rw, remount, bind"

but the container still runs, just wondering why and if it will affect the operation, Thanks.

Sq


(St├ęphane Graber) #2

It's unclear exactly what dovecot was trying to do here, but that one failure may actually affect its operation.

For the dhclient one, that one is usually harmless and may just affect some logging for the systemd unit. I think it may still be worth filing a bug against apparmor and dhclient to have this particular one dealt with: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+filebug (and then add a task for the "apparmor" package once the bug is filed).


#3

is LXD container's /tmp same as /tmp in the host?


#4

The /tmp in the host is different from the /tmp in a container.