[apparmor] Bug#847370: Recent apparmor broke "virsh lxc-enter"
Guido Günther
agx at sigxcpu.org
Mon Dec 19 22:20:42 UTC 2016
On Mon, Dec 19, 2016 at 12:35:51PM -0800, Seth Arnold wrote:
> On Mon, Dec 19, 2016 at 12:17:55PM +0100, intrigeri wrote:
> > Guido Günther:
> > >> Well, info="Failed name lookup - disconnected path" does ring a bell.
> > >> It might be that the libvirtd profile needs the attach_disconnected
> > >> flag (there are plenty of examples that do in my /etc/apparmor.d).
>
> I don't know much about libvirt's containers support but the error
> messages from the bug:
>
> …
> + virsh lxc-enter-namespace --noseclabel sl /bin/ls /bin/ls
> libvirt: error : Expected at least one file descriptor
> error: internal error: Child process (2714) unexpected exit status 125
> …
>
> give me the impression that the error happens very early and very quickly.
> The name="" from the audit logs gives me the impression that the profiled
> container was trying to find /. This doesn't feel like a recent change to
> me.
>
> Are we sure that libvirt's containers support has had working AppArmor
> support before?
Yes. At least since 1.3.5.
-- Guido