One aspect of AppArmor IPC mediation is a "crosscheck" that requires a sending domain to have policy to allow sending and also requires the receiver to have policy to allow receiving. If either one fails, then the operation is failed as early as possible. (I'm not entirely sure how I would expect it to show up in the logs when they aren't in the same namespace, but this feels about what I would expect.)
Perhaps the Unix Domain Socket changes in newer versions of AppArmor require changes to the policy? I have a vague memory that previous versions of AppArmor allow file rules to give access to unix domain sockets in the filesystem but newer versions of AppArmor require explicit unix rules. (Worse yet, I don't know what to add to the rsyslog policy to allow this access.)

-- 
https://bugs.launchpad.net/bugs/2123821

Title:
  bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"

Status in apparmor package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  Confirmed

Bug description:
  On my Questing system running LXD containers, my kernel log is full of messages like:

  [  129.551382] audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

  One of my containers is named "q", hence the "root//lxd-q...". Some actual functionality is likely broken in the container.
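An added triage helper, not from this thread nor from the AppArmor or rsyslog projects: it parses DENIED lines in the exact format quoted in the report, recovers the container name from the `root//lxd-<name>_<...>` namespace as the reporter describes, and counts denials per container, profile, object and operation so one can see which containers and which side of the crosscheck are affected. The function names `parse_denial` and `summarize` are mine, and the sample log is constructed from the report's line plus a matching line for the container "n" named in the bug title.

```python
import re
from collections import Counter

# Constructed sample input: the denial quoted in the bug report, a matching line for
# the container "n" named in the bug title, and one unrelated kernel line.
SAMPLE_LOG = [
    '[  129.551382] audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" '
    'operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" '
    'profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    '[  130.001000] audit: type=1400 audit(1757925629.001:1006): apparmor="DENIED" '
    'operation="sendmsg" class="file" namespace="root//lxd-n_<var-snap-lxd-common-lxd>" '
    'profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=5401 comm="systemd-journal" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    '[  131.000000] kernel: unrelated message',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(epoch.ms:serial)
LXD_NS = re.compile(r'^root//lxd-(.+?)_<')  # root//lxd-q_<...> -> container "q"

def parse_denial(line):
    """Parse one kernel/audit line into a dict; None if it is not an AppArmor DENIED event."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    m = AUDIT_ID.search(line)
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    ns = LXD_NS.match(fields.get("namespace", ""))
    fields["container"] = ns.group(1) if ns else None
    # profile is the policy that was consulted, comm the process that triggered the
    # check; when they differ, the denial likely reflects the other side of the IPC
    # crosscheck described in the thread (sender checked against receiver policy).
    fields["peer_check"] = fields.get("comm") != fields.get("profile")
    return fields

def summarize(lines):
    """Count denials per (container, profile, object, operation) to see what is affected."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            counts[(d["container"], d["profile"], d.get("name"), d.get("operation"))] += 1
    return counts
```

Feed it `dmesg` or `journalctl -k` output line by line; the per-container counts tell you whether the denial is confined to one container or hits every LXD namespace.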

