Package: lxc
Version: 1:1.0.6-6
Severity: important

Dear Maintainer,

lxc-start does not seem to switch lxc containers to the default profile. aa-status reports lxc-start keeping the 'lxc-start' profile after the container has launched.

I installed packages lxc, apparmor, apparmor-utils, apparmor-profiles* on jessie, fully patched. AppArmor works fine for libvirt (qemu/kvm machine profiles) and all others.

I created:

  lxc-create -n myvm -t debian -- -r jessie

executed:

  lxc-start -n myvm

However, when I run aa-status, the output is:

apparmor module is loaded.
68 profiles are loaded.
31 profiles are in enforce mode.
   [...]
   /usr/bin/lxc-start
   [...]
   lxc-container-default
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
37 profiles are in complain mode.
   [...]
18 processes have profiles defined.
14 processes are in enforce mode.
   /usr/bin/lxc-start (2596)
   /usr/bin/lxc-start (2598)
   /usr/bin/lxc-start (2620)
   /usr/bin/lxc-start (2687)
   /usr/bin/lxc-start (2693)
   /usr/bin/lxc-start (2694)
   /usr/bin/lxc-start (2695)
   /usr/bin/lxc-start (2696)
   /usr/bin/lxc-start (2697)
   /usr/bin/lxc-start (3572)
   /usr/bin/lxc-start (3573)
   /usr/sbin/cups-browsed (1214)
   /usr/sbin/cupsd (1210)
   /usr/sbin/libvirtd (1166)
4 processes are in complain mode.
   [...]
0 processes are unconfined but have a profile defined.

It shows lxc-container-default as not loaded. Setting lxc.aa_profile = unconfined|lxc-container-default|lxc-default in /var/lib/lxc/myvm/config all produce the same result.

I compared this to an Ubuntu installation with roughly the same steps. Its output is:

21 processes are in enforce mode.
   /sbin/dhclient (897)
   /usr/bin/lxc-start (2348)
   /usr/sbin/cups-browsed (583)
   /usr/sbin/cupsd (546)
   lxc-container-default (2356)
   lxc-container-default (2547)
   lxc-container-default (2569)
   lxc-container-default (2665)
   lxc-container-default (2679)
   lxc-container-default (2680)
   lxc-container-default (2686)
   lxc-container-default (2728)
   lxc-container-default (2733)
   lxc-container-default (2752)
   lxc-container-default (2754)
   lxc-container-default (2755)
   lxc-container-default (2764)
   lxc-container-default (2784)
   lxc-container-default (2795)
   lxc-container-default (2796)
   lxc-container-default (2799)
2 processes are in complain mode.

That is what I would expect. So going by aa-status it appears LXC isn't switching to the container profile in Jessie. Unless I'm missing a package this would be a security issue. Couldn't find anything specific in the logs but it's not my forte.

Thank you

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  init-system-helpers  1.22
ii  libapparmor1         2.9.0-3
ii  libc6                2.19-18
ii  libcap2              1:2.24-8
ii  libseccomp2          2.1.1-1
ii  libselinux1          2.3-2
ii  multiarch-support    2.19-18
ii  python3              3.4.2-2

Versions of packages lxc recommends:
ii  debootstrap  1.0.67
ii  openssl      1.0.1k-3+deb8u1
ii  rsync        3.1.1-3

Versions of packages lxc suggests:
pn  lua5.2  <none>

-- no debconf information
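The check the reporter performs by eye (start a container, run aa-status, see which profile the container's processes are listed under) can be automated and cross-checked against the kernel's own view of each task. The script below is an added example; it is not part of the bug report nor of the lxc or apparmor packages. It parses aa-status output in the format the report shows, and it reads /proc/PID/attr/current, which is what the kernel reports as a task's confining label and so does not depend on aa-status at all. The two aa-status samples are constructed from the Debian and Ubuntu outputs quoted in the report (elided lines dropped); the lxc-info invocation assumes the LXC 1.x `lxc-info -n NAME -p -H` flags and is not exercised offline.

```python
"""Which AppArmor profile confines a container's processes?

Two independent checks:
  1. parse `aa-status` output and map PIDs to the profile they are listed under;
  2. read /proc/<pid>/attr/current, the kernel's own label for the task.
If (1) says /usr/bin/lxc-start while lxc-container-default is expected,
the container is running under the launcher's profile, not the container one.
"""
import re
import subprocess
from typing import Dict, Iterable, Optional, Tuple

# Constructed from the Debian aa-status output in the report (elided lines dropped).
DEBIAN_AA_STATUS = """\
apparmor module is loaded.
68 profiles are loaded.
31 profiles are in enforce mode.
   /usr/bin/lxc-start
   lxc-container-default
37 profiles are in complain mode.
18 processes have profiles defined.
14 processes are in enforce mode.
   /usr/bin/lxc-start (2596)
   /usr/bin/lxc-start (2598)
   /usr/sbin/libvirtd (1166)
4 processes are in complain mode.
0 processes are unconfined but have a profile defined.
"""

# Constructed from the Ubuntu aa-status output in the report.
UBUNTU_AA_STATUS = """\
21 processes are in enforce mode.
   /usr/bin/lxc-start (2348)
   lxc-container-default (2356)
   lxc-container-default (2547)
2 processes are in complain mode.
"""

# "14 processes are in enforce mode." opens a process listing; the
# "N profiles are in ... mode." headers deliberately do not match.
_SECTION = re.compile(r"^(\d+) processes are in (enforce|complain) mode\.$")
# Indented "profile (pid)" entry inside a process listing.
_PROC = re.compile(r"^\s+(\S+) \((\d+)\)$")


def parse_process_profiles(text: str) -> Dict[int, Tuple[str, str]]:
    """Map pid -> (profile, mode) from the process sections of aa-status."""
    result: Dict[int, Tuple[str, str]] = {}
    mode: Optional[str] = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            mode = m.group(2)
            continue
        if mode is None:
            continue
        m = _PROC.match(line)
        if m:
            result[int(m.group(2))] = (m.group(1), mode)
        elif not line.startswith(" "):
            mode = None  # a non-indented line ends the process listing
    return result


def confining_profile(text: str, pid: int) -> Optional[str]:
    """Profile aa-status lists `pid` under, or None if it is not listed."""
    entry = parse_process_profiles(text).get(pid)
    return entry[0] if entry else None


def container_is_confined(text: str, pids: Iterable[int],
                          expected: str = "lxc-container-default") -> bool:
    """True only if every pid is listed under `expected` in enforce mode."""
    table = parse_process_profiles(text)
    return all(table.get(p) == (expected, "enforce") for p in pids)


def kernel_profile(pid: int) -> str:
    """Kernel's label for the task, e.g. 'lxc-container-default (enforce)'
    or 'unconfined'. Needs privilege for other users' tasks."""
    with open(f"/proc/{pid}/attr/current") as f:
        return f.read().strip("\n\0")


def container_init_pid(name: str) -> int:
    """Init PID of a running container (assumed LXC 1.x flags: -p prints the
    PID, -H drops the 'PID:' label)."""
    out = subprocess.check_output(["lxc-info", "-n", name, "-p", "-H"], text=True)
    return int(out.strip())


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "myvm"
    pid = container_init_pid(name)
    print(f"{name} init pid {pid}: kernel label {kernel_profile(pid)!r}")
    status = subprocess.check_output(["aa-status"], text=True)
    print(f"aa-status lists it under {confining_profile(status, pid)!r}")
```

Run it as root on the host after `lxc-start -n myvm`; the two lines it prints should agree. If the kernel label is `/usr/bin/lxc-start (enforce)` rather than `lxc-container-default (enforce)`, the container really is running under the launcher's profile, independent of how aa-status formats its listing.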