Quoting TuxRaiderPen (tuxraider...@wpascanner.com):
> Playing with lxc "virtualization" to possibly isolate some things in their
> own little/light world(s) v. standard VM via VMWare Server or Player.....
> 
> I am trying to use mount for cifs to mount to a NAS to export out some data
> 
> apparmor is blocking it... ok so allow it...
> 
> I edited...
> 
> 
> $ cd /etc/apparmor.d/lxc/
> $ more lxc-default
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
>   
> profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
>   network,
>   capability,
>   file,
>   umount,
>   
>   # ignore DENIED message on / remount
>   deny mount options=(ro, remount) -> /,
>   
>   # allow tmpfs mounts everywhere
>   mount fstype=tmpfs,
>   
>   # allow cifs mounts everywhere (the rule I added)
>   mount fstype=cifs,
>   
>   # allow mqueue mounts everywhere
>   mount fstype=mqueue,
>   
>   # allow fuse mounts everywhere
>   mount fstype=fuse.*,
>   
>   # the container may never be allowed to mount devpts.  If it does, it
>   # will remount the host's devpts.  We could allow it to do it with
>   # the newinstance option (but, right now, we don't).
>   deny mount fstype=devpts,
>   
>   # allow bind mount of /lib/init/fstab for lxcguest
>   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
>   
>   # deny writes in /proc/sys/fs but allow fusectl to be mounted
>   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
>   deny @{PROC}/sys/fs/** wklx,
>   
>   # block some other dangerous paths
>   deny @{PROC}/sysrq-trigger rwklx,
>   deny @{PROC}/mem rwklx,
>   deny @{PROC}/kmem rwklx,
>   deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
>   deny @{PROC}/sys/kernel/*/** wklx,
>   
>   # deny writes in /sys except for /sys/fs/cgroup, also allow
>   # fusectl, securityfs and debugfs to be mounted there (read-only)
>   mount fstype=fusectl -> /sys/fs/fuse/connections/,
>   mount fstype=securityfs -> /sys/kernel/security/,
>   mount fstype=debugfs -> /sys/kernel/debug/,
>   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
>   mount fstype=proc -> /proc/,
>   mount fstype=sysfs -> /sys/,
>   deny /sys/[^f]*/** wklx,
>   deny /sys/f[^s]*/** wklx,
>   deny /sys/fs/[^c]*/** wklx,
>   deny /sys/fs/c[^g]*/** wklx,
>   deny /sys/fs/cg[^r]*/** wklx,
> }
> 
> I added: *mount fstype=cifs,*
> 
> But apparmor is still sticking its stupid nose in my way

Just to make sure - did you reload the policy after this?

> [ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED"
> operation="mount" info="failed type match" error=-13 parent=5073
> profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs"
> fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"

I haven't tried this, but it sure looks like this should be fixed with your
rule.

> Short of turning apparmor off, which is my next step...

Well it's certainly worth trying turning apparmor off (just with
lxc.aa_profile = unconfined) to make sure it's the problem.  The
network filesystems are still persnickety in containers, and I'm
not even sure cifs will work at all.

> Any apparmor gurus know how to remove this block?
> 
> Or is this hidden in some other file now since the container is created?
> 
> And I would prefer not to use fuse to do this, for my own reason(s).
> 
> Thanks.
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Lxc-users mailing list
> Lxc-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users

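As an added example (not code from this thread, nor from LXC or AppArmor), the two checks the reply suggests can be scripted: pull the fields out of a "DENIED" mount line like the one quoted above, find the profile file that declares that profile name, and report whether an allow rule for that fstype is already there (in which case the policy most likely just needs to be reloaded) or still missing. The sample denial below is constructed from the quoted one; the paths /etc/apparmor.d/lxc and /etc/apparmor.d/lxc-containers are assumptions about where the profiles live.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC/AppArmor: triage an
# AppArmor "DENIED" mount line and check whether the profile on disk already
# carries a matching "mount fstype=...," allow rule. If it does, the usual
# cause is that the policy was edited but never reloaded; if it does not,
# the rule still has to be added.
# Assumed paths: /etc/apparmor.d/lxc (profile sources) and
# /etc/apparmor.d/lxc-containers (the file apparmor_parser is pointed at).

# Sample denial, constructed from the line quoted in the thread.
SAMPLE_DENIAL='[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"'

# aa_field LINE KEY: print the value of KEY="value" from an audit line.
# The leading [[:space:]] keeps KEY=name from matching srcname=.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_mount_rule_present FILE FSTYPE: succeed if FILE has an allow rule of the
# form "mount fstype=FSTYPE," outside comments. Lines starting with "deny"
# do not match, so an explicit deny is reported as "rule missing".
aa_mount_rule_present() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq "^[[:space:]]*mount[[:space:]]+fstype=$2[[:space:]]*,"
}

# aa_triage LINE DIR: print a verdict for a mount denial.
# Returns 0 if the rule is already present (reload the policy),
#         1 if it is missing or the profile file cannot be found,
#         2 if LINE is not an AppArmor mount denial at all.
aa_triage() {
    line=$1
    dir=$2
    [ "$(aa_field "$line" apparmor)" = DENIED ] || return 2
    [ "$(aa_field "$line" operation)" = mount ] || return 2
    prof=$(aa_field "$line" profile)
    fs=$(aa_field "$line" fstype)
    # The shipped file is called lxc-default but declares
    # "profile lxc-container-default", so search by declaration, not filename.
    file=$(grep -l "^profile $prof " "$dir"/* 2>/dev/null | head -n 1)
    if [ -z "$file" ]; then
        echo "no file under $dir declares profile $prof"
        return 1
    fi
    if aa_mount_rule_present "$file" "$fs"; then
        echo "'mount fstype=$fs,' is already in $file; reload it with:"
        echo "  apparmor_parser -r /etc/apparmor.d/lxc-containers"
        return 0
    fi
    echo "no allow rule 'mount fstype=$fs,' in $file; add it, then reload"
    return 1
}

# Stand-alone run: triage the sample line against the local LXC profiles.
aa_triage "$SAMPLE_DENIAL" "${AA_PROFILE_DIR:-/etc/apparmor.d/lxc}" || :
```

Run it as-is to check the quoted denial against the profiles on the host, or set AA_PROFILE_DIR to point at another directory of profile sources. A return of 0 means the edit is on disk but the loaded policy may be stale; a return of 1 means the profile really lacks the rule (or carries a deny for that fstype), so loading it again will not help.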