Since noble there are unconfined profiles which are part of the unprivileged user namespace restriction. There is a CIS Level 2 rule that requires all AppArmor profiles to be in enforce mode, which at the moment includes the unconfined profiles. There is ongoing discussion with the CIS community [1] to not include unconfined profiles in the rule, but for now that is indeed a restriction.
[1] https://workbench.cisecurity.org/benchmarks/18959/tickets/23987

https://bugs.launchpad.net/bugs/2111478
Title: docker fails to run in CIS hardened Ubuntu Server
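To see which loaded profiles an "all profiles in enforce mode" rule flags, and how many of those are unconfined-mode profiles rather than complain-mode ones, the following script parses the kernel's profile list. It is an added example, not part of the bug comment or of any CIS or Ubuntu tooling; the sample profile names and the `exempt_unconfined` switch are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Audit AppArmor profile modes the way an 'all profiles enforce' rule would."""
from collections import defaultdict

PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"  # kernel's loaded-profile list

# Constructed sample in the kernel's "name (mode)" format; names are illustrative.
SAMPLE = """\
/usr/bin/man (enforce)
docker-default (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
example-userns-app (unconfined)
example-browser (unconfined)
example-daemon (complain)
"""

def parse_profiles(text):
    """Return {mode: [profile names]} from 'name (mode)' lines."""
    by_mode = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(")") or " (" not in line:
            continue  # skip blank or malformed lines
        # Split on the last " (" so names containing spaces or "//" survive.
        name, mode = line[:-1].rsplit(" (", 1)
        by_mode[mode].append(name)
    return dict(by_mode)

def audit(text, exempt_unconfined=False):
    """Return sorted (name, mode) pairs for profiles not in enforce mode.

    exempt_unconfined=True models the exclusion being discussed in the CIS
    ticket (an assumption about how such an exemption would be applied).
    """
    findings = []
    for mode, names in parse_profiles(text).items():
        if mode == "enforce" or (mode == "unconfined" and exempt_unconfined):
            continue
        findings.extend((name, mode) for name in names)
    return sorted(findings)

if __name__ == "__main__":
    try:
        with open(PROFILES_PATH) as fh:  # reading this file normally needs root
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample
    for name, mode in audit(text):
        print(f"{mode:12} {name}")
```

Comparing the output of `audit(text)` with `audit(text, exempt_unconfined=True)` separates the findings caused only by unconfined-mode profiles from profiles that are in complain mode.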