If you check your audit logs or dmesg you will find an AppArmor DENIED
line with full details about the denied request. Once you've got those,
then it'll be easier to make concrete suggestions for changes.

Thanks
I found a couple of problems. First one being that clang++ (which I am invoking) is a link, so I checked and finally discovered that /usr/bin/clang++ has a link and that link has another link. The final executable invoked is /usr/lib/llvm-6.0/bin/clang, so in my profile I have something like this in an attempt to let clang do its whole work:

/usr/lib/llvm-6.0/bin/clang ix,
/etc/lsb-release r,
/var/lib/docker/** r,
/tmp/** rw,

Now when I enter the container and invoke "/usr/bin/clang++" the executable is invoked. I am trying to compile through the executable some file and I still get some error. dmesg output in host system when trying to access is:

audit: type=1400 audit(1527662185.487:873): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.716117] audit: type=1400 audit(1527662185.491:875): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.716335] audit: type=1400 audit(1527662185.491:876): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


Not sure how to fix this. It says some access problem when accessing the docker overlay... but I cannot give a var/lib... path, I need an absolute path here or apparmor will not parse the file.

Any ideas of how to suppress this problem? I think that after this everything should be fine.

Thanks all for your time!





--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
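
An added example, not part of the original message or of AppArmor's own tooling: a small Python parser for dmesg lines of the kind quoted above, which collapses repeated denials and separates "disconnected path" names (no leading "/") from ordinary absolute-path denials. The sample input is constructed; LAYER_ID, example-profile and the /etc/ld.so.cache line are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of the dmesg lines quoted above. LAYER_ID and
# example-profile are placeholders; the /etc/ld.so.cache line is invented as a
# contrasting denial whose name is a normal absolute path.
SAMPLE = """\
audit: type=1400 audit(1527662185.487:873): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="example-profile" name="var/lib/docker/overlay2/LAYER_ID/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="example-profile" name="var/lib/docker/overlay2/LAYER_ID/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521500.000001] audit: type=1400 audit(1527662190.100:880): apparmor="DENIED" operation="open" profile="example-profile" name="/etc/ld.so.cache" pid=24580 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" line."""
    records = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def summarize(text):
    """Collapse repeated denials and flag names AppArmor could not anchor at '/'."""
    counts = Counter()
    for d in parse_denials(text):
        name = d.get("name", "")
        disconnected = "disconnected path" in d.get("info", "") or not name.startswith("/")
        counts[(d.get("profile"), d.get("comm"), name, d.get("denied_mask"), disconnected)] += 1
    return [
        {"profile": p, "comm": c, "name": n, "mask": m, "disconnected": dis, "count": k}
        for (p, c, n, m, dis), k in counts.items()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        if row["disconnected"]:
            # Path rules are absolute, so no rule can match this name as logged.
            # apparmor.d(5) documents the attach_disconnected profile flag for this case.
            hint = "disconnected path: not matchable by a path rule as logged"
        else:
            hint = "candidate rule: %s %s," % (row["name"], row["mask"])
        print("%dx %s [%s] %s -> %s" % (row["count"], row["comm"], row["profile"], row["name"], hint))
```

Feeding it real `dmesg` output instead of SAMPLE gives one row per distinct denial, so the disconnected-path cases can be handled separately from those that only need an additional path rule.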
