On 2018-05-30 08:44, Germán Diago Gómez wrote:
>
>> If you check your audit logs or dmesg you will find an AppArmor DENIED
>> line with full details about the denied request. Once you've got those,
>> then it'll be easier to make concrete suggestions for changes.
>>
>> Thanks
>
> I found a couple of problems. First one being that clang++ (which I am
> invoking) is a link, so I checked and finally discovered that
> /usr/bin/clang++ has a link and that link another link. The final
> executable invoked is /usr/lib/llvm-6.0/bin/clang, so in my profile I have
> something like this in an attempt to let clang do its whole work:
>
>     /usr/lib/llvm-6.0/bin/clang ix,
>     /etc/lsb-release r,
>     /var/lib/docker/** r,
>     /tmp/** rw,
>
> Now when I enter the container and invoke "/usr/bin/clang++" the executable
> is invoked. I am trying to compile through the executable some file and I
> still get some error. dmesg output in host system when trying to access is:
>
> audit: type=1400 audit(1527662185.487:873): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> [521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> [521494.716117] audit: type=1400 audit(1527662185.491:875): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> [521494.716335] audit: type=1400 audit(1527662185.491:876): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> Not sure how to fix this. It says some access problem when accessing the
> docker overlay... but I cannot give a var/lib... path, I need an absolute
> path here or apparmor will not parse the file.
>
> Any ideas of how to suppress this problem? I think that after this
> everything should be fine.
>
> Thanks all for your time!

Just use flags=(attach_disconnected):
/some/app flags=(attach_disconnected) {
I have one question though. Why does the system (or just AppArmor) think that
the file is "var/lib/..." and not "/var/lib/..."? One of my apps behaves
differently depending on how the X-server is started. When I use just the
"startx" command issued via TTY, the attach_disconnected is needed. But when I
start the X-server using some DM, like for instance SDDM, the app works fine
without the flag. So why is that?
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
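
Added example (not part of the original thread, and not AppArmor project code): a small triage script that picks the "disconnected path" denials out of dmesg/audit text, groups them by profile, and shows the rooted path each one becomes once flags=(attach_disconnected) is set. The sample log lines are constructed in the shape of the ones quoted above, with LAYERID as a placeholder for the overlay2 directory name; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: two disconnected-path denials shaped like the ones
# in the thread (LAYERID is a placeholder) and one ordinary denial for contrast.
SAMPLE = '''\
[521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/LAYERID/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521494.716117] audit: type=1400 audit(1527662185.491:875): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" name="var/lib/docker/overlay2/LAYERID/diff/usr/lib/gcc/x86_64-linux-gnu" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[521495.000001] audit: type=1400 audit(1527662186.001:877): apparmor="DENIED" operation="open" profile="tpi-service-apparmor-new" name="/proc/cpuinfo" pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key=value, where value is either "quoted with spaces" or a bare token
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}

def disconnected_denials(log_text):
    """Map profile -> set of (name, denied_mask) for disconnected-path denials."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or 'disconnected path' not in rec.get('info', ''):
            continue  # other denials need a rule change, not the flag
        hits[rec.get('profile', '?')].add(
            (rec.get('name', ''), rec.get('denied_mask', '')))
    return dict(hits)

def suggest(hits):
    """Per profile: the flag to add and the rooted paths its rules must cover."""
    out = []
    for profile, items in sorted(hits.items()):
        out.append(f'profile {profile}: add flags=(attach_disconnected)')
        for name, mask in sorted(items):
            # With the flag set, AppArmor prepends "/" to the disconnected name.
            rooted = name if name.startswith('/') else '/' + name
            out.append(f'  then needs: {rooted} {mask},')
    return out

if __name__ == '__main__':
    print('\n'.join(suggest(disconnected_denials(SAMPLE))))
```

With the flag set, the rooted path reported for this thread's denials falls under the `/var/lib/docker/** r,` rule already in the quoted profile.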
