Hi,

J. R. Okajima:
> Tomas M kindly told me that it is AppArmor who blocked the file access.
> And I found these lines from Christoph's very big logfile.

> [ 278.101295] audit: type=1400 audit(1571757260.203:7): apparmor="DENIED"
> operation="open" profile="man_groff" name="/live/image/etc/ld.so.cache"
> pid=1431 comm="preconv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [ 278.101481] audit: type=1400 audit(1571757260.203:8): apparmor="DENIED"
> operation="open" profile="man_groff"
> name="/live/image/usr/lib/x86_64-linux-gnu/libuchardet.so.0.0.6" pid=1431
> comm="preconv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [ 278.126956] audit: type=1400 audit(1571757260.231:9): apparmor="DENIED"
> operation="open" profile="man_groff" name="/live/image/etc/ld.so.cache"
> pid=1432 comm="tbl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [ 278.127080] audit: type=1400 audit(1571757260.231:10): apparmor="DENIED"
> operation="open" profile="man_groff"
> name="/live/image/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25" pid=1432
> comm="tbl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [ 278.289710] audit: type=1400 audit(1571757260.391:11): apparmor="DENIED"
> operation="open" profile="man_groff" name="/live/image/etc/ld.so.cache"
> pid=1441 comm="troff" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [ 278.347156] audit: type=1400 audit(1571757260.451:12): apparmor="DENIED"
> operation="open" profile="man_groff"
> name="/live/image/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25" pid=1441
> comm="troff" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

> These msgs look like they match the strace logfile, and explain the problem.
> But I don't know why AppArmor denied the access.
> Does your AppArmor setting allow reading "/etc/ld.so.cache" and
> "/usr/lib/x86_64-linux-gnu/*.so*", but deny for "/live/image/..."?

Using AppArmor with aufs (or overlayfs by the way) is a bit tricky;
it generally requires adjusting the system's AppArmor policy a bit.
That's why, for example, the Debian Live images disable AppArmor by
default (see ConditionPathExists=!... in apparmor.service).

In case it may be useful to you, we made aufs+AppArmor work in Tails:
see the "Hacks to support the Live system usecase" and "Using alias
rules to avoid modifying profiles" sections in
https://tails.boum.org/contribute/design/application_isolation/

Cheers,
--
intrigeri
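Added example, not part of the original message: a small Python script that parses the AppArmor denial records quoted above and lists, per profile, the denied paths with the aufs branch prefix /live/image removed. The function names and the `branch` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Denial records copied from the log quoted in the message above, each joined
# onto one line (the mail had wrapped them).
SAMPLE_LOG = """\
[ 278.101295] audit: type=1400 audit(1571757260.203:7): apparmor="DENIED" operation="open" profile="man_groff" name="/live/image/etc/ld.so.cache" pid=1431 comm="preconv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 278.101481] audit: type=1400 audit(1571757260.203:8): apparmor="DENIED" operation="open" profile="man_groff" name="/live/image/usr/lib/x86_64-linux-gnu/libuchardet.so.0.0.6" pid=1431 comm="preconv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 278.126956] audit: type=1400 audit(1571757260.231:9): apparmor="DENIED" operation="open" profile="man_groff" name="/live/image/etc/ld.so.cache" pid=1432 comm="tbl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 278.127080] audit: type=1400 audit(1571757260.231:10): apparmor="DENIED" operation="open" profile="man_groff" name="/live/image/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25" pid=1432 comm="tbl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_denials(text):
    """Return the key/value fields of every apparmor="DENIED" record."""
    records = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            records.append(fields)
    return records


def denied_under_branch(records, branch="/live/image"):
    """Per profile: denied paths below `branch`, with the branch prefix removed.

    Assumption: the stripped path is the name the profile's rules are written
    for, as the question in the message suggests.
    """
    root = branch.rstrip("/")
    out = defaultdict(lambda: {"paths": set(), "comms": set()})
    for r in records:
        if r["name"].startswith(root + "/"):
            entry = out[r.get("profile", "?")]
            entry["paths"].add(r["name"][len(root):])
            entry["comms"].add(r.get("comm", "?"))
    return {p: {k: sorted(v) for k, v in e.items()} for p, e in out.items()}


if __name__ == "__main__":
    for profile, info in denied_under_branch(parse_denials(SAMPLE_LOG)).items():
        print(f"profile {profile} (commands: {', '.join(info['comms'])})")
        for path in info["paths"]:
            print(f"  denied as /live/image{path}, merged-root name {path}")
```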