Playing with lxc "virtualization" to possibly isolate some things in their own little/light world(s) v. standard VM via VMWare Server or Player.....
I am trying to use mount for cifs to mount a NAS to export out some data; apparmor is blocking it... ok so allow it... I edited:

$ cd /etc/apparmor.d/lxc/
$ more lxc-default
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,

  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,

  mount fstype=cifs,

  # allow mqueue mounts everywhere
  mount fstype=mqueue,

  # allow fuse mounts everywhere
  mount fstype=fuse.*,

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

  # block some other dangerous paths
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
  deny @{PROC}/sys/kernel/*/** wklx,

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
}

I added: *mount fstype=cifs,*

But apparmor is still sticking its stupid nose in my way:

[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"

Short of turning apparmor off, which is my next step... Any apparmor gurus know how to remove this block? Or is this hidden in some other file now since the container is created? And I would prefer not to use fuse to do this, for my own reason(s).

Thanks.

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
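An added example, not from the post above and not part of lxc or AppArmor: a small Python check that parses the DENIED line quoted in the post, decides whether a given copy of the profile text already carries a mount rule covering that fstype and target (honouring the AppArmor rule that a matching deny overrides any allow), and then reports either the rule to add or that the kernel must be enforcing a stale copy of the profile. The profile excerpt and the audit line are constructed from the post. The reload steps it suggests (apparmor_parser -r on /etc/apparmor.d/lxc-containers, then restarting the container, since the profile is attached at container start) are the steps I would try next, not something the post confirms, and the container name in them is a placeholder.

```python
import fnmatch
import re

# Constructed sample input: the dmesg line from the post, re-joined on one line.
SAMPLE_DENIAL = (
    '[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" '
    'operation="mount" info="failed type match" error=-13 parent=5073 '
    'profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 '
    'comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"'
)

# Constructed excerpt of the stock lxc-container-default mount rules, before
# and after adding the cifs line the post adds.
PROFILE_BEFORE = """\
  deny mount options=(ro, remount) -> /,
  mount fstype=tmpfs,
  mount fstype=mqueue,
  mount fstype=fuse.*,
  deny mount fstype=devpts,
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
"""
PROFILE_AFTER = PROFILE_BEFORE + "  mount fstype=cifs,\n"

# key="quoted value" or key=bare_value, as written by the audit subsystem
AUDIT_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Split an AppArmor audit line into its key=value fields (quotes stripped)."""
    fields = {}
    for m in AUDIT_FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def mount_rules(profile_text):
    """Yield (is_deny, fstype_glob_or_None, destination_or_None) per mount rule.

    Handles the forms used in the lxc profile: 'mount fstype=X,',
    'mount fstype=X -> /dest/,' and 'deny mount ...,'. Options are ignored.
    """
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        is_deny = line.startswith("deny ")
        if is_deny:
            line = line[len("deny "):].strip()
        if not (line == "mount" or line.startswith("mount ")):
            continue  # skips 'umount,' and non-mount rules
        fs = re.search(r"\bfstype=(\S+)", line)
        dest = re.search(r"->\s*(\S+)", line)
        yield is_deny, (fs.group(1) if fs else None), (dest.group(1) if dest else None)


def profile_allows(profile_text, fields):
    """True if some mount rule covers this denial and no deny rule overrides it."""
    want_fs, want_dest = fields["fstype"], fields["name"]
    allowed = False
    for is_deny, fs_glob, dest in mount_rules(profile_text):
        if fs_glob is not None and not fnmatch.fnmatchcase(want_fs, fs_glob):
            continue  # e.g. fstype=fuse.* does not cover cifs
        if dest is not None and dest != want_dest:
            continue  # rule is scoped to another mount point
        if is_deny:
            return False  # an explicit deny wins over any allow in AppArmor
        allowed = True
    return allowed


def suggest_rule(fields, narrow=True):
    """Build the mount rule that would satisfy this denial."""
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        raise ValueError("not an AppArmor mount denial")
    if narrow:  # same shape as 'mount fstype=proc -> /proc/,' in the profile
        return "mount fstype=%s -> %s," % (fields["fstype"], fields["name"])
    return "mount fstype=%s," % fields["fstype"]


def next_step(profile_text, line):
    """Decide what to do about a denial given the profile text on disk."""
    fields = parse_denial(line)
    if profile_allows(profile_text, fields):
        # Disk copy already allows it, so the kernel is enforcing an older
        # load of the profile; reload it and restart the container
        # (assumption: <name> is a placeholder for the container name).
        return ("reload", [
            "apparmor_parser -r /etc/apparmor.d/lxc-containers",
            "lxc-stop -n <name> && lxc-start -n <name> -d",
        ])
    return ("add_rule", suggest_rule(fields))


if __name__ == "__main__":
    for label, text in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        action, detail = next_step(text, SAMPLE_DENIAL)
        print("%s: %s -> %s" % (label, action, detail))
```

Run against the two profile variants it prints an add_rule suggestion for the stock profile and a reload suggestion once `mount fstype=cifs,` is present, which is the situation the post describes: if the rule is really in the file the kernel is checking, the denial should not appear, so the profile the kernel has loaded is the thing to verify.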