Playing with lxc "virtualization" to possibly isolate some things in their own
little/light world(s) vs. a standard VM via VMWare Server or Player.....

I am trying to use mount with cifs to mount a NAS share to export out some data

apparmor is blocking it... ok so allow it...

I edited...


$ cd /etc/apparmor.d/lxc/
$ more lxc-default
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
  
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,
  
  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,
  
  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,
  mount fstype=cifs,
  
  # allow mqueue mounts everywhere
  mount fstype=mqueue,
  
  # allow fuse mounts everywhere
  mount fstype=fuse.*,
  
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  
  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
  
  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,
  
  # block some other dangerous paths
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
  deny @{PROC}/sys/kernel/*/** wklx,
  
  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
}

I added: *mount fstype=cifs,*

But apparmor is still sticking its stupid nose in my way

[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"

Short of turning apparmor off, which is my next step...

Any apparmor gurus know how to remove this block?

Or is this hidden in some other file now since the container was created?

And I would prefer not to use fuse to do this, for my own reason(s).

Thanks.
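Added example (not from the post or the lxc project): a small checker that parses the AppArmor "DENIED" audit line quoted above and tests whether a given profile text carries an unconditional `mount fstype=...,` allow rule for the denied filesystem type. The profile excerpts and the helper names are constructed for illustration; the denial line is the one from the post, joined onto one line.

```python
import re

# Constructed sample: the audit line from the post, on a single line.
DENIAL = ('type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" '
          'info="failed type match" error=-13 parent=5073 profile="lxc-container-default" '
          'name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" '
          'srcname="//192.168.0.10/Share" flags="rw"')

# Constructed excerpts of the profile, before and after the cifs rule is added.
PROFILE_BEFORE = """profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  deny mount options=(ro, remount) -> /,
  mount fstype=tmpfs,
  mount fstype=mqueue,
  mount fstype=fuse.*,
  deny mount fstype=devpts,
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
}"""
PROFILE_AFTER = PROFILE_BEFORE.replace("  mount fstype=tmpfs,",
                                       "  mount fstype=tmpfs,\n  mount fstype=cifs,")

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Matches only unconditional fstype rules (no "-> target"); a leading "deny" is captured.
MOUNT_RULE = re.compile(r'(deny\s+)?mount\s+fstype=([^\s,]+)\s*,$')

def parse_denial(line):
    """Return the key="value" fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(FIELD.findall(line))

def fstype_allowed(profile_text, fstype):
    """True if the profile has an allow rule `mount fstype=<pattern>,` matching fstype.
    AppArmor globs such as fuse.* are honoured; deny rules never count as allows."""
    for raw in profile_text.splitlines():
        m = MOUNT_RULE.match(raw.strip())
        if not m or m.group(1):          # not an fstype rule, or a deny rule
            continue
        pattern = re.escape(m.group(2)).replace(r'\*', '.*')
        if re.fullmatch(pattern, fstype):
            return True
    return False

def explain(line, profile_text):
    """For a mount denial, report whether the on-disk profile already allows the fstype."""
    d = parse_denial(line)
    if d is None or d.get('operation') != 'mount':
        return None
    allowed = fstype_allowed(profile_text, d['fstype'])
    return {'profile': d['profile'], 'fstype': d['fstype'], 'rule_present': allowed,
            'missing_rule': None if allowed else f"mount fstype={d['fstype']},"}
```

If the checker reports the rule as present in the file yet the kernel still logs "failed type match", the loaded profile is stale: the header of lxc-default says the file is sourced via /etc/apparmor.d/lxc-containers, so that is the file to reload with `apparmor_parser -r`, after which the container must be restarted to pick up the new profile.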

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users