Public bug reported: I'm not sure if it's a bug that belongs to Apparmor, rsyslog or even the kernel so please re-assign if needed.
Enabling rsyslog's Apparmor profile in a namespace generates this denial: [ 3026.956651] audit: type=1400 audit(1487955263.521:39): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd- ganymede_<var-lib-lxd>" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=4165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536 This prevents rsyslog from starting in the said container: root@ganymede:~# systemctl status rsyslog ● rsyslog.service - System Logging Service Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled) Active: inactive (dead) (Result: exit-code) since Fri 2017-02-24 11:54:24 EST; 30min ago Docs: man:rsyslogd(8) http://www.rsyslog.com/doc/ Process: 232 ExecStart=/usr/sbin/rsyslogd -n (code=exited, status=127) Main PID: 232 (code=exited, status=127) Feb 24 11:54:24 ganymede systemd[1]: Failed to start System Logging Service. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Unit entered failed state. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Failed with result 'exit-code'. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart. Feb 24 11:54:24 ganymede systemd[1]: Stopped System Logging Service. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Start request repeated too quickly. Feb 24 11:54:24 ganymede systemd[1]: Failed to start System Logging Service. I don't know why rsyslog wants to read its own binary but it seems to really want to. Both the host and the guest are up to date Xenials. Please not that the host runs the kernel from -proposed. root@jupiter:~# apt-cache policy linux-image-4.4.0-65-generic apparmor rsyslog linux-image-4.4.0-65-generic: Installed: 4.4.0-65.86 Candidate: 4.4.0-65.86 Version table: *** 4.4.0-65.86 100 100 /var/lib/dpkg/status apparmor: Installed: 2.10.95-0ubuntu2.5 Candidate: 2.10.95-0ubuntu2.5 Version table: *** 2.10.95-0ubuntu2.5 500 500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.10.95-0ubuntu2 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages rsyslog: Installed: 8.16.0-1ubuntu3 Candidate: 8.16.0-1ubuntu3 Version table: *** 8.16.0-1ubuntu3 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: apparmor 2.10.95-0ubuntu2.5 ProcVersionSignature: Ubuntu 4.4.0-65.86-generic 4.4.49 Uname: Linux 4.4.0-65-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20.1-0ubuntu2.5 Architecture: amd64 Date: Fri Feb 24 12:17:34 2017 InstallationDate: Installed on 2016-12-19 (66 days ago) InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161219) ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-65-generic.efi.signed root=UUID=b23cf18f-e8d0-4a4f-9e8d-6aa47569e86b ro possible_cpus=2 nmi_watchdog=0 kaslr vsyscall=none transparent_hugepage=never PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree' SourcePackage: apparmor Syslog: Feb 24 11:04:10 jupiter dbus[1812]: [system] AppArmor D-Bus mediation is enabled UpgradeStatus: No upgrade log present (probably fresh install) ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug third-party-packages xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1667751 Title: rsyslog profile doesn't work in namespace Status in apparmor package in Ubuntu: New Bug description: I'm not sure if it's a bug that belongs to Apparmor, rsyslog or even the kernel so please re-assign if needed. Enabling rsyslog's Apparmor profile in a namespace generates this denial: [ 3026.956651] audit: type=1400 audit(1487955263.521:39): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd- ganymede_<var-lib-lxd>" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=4165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536 This prevents rsyslog from starting in the said container: root@ganymede:~# systemctl status rsyslog ● rsyslog.service - System Logging Service Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled) Active: inactive (dead) (Result: exit-code) since Fri 2017-02-24 11:54:24 EST; 30min ago Docs: man:rsyslogd(8) http://www.rsyslog.com/doc/ Process: 232 ExecStart=/usr/sbin/rsyslogd -n (code=exited, status=127) Main PID: 232 (code=exited, status=127) Feb 24 11:54:24 ganymede systemd[1]: Failed to start System Logging Service. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Unit entered failed state. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Failed with result 'exit-code'. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart. Feb 24 11:54:24 ganymede systemd[1]: Stopped System Logging Service. Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Start request repeated too quickly. Feb 24 11:54:24 ganymede systemd[1]: Failed to start System Logging Service. I don't know why rsyslog wants to read its own binary but it seems to really want to. Both the host and the guest are up to date Xenials. Please not that the host runs the kernel from -proposed. root@jupiter:~# apt-cache policy linux-image-4.4.0-65-generic apparmor rsyslog linux-image-4.4.0-65-generic: Installed: 4.4.0-65.86 Candidate: 4.4.0-65.86 Version table: *** 4.4.0-65.86 100 100 /var/lib/dpkg/status apparmor: Installed: 2.10.95-0ubuntu2.5 Candidate: 2.10.95-0ubuntu2.5 Version table: *** 2.10.95-0ubuntu2.5 500 500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.10.95-0ubuntu2 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages rsyslog: Installed: 8.16.0-1ubuntu3 Candidate: 8.16.0-1ubuntu3 Version table: *** 8.16.0-1ubuntu3 500 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: apparmor 2.10.95-0ubuntu2.5 ProcVersionSignature: Ubuntu 4.4.0-65.86-generic 4.4.49 Uname: Linux 4.4.0-65-generic x86_64 NonfreeKernelModules: zfs zunicode zcommon znvpair zavl ApportVersion: 2.20.1-0ubuntu2.5 Architecture: amd64 Date: Fri Feb 24 12:17:34 2017 InstallationDate: Installed on 2016-12-19 (66 days ago) InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161219) ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-65-generic.efi.signed root=UUID=b23cf18f-e8d0-4a4f-9e8d-6aa47569e86b ro possible_cpus=2 nmi_watchdog=0 kaslr vsyscall=none transparent_hugepage=never PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree' SourcePackage: apparmor Syslog: Feb 24 11:04:10 jupiter dbus[1812]: [system] AppArmor D-Bus mediation is enabled UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1667751/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp