FYI, http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3658 fixes the /run/systemd/journal/stdout denials. It seems like the real cause of this bug is this denial:

[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000

Suspecting this had something to do with the flock and mmap mediation fixes, I tried the reproducer with an updated 16.04 kernel (4.4.0-77.98-generic). This fixes the file_mmap denial, but we still have a file_mprotect 'r' denial:

[ 825.339262] audit: type=1400 audit(1493908654.440:86): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536

I'm not sure if this indicates a bug in the apparmor policy or apparmor itself. If the policy, adjusting /etc/apparmor.d/usr.sbin.cups-browsed to have:

  /usr/sbin/cups-browsed r,

resolves the issue.

-- 
https://bugs.launchpad.net/bugs/1655982

Title:
  cups-browsed fails to start in containers after apparmor stacking backport to xenial
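For triaging denials like the two quoted above, the following is an added example (not part of the original message and not AppArmor project code) that parses `apparmor="DENIED"` audit records and groups them by namespace, profile and path. The function names and the "candidate rule" rendering are assumptions made for illustration; the output is meant for human review against the profile, not for automatic application.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above (mail line wraps rejoined).
SAMPLE = '''
[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
[ 825.339262] audit: type=1400 audit(1493908654.440:86): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize(log_text):
    """Group denials by (namespace, profile, path) and union the denied masks."""
    seen = defaultdict(lambda: {"ops": set(), "mask": set(), "own_binary": False})
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or "name" not in rec or "profile" not in rec:
            continue
        entry = seen[(rec.get("namespace", ""), rec["profile"], rec["name"])]
        entry["ops"].add(rec.get("operation", "?"))
        entry["mask"].update(rec.get("denied_mask", ""))
        # Heuristic: for path-named profiles, name == profile means the
        # confined executable itself was denied, as in this bug.
        entry["own_binary"] = rec["name"] == rec["profile"]
    return dict(seen)


def candidate_rules(summary):
    """Render each denied path as a file rule string for manual review."""
    return [(profile, f"{path} {''.join(sorted(info['mask']))},")
            for (_, profile, path), info in sorted(summary.items())]


if __name__ == "__main__":
    for profile, rule in candidate_rules(summarize(SAMPLE)):
        print(f"{profile}: {rule}")
```

Run over only the second record, it yields the same `/usr/sbin/cups-browsed r,` rule the message proposes; with both records the mask is the union `mr`.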
