Public bug reported:
$ lxc launch images:debian/sid test-dynamicusers
$ lxc exec test-dynamicusers bash
$ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
$ systemctl status testdynamic.service
# systemctl status testdynamic.service
● testdynamic.service - /bin/true
   Loaded: loaded (/run/systemd/transient/testdynamic.service; transient)
Transient: yes
   Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
  Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
 Main PID: 470 (code=exited, status=217/USER)

Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Forked /bin/true as 470
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed dead -> running
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Job testdynamic.service/start finished, result=done
Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed to send unit change signal for testdynamic.service: Connection reset by peer
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Child 470 belongs to testdynamic.service.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Main process exited, code=exited, status=217/USER
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed with result 'exit-code'.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed running -> failed
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Unit entered failed state.
and on the host side, in the journal there is:
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:935): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:936): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:937): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:939): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:940): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:941): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Can we somehow make DynamicUser work in lxd containers?
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: lxd (Ubuntu)
Importance: Undecided
Status: New
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Also affects: lxd (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1783305
Title:
  apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
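As an added triage example (not part of the bug report, nor code from lxd, systemd or apparmor), the parser below reads AppArmor audit lines in the two formats the report shows (the audit-daemon "AVC" form and the kernel type=1400 form, the latter truncated at "sock_type=") and tallies DENIED events per profile, operation and comm, which turns the wall of repeated denials into the fact needed to chase the blocking rule: one profile denying file_lock for both systemd and its forked child. The sample journal lines are constructed to match the report's format.

```python
import re
from collections import Counter

# Constructed sample journal lines (not copied from the report), modelled on the
# two AppArmor audit formats it shows: audit-daemon "AVC" lines and kernel
# type=1400 lines. The kernel lines are truncated at "sock_type=" as in the report.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="ALLOWED" operation="open" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" name="/etc/passwd"
Jul 24 11:16:14 sochi systemd[1]: Started Session 5 of user test.
"""

# key="quoted value" or key=bare-value. Quoted values may contain spaces and
# '/' (the lxd profile name does); a bare value may be empty on truncated lines.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_apparmor_event(line):
    """Fields of an AppArmor audit line (audit-daemon "AVC" or kernel
    type=1400 form) as a dict, or None for any other journal line."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}

def truncated_fields(event):
    """Keys whose value was cut off (e.g. 'sock_type' on the kernel lines)."""
    return sorted(k for k, v in event.items() if v == '')

def summarize_denials(journal_text):
    """Count DENIED events per (profile, operation, comm). The audit daemon and
    kernel both log each event and the report repeats one pid's denial, so the
    counts locate the blocking profile/operation, not distinct syscalls."""
    counts = Counter()
    for line in journal_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev and ev.get('apparmor') == 'DENIED':
            counts[(ev.get('profile'), ev.get('operation'), ev.get('comm'))] += 1
    return counts

if __name__ == '__main__':
    for (profile, op, comm), n in summarize_denials(SAMPLE_JOURNAL).most_common():
        print(f'{n:3d}  profile={profile}  operation={op}  comm={comm}')
```

On a real host the same functions can be fed `journalctl -k -o short` output to see which container profile is denying which operation before touching any rule.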