Actually, this issue is not directly related to containers but to
delegations. Unconfined does object delegation of open descriptors. This
is not the case for confined profiles. So when lsblk is launched from a
confined process (the container), then the permission is required.

$ aa-exec -p Xorg  -- sh -c lsblk
Segmentation fault

In the above example, the profile transitions are: unconfined -> Xorg ->
lsblk, so lsblk won't work, while from a regular bash (unconfined ->
lsblk), lsblk can work even without this rule.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2107455

Title:
  segfault of lsblk s390x in containers due to apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2107455/+subscriptions
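As an added example (not part of the bug report, and not Ubuntu or AppArmor project code): the practical way to confirm that a tool is failing under a confined profile rather than under unconfined is to look for the matching AppArmor denials in the audit log and turn them into a reviewable summary. The snippet below parses a few constructed audit lines in AppArmor's key="value" record format (the paths, pids and timestamps are invented; the `class=` field is assumed to be present as on recent AppArmor releases), keeps the DENIED records, counts them per profile/operation/path, and drafts the file rule that would cover each one, in the spirit of what aa-logprof proposes.

```python
import re
from collections import Counter

# Constructed sample audit lines in AppArmor's key="value" format. The paths, pids and
# timestamps are invented for this example and do not come from the bug report.
SAMPLE_LOG = """\
audit: type=1400 audit(1745000000.123:42): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/virtual/block/loop0/queue/rotational" pid=1234 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1745000000.124:43): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/proc/partitions" pid=1234 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1745000000.125:44): apparmor="DENIED" operation="file_inherit" class="file" profile="lsblk" name="/dev/pts/0" pid=1234 comm="lsblk" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1745000000.126:45): apparmor="DENIED" operation="file_inherit" class="file" profile="lsblk" name="/dev/pts/0" pid=1235 comm="lsblk" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

# Matches key="quoted value" or key=bareword, the two shapes an audit record uses.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return key -> value for one audit line, or None if it is not an AppArmor record."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def denied_events(log_text):
    """Keep only DENIED records; ALLOWED (complain-mode) records are informational."""
    events = (parse_event(line) for line in log_text.splitlines())
    return [e for e in events if e and e.get('apparmor') == 'DENIED']


def summarize(events):
    """Count denials by (profile, operation, path) so repeated hits collapse into one row."""
    return Counter((e.get('profile', '?'), e.get('operation', '?'), e.get('name', ''))
                   for e in events)


def candidate_rule(event):
    """Draft the profile rule that would cover a file-class denial.

    Only file-class events are handled; anything else returns None so a person looks at it.
    The denied mask is rewritten into AppArmor's usual letter order (e.g. "wr" -> "rw").
    """
    if event.get('class', 'file') != 'file' or 'name' not in event:
        return None
    mask = ''.join(c for c in 'rwalkm' if c in event.get('denied_mask', ''))
    if not mask:
        return None
    return f'{event["name"]} {mask},'


if __name__ == '__main__':
    denials = denied_events(SAMPLE_LOG)
    for (profile, op, path), n in sorted(summarize(denials).items()):
        print(f'{n:3d}  profile={profile} operation={op} path={path}')
    print('candidate rules:')
    for rule in sorted({r for r in map(candidate_rule, denials) if r}):
        print('  ' + rule)
```

Feeding the script real lines from `dmesg` or `/var/log/audit/audit.log` shows immediately whether the denial is raised against the lsblk profile (the confined path described above) or not at all (the unconfined path), and the drafted rules are a starting point for the profile change rather than something to paste in unreviewed.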
