I straced the rsyslogd process that is running inside the container while I was triggering the events that result in the DENIED message. strace() stayed put(!).
This is the current DENIED message that shows up in the questing host (where the questing lxd is running):

[Tue Sep 16 13:55:01 2025] audit: type=1400 audit(1758030901.984:1192): apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=10991 comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

I log out and log in (which is what triggers the DENIED messages), and that PID is always the same: 10991. PID 10991 is the systemd-journald daemon from the CONTAINER, but as seen from the host:

10919 ?        Ss     0:00 [lxc monitor] /var/snap/lxd/common/lxd/containers q
10926 ?        Ss     0:00  \_ /sbin/init
10991 ?        Ss     0:00      \_ /usr/lib/systemd/systemd-journald

It shows up as confined like this (from the host):

lxd-q_</var/snap/lxd/common/lxd>//&:lxd-q_<var-snap-lxd-common-lxd>:unconfined (enforce) 1000000 10991  0.0  0.7  34524 14384 ?  Ss  13:45  0:00      \_ /usr/lib/systemd/systemd-journald

So why would the rsyslog profile be the culprit for denying systemd-journald pid 10991 from reading dev-log?

--
https://bugs.launchpad.net/bugs/2123821
Title: bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"
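To triage audit lines like the one in this report, here is an added Python example (not from the bug report or from the apparmor/lxd projects) that parses AppArmor audit records into key=value fields and pulls out DENIED events whose namespace is a nested (container) policy namespace, flagging cases where the confining profile name does not match the denied command. The first sample line is the one from the report; the second is a constructed ALLOWED line so the filter has something to skip.

```python
import re

# Constructed sample input: line 1 is the DENIED record from the bug report,
# line 2 is a made-up ALLOWED record in the root namespace.
SAMPLE_LOG = """\
[Tue Sep 16 13:55:01 2025] audit: type=1400 audit(1758030901.984:1192): apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log" pid=10991 comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
[Tue Sep 16 13:55:02 2025] audit: type=1400 audit(1758030902.100:1193): apparmor="ALLOWED" operation="open" class="file" namespace="root" profile="example-profile" name="/etc/hosts" pid=4242 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword; group 3 is the quoted form, group 4 the bare form
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of key=value fields from one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def triage_denials(log_text):
    """Collect DENIED events, noting nested namespaces and profile/comm mismatches."""
    events = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        ns = f.get('namespace', 'root')
        profile = f.get('profile') or ''
        comm = f.get('comm') or ''
        events.append({
            'namespace': ns,
            'nested': '//' in ns,   # root//<child> is a container's own policy namespace
            'profile': profile,
            'pid': int(f['pid']),
            'comm': comm,
            'path': f.get('name'),
            'denied_mask': f.get('denied_mask'),
            # a profile name unrelated to the command is the thing to check against the PID tree
            'profile_matches_comm': bool(comm) and comm in profile,
        })
    return events


if __name__ == '__main__':
    for ev in triage_denials(SAMPLE_LOG):
        print(ev)
```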
