Andreas, you are right that this is related to LP: #2121552. I'll try to
explain:

This is a unix operation, and as Seth mentioned, we cross-check, at the same
time, whether
1. the sender is allowed to send to the receiver
2. the receiver is allowed to receive from the sender

That's why unix rules have a peer component to them:
unix (receive) peer=(label=unconfined),

This rule is included in abstractions/base, so rsyslog is allowed to
receive unix sockets from unconfined, which is the case here. There's
another detail though: since this is a named unix socket, AppArmor also
does a filesystem check using file rules. That's the denial we are
seeing due to the bug in 2121552. Since systemd-journald (owner of the
unix socket and unconfined) is running in the container in an (AppArmor)
virtualized stack, rsyslog is not being allowed delegation of the
unconfined fd by default as expected.

This will require a kernel fix for a permanent solution.
Meanwhile, 
/run/systemd/journal/dev-log r,
in rsyslog should allow it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2123821

Title:
  bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-
  snap-lxd-common-lxd>" profile="rsyslogd"
  name="/run/systemd/journal/dev-log"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123821/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
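The message above reads a denial like the one in the bug title and turns it into the file rule that covers the named-socket filesystem check. The following is an added example, not code from the bug thread or from AppArmor itself: a small parser for AppArmor audit records that extracts the quoted fields, reports whether the denial came from a policy namespace (as the container case here does), and derives the matching file rule. The sample record is constructed from the fields quoted in the bug title; its `operation=`, `pid=`, `comm=` and `*_mask=` values are assumptions added for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample record, modelled on the fields quoted in the bug title.
# operation=, pid=, comm= and the mask fields are assumed values, not taken
# from the actual denial.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="sendmsg" '
    'namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" '
    'name="/run/systemd/journal/dev-log" pid=1234 comm="rsyslogd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# key=value pairs; values are either double-quoted (may contain spaces,
# '//', '<' and '>') or a bare token such as pid=1234.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an AppArmor audit record into a key -> value dict.

    Quoted values are returned without their surrounding quotes; bare
    values (pid, fsuid, ouid, ...) are returned as strings.
    """
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_denial(fields: Dict[str, str]) -> bool:
    """True when the record is an enforced denial rather than an audit/allow."""
    return fields.get("apparmor") == "DENIED"


def in_policy_namespace(fields: Dict[str, str]) -> bool:
    """True when the profile ran inside a child policy namespace.

    AppArmor writes nested namespaces as parent//child, which is how a
    profile loaded inside an LXD container shows up on the host.
    """
    return "//" in fields.get("namespace", "")


def suggest_file_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return the file rule that would permit exactly the denied mask.

    For the sample record this yields '/run/systemd/journal/dev-log r,',
    the rule the bug comment proposes adding to the rsyslog profile.
    Returns None when the record is not a denial on a filesystem path.
    """
    if not is_denial(fields):
        return None
    name = fields.get("name", "")
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not name.startswith("/") or not mask:
        return None
    # AppArmor requires paths containing whitespace to be double-quoted.
    if any(ch.isspace() for ch in name):
        name = f'"{name}"'
    return f"{name} {mask},"


if __name__ == "__main__":
    parsed = parse_audit_line(SAMPLE_DENIAL)
    where = "policy namespace" if in_policy_namespace(parsed) else "root namespace"
    print(f"profile={parsed['profile']} ({where})")
    print(f"suggested rule: {suggest_file_rule(parsed)}")
```

The suggested rule is meant for the profile's local include (for example `/etc/apparmor.d/local/usr.sbin.rsyslogd`) followed by a profile reload; it permits only the path and mask the kernel denied, so it does not widen access beyond what the denial shows.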