dnsmasq profile incomplete for lxc usage
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[impact]
This bug prevents the proper functioning of dnsmasq under lxc.
[steps to reproduce]
1) install lxc
2) start container, do dns lookups within it
3) with the fix applied, dnsmasq in the host os should not generate
apparmor rejections in syslog
[regression potential]
The change in the patch for this bug is a slight loosening of the
apparmor policy for dnsmasq. The risk of an introduced regression
is small.
[original description]
Hi,
I am using the dnsmasq profile with lxc, and I am getting DENIED messages like:
Dec 16 22:26:58 superstar kernel: [226445.568383] type=1400 audit(141876881
Adding rw for that path obviously makes it go away, and seems like a reasonable change.
Thanks,
James
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor-profiles 2.8.95~
ProcVersionSign
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Dec 17 11:27:18 2014
PackageArchitec
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
Syslog:
UpgradeStatus: No upgrade log present (probably fresh install)
tags: added: aa-policy
Changed in apparmor: milestone: none → 2.9.2
Changed in apparmor: status: Fix Committed → Fix Released
Once you get past that error, the dnsmasq process spawned by lxc-net will need to write its PID to /run/lxc/dnsmasq.pid, so this also needs to be added to the policy.
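
A check for step 3 of the reproduction steps, as an added example that is not part of the bug report or of AppArmor's own code: it parses AppArmor audit records from syslog text, keeps the DENIED entries for one profile, and lists candidate rules for review. The sample log lines are constructed, and the profile name `/usr/sbin/dnsmasq`, the `ntpd` line and the `/example/...` paths are assumptions; only `/run/lxc/dnsmasq.pid` comes from the page.

```python
import re
from collections import defaultdict

# Constructed sample input (the report's own log line is truncated, so nothing
# here is copied from it). Layout follows the kernel's AppArmor audit records.
HEX_NAME = "/example/with space.conf".encode().hex().upper()  # audit hex-encodes such names
SAMPLE_SYSLOG = "\n".join([
    'Dec 16 22:26:58 host kernel: [1.0] type=1400 audit(1418768818.101:201): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/run/lxc/dnsmasq.pid" pid=4242 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'Dec 16 22:26:59 host kernel: [2.0] type=1400 audit(1418768819.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/run/lxc/dnsmasq.pid" pid=4242 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    'Dec 16 22:27:00 host kernel: [3.0] type=1400 audit(1418768820.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/example/other" pid=99 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Dec 16 22:27:01 host kernel: [4.0] type=1400 audit(1418768821.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dnsmasq" name="/example/complain" pid=4242 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    f'Dec 16 22:27:02 host kernel: [5.0] type=1400 audit(1418768822.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name={HEX_NAME} pid=4242 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # Unquoted name: the audit layer hex-encoded it (space, quote, ...).
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields

def denials_for_profile(text, profile):
    """Return {path: set of denied permission letters} for one profile."""
    denied = defaultdict(set)
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("apparmor") == "DENIED" and f.get("profile") == profile:
            denied[f.get("name", "<no name>")].update(f.get("denied_mask", ""))
    return dict(denied)

def suggest_rules(denied):
    """Render candidate file rules for human review; create/delete fold into w."""
    rules = []
    for path in sorted(denied):
        perms = {"w" if p in "cd" else p for p in denied[path]}
        mode = "".join(p for p in "rwaxmlk" if p in perms)
        target = f'"{path}"' if " " in path else path
        rules.append(f"  {target} {mode},")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(denials_for_profile(SAMPLE_SYSLOG, "/usr/sbin/dnsmasq"))))
```

With the fix applied, `denials_for_profile` run over the host's real syslog should return an empty dict for the dnsmasq profile after a container has done DNS lookups.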