debcrafters-packages team mailing list archive

[Bug 2123821] Re: bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"

I straced the rsyslogd process that is running inside the container
while I was triggering the events that result in the DENIED message.
strace() stayed put(!).

This is the current DENIED message that shows up in the questing host
(where the questing lxd is running):

[Tue Sep 16 13:55:01 2025] audit: type=1400 audit(1758030901.984:1192):
apparmor="DENIED" operation="sendmsg" class="file" namespace="root//lxd-
q_<var-snap-lxd-common-lxd>" profile="rsyslogd"
name="/run/systemd/journal/dev-log" pid=10991 comm="systemd-journal"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

I log out and log in (which is what triggers the DENIED messages), and
that PID is always the same: 10991.

PID 10991 is the systemd-journald daemon from the CONTAINER, but as seen
from the host:

  10919 ?        Ss     0:00 [lxc monitor] /var/snap/lxd/common/lxd/containers q
  10926 ?        Ss     0:00  \_ /sbin/init
  10991 ?        Ss     0:00      \_ /usr/lib/systemd/systemd-journald


It shows up as confined like this (from the host):

lxd-q_</var/snap/lxd/common/lxd>//&:lxd-q_<var-snap-lxd-common-
lxd>:unconfined (enforce) 1000000 10991 0.0  0.7 34524 14384 ? Ss 13:45
0:00      \_ /usr/lib/systemd/systemd-journald


So why would the rsyslog profile be the culprit for denying systemd-journald pid 10991 from reading dev-log?

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2123821

Title:
  bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-
  snap-lxd-common-lxd>" profile="rsyslogd"
  name="/run/systemd/journal/dev-log"

Status in apparmor package in Ubuntu:
  Invalid
Status in rsyslog package in Ubuntu:
  Confirmed

Bug description:
  On my Questing system running LXD containers, my kernel log is full of
  messages like:

  [  129.551382] audit: type=1400 audit(1757925628.229:1005):
  apparmor="DENIED" operation="sendmsg" class="file"
  namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd"
  name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal"
  requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

  One of my containers is named "q", hence the "root//lxd-q...". Some
  actual functionality is likely broken in the container.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123821/+subscriptions
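An added example, not part of this bug thread or of the rsyslog or AppArmor projects: a small Python parser for the audit lines quoted above that splits the policy namespace from the profile name and flags events where `comm` and `profile` disagree, as they do in this report. The prefix comparison used for the mismatch check is a heuristic chosen here, not anything AppArmor itself does.

```python
import re
from collections import Counter
from typing import Dict, List

# The two DENIED lines quoted in this bug report (dmesg timestamp and the
# mail line wrapping removed), used as sample input.
SAMPLE_LINES = [
    'audit: type=1400 audit(1758030901.984:1192): apparmor="DENIED" operation="sendmsg" '
    'class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" '
    'name="/run/systemd/journal/dev-log" pid=10991 comm="systemd-journal" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    'audit: type=1400 audit(1757925628.229:1005): apparmor="DENIED" operation="sendmsg" '
    'class="file" namespace="root//lxd-q_<var-snap-lxd-common-lxd>" profile="rsyslogd" '
    'name="/run/systemd/journal/dev-log" pid=5370 comm="systemd-journal" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
]

# key=value fields: values are either double-quoted (may contain spaces, "/"
# and "<...>", as the namespace does) or bare tokens such as pid=10991.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def summarize_denial(line: str) -> Dict[str, object]:
    """Pull out the fields a triager looks at and flag a comm/profile mismatch."""
    f = parse_apparmor_audit(line)
    ns_parts = f.get("namespace", "root").split("//")  # "root//lxd-q_<...>" -> child ns
    comm, profile = f.get("comm", ""), f.get("profile", "")
    # comm is the kernel's truncated task name, so compare by prefix (heuristic):
    # "systemd-journal" under profile "rsyslogd" is the oddity this bug is about.
    mismatch = bool(comm) and not (profile.startswith(comm) or comm.startswith(profile))
    return {
        "denied": f.get("apparmor") == "DENIED",
        "container_ns": ns_parts[-1] if len(ns_parts) > 1 else None,
        "profile": profile, "comm": comm,
        "pid": int(f["pid"]) if "pid" in f else None,
        "path": f.get("name"), "denied_mask": f.get("denied_mask"),
        "profile_comm_mismatch": mismatch,
    }


def count_denials(lines: List[str]) -> Counter:
    """Group DENIED events by (namespace, profile, comm, path) to see repeats."""
    c: Counter = Counter()
    for line in lines:
        f = parse_apparmor_audit(line)
        if f.get("apparmor") == "DENIED":
            c[(f.get("namespace"), f.get("profile"), f.get("comm"), f.get("name"))] += 1
    return c
```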