touch-packages team mailing list archive

Thread
Date
[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Anton Statutov <1446906@xxxxxxxxxxxxxxxxxx>
Date: Tue, 08 Dec 2015 17:16:45 -0000
Reply-to: Bug 1446906 <1446906@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
I encountered this problem too on Ubuntu 15.04 running 3.19.0-39 kernel.
Fixed  it by turned off apparmor profile for LXC container by adding
"lxc.aa_profile = unconfined" into container's config. In my case
increased security risk is acceptable, but it's desirable to fix it the
right way.  Is there any information in what kernel version it will be
fixed and when this updates will be available in standartd ubuntu
repositories?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446906

Title:
  lxc container with postfix, permission denied on mailq

Status in lxc package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  on three Vivid host, all of them up-to-date, I have the problem
  described here:

  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223

  That bug report shows the problem was fixed, but it is not (at least
  on current Vivid)

  
  ii  linux-image-generic 3.19.0.15.14   amd64          Generic Linux kernel image
  ii  lxc                 1.1.2-0ubuntu3 amd64          Linux Containers userspace tools
  ii  apparmor            2.9.1-0ubuntu9 amd64          User-space parser utility for AppArmor

  
  Reproducible with:

  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test

  (inside container)

  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied

  
  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=27742 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  --- 
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  zoolook    1913 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-15-generic N/A
   linux-backports-modules-3.19.0-15-generic  N/A
   linux-firmware                             1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 31900004WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: dmi:bvnLENOVO:bvr5ECN95WW(V9.00):bd12/19/2012:svnLENOVO:pn20150:pvrLenovoG580:rvnLENOVO:rnINVALID:rvr31900004WIN8STDSGL:cvnLENOVO:ct10:cvrLenovoG580:
  dmi.product.name: 20150
  dmi.product.version: Lenovo G580
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1446906/+subscriptions