[Lxc-users] lxc, CIFS mounts and apparmor
TuxRaiderPen
tuxraiderpen at wpascanner.com
Sat Sep 1 16:26:26 UTC 2012
Playing with lxc "virtualization" to possibly isolate some things in their own
little/light world(s) v. standard VM via VMWare Server or Player.....
I am trying to use mount for cifs to mount to a NAS to export out some data
apparmor is blocking it... ok so allow it...
I edited...
$ cd /etc/apparmor.d/lxc/
$ more lxc-default
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
network,
capability,
file,
umount,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
mount fstype=cifs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*,
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# deny writes in /proc/sys/fs but allow fusectl to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
deny @{PROC}/sys/kernel/*/** wklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
}
I added: *mount fstype=cifs,*
But apparmor is still sticking it stupid nose in my way
[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED"
operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-
container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs"
fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"
Short of turning apparmor off, which is my next step...
Any apparmor guru's know how to remove this block ? ? ?
Or is this hidden in some other file now since the container is created? ?
And I would prefer not to use fuse to do this, for my own reason(s).
Thanks.
More information about the lxc-users
mailing list