[lxc-users] aa_profile = unconfined has no effect

Christoph Mathys eraserix at gmail.com
Fri Jun 19 08:49:07 UTC 2015


Disclaimer: I use lxc 1.0.7 on a custom built 3.12 kernel with preempt-rt patch.

I've come across some (well known) problems with dpkg-divert failing
inside the container.

$ sudo apt-get install dictionaries-common
...
Adding 'diversion of /usr/share/dict/words to
/usr/share/dict/words.pre-dictionaries-common by dictionaries-common'
dpkg: unrecoverable fatal error, aborting:
failed to fstat previous diversions file: No such file or directory
E: Sub-process /usr/bin/dpkg returned an error code (2)

dmesg on the lxc host contains the following error:
[ 1961.389983] type=1400 audit(1434694597.570:129): apparmor="DENIED"
operation="getattr" info="Failed name lookup - deleted entry" error=-2
parent=4750 profile="/usr/bin/lxc-start"
name="/var/lib/dpkg/diversions" pid=4771 comm="dpkg"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

So I tried to set "lxc.aa_profile = unconfined", but it does not have
any effect. The aa_profile is never changed from /usr/bin/lxc-start on
kernel 3.12 (aa-status shows a lot of processes being in enforce with
/usr/bin/lxc-start, no log entry from "lxc_apparmor" during lxc-start).

3.16 works as expected, the profile is changed during the start of the
container and I also get corresponding log entries from lxc-start.

Any ideas?

My current workaround is to just disable apparmor for lxc-start.

Christoph
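The dmesg line quoted above is the key evidence in this report: the denial is attributed to profile="/usr/bin/lxc-start" even though the process (comm="dpkg") runs inside the container, i.e. the profile transition that lxc.aa_profile should cause never happened. The following script, added here as an illustration and not part of the original post or of lxc, parses AppArmor audit records from dmesg into their key=value fields and flags denials where a non-lxc-start command is still confined by the launcher's own profile. The first sample line is the one from the post rejoined onto a single line; the other two lines, the profile name "lxc-container-default" and the function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample input. Line 1 is the denial from the post (rejoined onto one
# line); lines 2 and 3 are made up to show a denial under a container profile and a
# non-denial STATUS record, neither of which should be reported.
SAMPLE_DMESG = """\
[ 1961.389983] type=1400 audit(1434694597.570:129): apparmor="DENIED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=4750 profile="/usr/bin/lxc-start" name="/var/lib/dpkg/diversions" pid=4771 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2000.000000] type=1400 audit(1434694636.000:130): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/proc/" pid=4800 comm="mount" flags="rw, nosuid, nodev, noexec, remount"
[ 2001.000000] type=1400 audit(1434694637.000:131): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=4801 comm="apparmor_parser"
"""

# key=value pairs; the value is either a double-quoted string (may contain
# spaces, as in info="Failed name lookup - deleted entry") or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

LAUNCHER_PROFILE = "/usr/bin/lxc-start"


def parse_audit_line(line: str) -> Dict[str, str]:
    """Turn one AppArmor audit line into a dict of its key=value fields.

    Prefixes without '=' (the dmesg timestamp, 'audit(...):') are ignored and
    surrounding quotes are stripped from quoted values.
    """
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def denials(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only records that AppArmor reported as DENIED."""
    return [rec for rec in map(parse_audit_line, lines) if rec.get("apparmor") == "DENIED"]


def find_unswitched(lines: List[str], launcher: str = LAUNCHER_PROFILE) -> List[Dict[str, str]]:
    """Return denials where a command other than the launcher itself is still
    confined by the launcher's profile.

    After a working lxc.aa_profile transition, container processes such as dpkg
    should show up under the container's profile (or 'unconfined'), never under
    the launcher's profile. A hit therefore indicates the profile switch did not
    take effect on this host, which is exactly the symptom described in the post.
    """
    return [
        rec for rec in denials(lines)
        if rec.get("profile") == launcher and rec.get("comm") != "lxc-start"
    ]


def describe(rec: Dict[str, str]) -> str:
    """One-line human-readable summary of a flagged record."""
    return (f"pid {rec.get('pid')} ({rec.get('comm')}) denied {rec.get('operation')} "
            f"on {rec.get('name')} while confined by {rec.get('profile')}")


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host pipe `dmesg`
    # output in instead of SAMPLE_DMESG.
    for hit in find_unswitched(SAMPLE_DMESG.splitlines()):
        print("profile not switched:", describe(hit))
```

On a live host the same check can be pointed at `dmesg` or the audit log; a non-empty result is a quick way to tell "the profile was applied but is too strict" apart from "the profile was never applied", which is the distinction this thread turns on.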

