[lxc-users] AppArmor denies connect operation inside container

Fajar A. Nugraha list at fajar.net
Tue Jul 7 03:35:57 UTC 2020


On Tue, Jul 7, 2020 at 2:40 AM Joshua Schaeffer
<jschaeffer at harmonywave.com> wrote:
>
> Looking for some help with getting slapd to be able to connect to saslauthd inside an LXD container. Whenever slapd needs to connect to the socket I see the following error message in the host's kernel log:
>
>     Jul  6 13:27:17 host kernel: [923413.078592] audit: type=1400 audit(1594063637.667:51106): apparmor="DENIED" operation="connect" namespace="root//lxd-container1_<var-lib-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=58517 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=10000111 ouid=10000000
>
> I've added the following to the container config and restarted the container, but I'm still seeing the same problem:
>
>     lxcuser at host:~$ lxc config get container1 raw.apparmor
>     /run/saslauthd/mux wr,
>
> I'm not super familiar with AppArmor and going through the docs now, but thought I'd ask to see if anybody can point me in the right direction.

I'm guessing you haven't tested the same slapd setup on VM/baremetal
either? Try https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557157

Looks like the fix is in groovy's openldap already, with other
releases pending. Try editing /etc/apparmor.d/usr.sbin.slapd inside
the container.

-- 
Fajar
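As an added example (not part of the thread, and not LXD's or AppArmor's own tooling), here is a small Python script that parses the kernel audit line quoted in the question and derives two things from it: the file rule that would permit exactly the denied access (`/run/saslauthd/mux wr,`, the same rule the poster put into `raw.apparmor`) and which profile that rule has to live in. The `namespace="root//lxd-container1_<var-lib-lxd>"` field shows the denial was raised by slapd's own profile loaded inside the container's AppArmor namespace, not by the LXD container profile that `raw.apparmor` extends, which is why adding the rule there had no effect and why the rule belongs in `/etc/apparmor.d/usr.sbin.slapd` inside the container, as the reply suggests. The `lxd-<name>_<path>` namespace format and the mapping from a profile name to its file under `/etc/apparmor.d` are assumptions taken from the quoted line and the usual AppArmor naming convention.

```python
import re

# Audit line quoted in the original post (copied from the thread, not constructed).
SAMPLE_LINE = (
    'Jul  6 13:27:17 host kernel: [923413.078592] audit: type=1400 '
    'audit(1594063637.667:51106): apparmor="DENIED" operation="connect" '
    'namespace="root//lxd-container1_<var-lib-lxd>" profile="/usr/sbin/slapd" '
    'name="/run/saslauthd/mux" pid=58517 comm="slapd" requested_mask="wr" '
    'denied_mask="wr" fsuid=10000111 ouid=10000000'
)

# Matches key="quoted value" or key=bare_value tokens of an audit record.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denial(line):
    """Return the key/value fields of an AppArmor DENIED audit line, or None otherwise."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def container_namespace(fields):
    """Name of the LXD container whose AppArmor namespace raised the denial, or None on the host.

    Assumption: LXD names the namespace 'root//lxd-<name>_<path>', as in the quoted line.
    """
    m = re.match(r'root//lxd-(.+?)_<', fields.get('namespace', ''))
    return m.group(1) if m else None


def suggest_rule(fields):
    """File rule granting exactly the denied access, e.g. '/run/saslauthd/mux wr,'."""
    if 'name' not in fields or 'denied_mask' not in fields:
        return None  # not a path-based denial; nothing to suggest from this record
    return '{} {},'.format(fields['name'], fields['denied_mask'])


def where_to_add(fields):
    """Decide which profile file the rule belongs in.

    'profile' names the confining profile. Assumption: the conventional file for a
    profile named /usr/sbin/slapd is /etc/apparmor.d/usr.sbin.slapd (standard AppArmor
    naming, which the reply in the thread also uses).
    """
    profile = fields['profile']
    profile_file = '/etc/apparmor.d/' + profile.lstrip('/').replace('/', '.')
    container = container_namespace(fields)
    if container is None:
        return {'scope': 'host', 'container': None, 'profile_file': profile_file}
    # The denial came from a profile loaded *inside* the container's namespace, so
    # the LXD container profile (what raw.apparmor extends) is not the one to change.
    return {'scope': 'container', 'container': container, 'profile_file': profile_file}


if __name__ == '__main__':
    fields = parse_apparmor_denial(SAMPLE_LINE)
    target = where_to_add(fields)
    print('denied:', fields['operation'], 'on', fields['name'], 'by', fields['profile'])
    print('rule:  ', suggest_rule(fields))
    if target['scope'] == 'container':
        print('add it to {} inside container {}, then reload with apparmor_parser -r'.format(
            target['profile_file'], target['container']))
    else:
        print('add it to', target['profile_file'], 'on the host, then reload with apparmor_parser -r')
```

Running it against the quoted line prints the `/run/saslauthd/mux wr,` rule and points at `/etc/apparmor.d/usr.sbin.slapd` inside `container1`; a denial without a `namespace=` field is classified as a host-side profile instead, so the same script is usable for the VM/bare-metal comparison the reply suggests.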
