
I am trying to run a firewall (Zentyal) on Ubuntu 16.04 inside an LXD container on top of an Arch Linux host. It requires some AppArmor functionality to do its thing (mainly DHCP), so I installed an AppArmor-enabled kernel on the host and set up the LXD config according to every pointer I found on the internet that related to AppArmor, so it now looks like this:

    name: router
    profiles:
    - default
    config:
      raw.lxc: lxc.aa_profile= unconfined
      security.nesting: "true"
      security.privileged: "true"
      volatile.base_image: 9c774bed40a5a8a34c2c96c1a93f4d46b0f59cda96defc07bc2c29cf473beb22
      volatile.eth0.name: eth0
      volatile.eth1.name: eth1
      volatile.last_state.idmap: '[]'
      volatile.last_state.power: RUNNING
    devices:
      eth0:
        nictype: physical
        parent: enp2s0
        type: nic
      eth1:
        nictype: bridged
        parent: br0
        type: nic
      root:
        path: /
        type: disk
    ephemeral: false

However, I am still getting those errors in Zentyal logs:

    2016/12/22 22:56:48 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed. 
    2016/12/22 22:59:43 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.dhcpd failed. 
    2016/12/22 22:59:43 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.dhcpd failed. 
    2016/12/22 22:59:43 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.dhcpd failed. 
    2016/12/22 22:59:44 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed. 
    2016/12/22 22:59:44 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed. 
    2016/12/22 22:59:44 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed. 

And when I try to run one of those commands by hand to get a more direct error, I get this:

    /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.dhcpd
    /sbin/apparmor_parser: Unable to replace "/usr/sbin/dhcpd".  Permission denied; attempted to load a profile while confined?

Is there something more that can be done here, or is it just not doable?

lockheed
  • 101

1 Answer


aa-complain appname will turn off restrictions but still complain and write to logs.

Install

sudo apt-get install apparmor-utils

sudo aa-logprof will look through logs and ask you if you want to enable certain permissions for all available profiles.

sudo aa-cleanprof appname or /pathto/app will wipe the existing profile

sudo aa-genprof appname or /pathto/app will generate a new profile and scan logs for required changes.

sudo aa-autodep appname or /pathto/app will attempt to create a profile and all dependencies for an app.

You can set aa-complain appname then run through the steps that you want to do with the application. Turn it on, shut it down, restart it, reload it, open files etc. Then run aa-logprof to make apparmor look for changes that you can approve or deny.

If that does not work aa-cleanprof appname then aa-autodep appname would be the quickest way to a new profile. If you get a complaint about an existing profile being present, go to /etc/apparmor.d/ and mv it to profilename_OLD.

m_krsic
  • 559
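Before reaching for aa-genprof it is worth confirming what the error message in the question is actually saying: "attempted to load a profile while confined?" means apparmor_parser itself is running under an AppArmor profile, which is the case when the host's LXD profile is still applied to the container despite the raw.lxc setting. The script below is an added example, not code from the question, the answer or Zentyal: it pulls the failing profile paths out of the Zentyal log lines quoted above (embedded here as constructed sample input), classifies the confinement label in /proc/self/attr/current, and checks whether the securityfs load interface that apparmor_parser writes to is usable. The function names are mine, and the sample label `lxd-router_</var/lib/lxd> (enforce)` is an assumed illustration of the profile name LXD applies to a container, not something taken from the page.

```shell
#!/bin/sh
# Added diagnostic example (not from the question, the answer or Zentyal).
# Function names and the sample LXD label below are assumptions.

# Constructed sample input: the Zentyal log lines quoted in the question.
ZENTYAL_LOG='2016/12/22 22:56:48 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed.
2016/12/22 22:59:43 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.dhcpd failed.
2016/12/22 22:59:44 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed.'

# failed_profiles LOGTEXT
# Prints the unique profile paths whose "apparmor_parser --replace" was rejected.
failed_profiles() {
    printf '%s\n' "$1" \
      | sed -n 's/.*apparmor_parser .*--replace \([^ ]*\) failed\..*/\1/p' \
      | sort -u
}

# aa_label_kind LABEL
# LABEL is the text of /proc/self/attr/current. AppArmor reports "unconfined"
# for an unconfined task and "<profile> (enforce|complain)" for a confined one,
# e.g. the assumed LXD label "lxd-router_</var/lib/lxd> (enforce)".
# Prints: unconfined | confined | unknown
aa_label_kind() {
    case "$1" in
        unconfined)                       echo unconfined ;;
        *'(enforce)'*|*'(complain)'*)     echo confined ;;
        *)                                echo unknown ;;
    esac
}

# current_aa_label
# Prints this process's AppArmor label, or nothing if the kernel does not expose one.
current_aa_label() {
    if [ -r /proc/self/attr/current ]; then
        cat /proc/self/attr/current 2>/dev/null || true
    fi
}

# aa_load_interface_usable
# apparmor_parser loads profiles by writing to securityfs; if that file is not
# writable from inside the container, every --replace will fail regardless of
# how the profile itself looks.
aa_load_interface_usable() {
    [ -w /sys/kernel/security/apparmor/.load ]
}

diagnose() {
    label=$(current_aa_label)
    echo "apparmor label of this shell: ${label:-<none>} [$(aa_label_kind "$label")]"
    if aa_load_interface_usable; then
        echo "securityfs: /sys/kernel/security/apparmor/.load is writable, profile loads can succeed"
    else
        echo "securityfs: /sys/kernel/security/apparmor/.load not writable, apparmor_parser --replace will fail"
    fi
    echo "profiles Zentyal failed to load:"
    failed_profiles "$ZENTYAL_LOG" | sed 's/^/  /'
}

# Run the live checks only when invoked as: sh diagnose.sh run
if [ "${1:-}" = run ]; then
    diagnose
fi
```

Run it as root inside the container with `sh diagnose.sh run`. If the label line shows an LXD-style profile in enforce mode rather than `unconfined`, the container is still confined by the host and no amount of aa-complain or aa-genprof inside the guest will help; the fix has to happen in the LXD config on the host (compare `lxc config show router --expanded` with what the container actually reports). Only once the shell reports `unconfined` and a writable `.load` does the profile-regeneration workflow from the answer (aa-complain, exercise the service, aa-logprof) become the right next step.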