[Bug 1221840] podman with pasta (passt) fails with apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1221840
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c15
--- Comment #15 from Stefano Brivio
> Thanks for the patch, even though I can invoke `pasta` without any errors, I'm still getting the same permission denied error on the netns:
>
>   Couldn't open network namespace /proc/9080/ns/net: Permission denied
>
> Adding the following rule to usr.bin.passt doesn't help either:
>
>   /proc/@{pid}/ns/ r,

That should be '/proc/@{pid}/ns/**', but anyway that's already covered by abstractions/pasta:

  @{PROC}/[0-9]*/ns/net r,	# pasta_wait_for_ns()
  @{PROC}/[0-9]*/ns/user r,	# conf_pasta_ns()

...you should make sure that those rules are taken into account, though.

> On the contrary, setting the two usr.bin.pas* profiles to complain mode, things are back to normal so perhaps the rules are still not right?

Definitely, it's an issue with AppArmor rules. Can you tail -f /var/log/audit/audit.log while you run 'pasta' and check what AppArmor is denying as you do that?
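
One way to do the check requested above, as an added example that is not part of the bug comment or of the passt project: it pulls AppArmor DENIED records for pasta/passt out of audit.log text and tests each denied path against the two abstractions/pasta rules quoted in the comment. The sample log lines, the profile name `pasta`, the function names, and the simplified glob matching (with `@{PROC}` taken as `/proc`) are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual audit.log AppArmor layout; not from the bug report.
SAMPLE_LOG = '''\
type=AVC msg=audit(1711000000.101:510): apparmor="DENIED" operation="open" class="file" profile="pasta" name="/proc/9080/ns/net" pid=9081 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1711000000.102:511): apparmor="ALLOWED" operation="open" class="file" profile="pasta" name="/proc/9080/ns/user" pid=9081 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1711000000.103:512): arch=c000003e syscall=257 success=no exit=-13 comm="pasta"
type=AVC msg=audit(1711000000.104:513): apparmor="DENIED" operation="open" class="file" profile="pasta" name="/proc/9080/ns/net" pid=9081 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

# Path rules quoted in the comment above, with @{PROC} written out as /proc (assumption).
QUOTED_RULES = ["/proc/[0-9]*/ns/net", "/proc/[0-9]*/ns/user"]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text, comm_prefix="pas"):
    """Return AppArmor DENIED records whose comm starts with comm_prefix."""
    out = []
    for line in text.splitlines():
        f = {k: q if q else u for k, q, u in FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and f.get("comm", "").startswith(comm_prefix):
            out.append(f)
    return out

def glob_to_regex(rule):
    """Approximate AppArmor path globbing: ** crosses '/', * and ? do not."""
    parts = re.split(r'(\*\*|\*|\?|\[[^\]]+\])', rule)
    trans = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(
        trans.get(p, p if p.startswith("[") else re.escape(p)) for p in parts) + r"\Z")

def summarize(text):
    """Count denials per (profile, path, mask); flag paths a quoted rule matches."""
    counts = Counter((d.get("profile"), d.get("name"), d.get("denied_mask"))
                     for d in parse_denials(text))
    rules = [glob_to_regex(r) for r in QUOTED_RULES]
    return [(prof, path, mask, n, any(r.match(path or "") for r in rules))
            for (prof, path, mask), n in counts.items()]

if __name__ == "__main__":
    for prof, path, mask, n, covered in summarize(SAMPLE_LOG):
        note = ("path matches a quoted rule; check that the rule is in the loaded profile"
                if covered else "no quoted rule matches this path")
        print(f"{n}x profile={prof} path={path} mask={mask} -> {note}")
```

To run it on a real log, pass the contents of /var/log/audit/audit.log to `summarize()` instead of `SAMPLE_LOG`.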