https://bugzilla.novell.com/show_bug.cgi?id=411752

Summary: AppArmor mediates subpaths on live cd aufs union filesystem
Product: openSUSE 11.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: jjohansen@novell.com
ReportedBy: jjohansen@novell.com
QAContact: qa@suse.de
Found By: Development

The live cd mounts a read-write filesystem over a read-only filesystem, and then makes the aufs mount the new root (with pivot_root). Here is what happens (I hope I got it all right):

    losetup [...]
    mkdir /read-only
    mount /dev/loop1 /read-only
    mkdir /mnt
    mount -t tmpfs tmpfs /mnt
    mkdir /mnt/read-only
    mount --move /read-only /mnt/read-only
    mkdir /mnt/read-write
    mount -t tmpfs tmpfs /mnt/read-write
    mount -t tmpfs tmpfs /xino
    mount --move /dev /mnt/dev
    mount -t aufs -o dirs=/read-write=rw:/read-only=ro,xino=/xino/.aufs.xino \
        none /mnt
    cd /mnt
    /mnt/sbin/pivot_root . mnt

Now when trying to exec something, for example /bin/ping, apparmor wrongly sees the pathname as /read-only/bin/ping, and fails the exec with this audit record:

    type=APPARMOR_DENIED msg=audit(1216819099.475:69): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=999 name="/read-only/bin/ping" pid=6669 profile="/bin/ping"
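To triage this class of denial from audit logs, here is an added Python example (not part of the bug report or of AppArmor itself). It parses the aufs `dirs=` option from the mount command above to learn the union branches, parses APPARMOR_DENIED records into fields, and flags any denial whose `name` lies under a branch directory rather than the merged root, reporting the merged path AppArmor should have seen. The option string as a stand-alone value and the second audit line are constructed for the example; the first audit line is the one from the report.

```python
"""Flag AppArmor denials that report a union-filesystem branch path instead of
the merged path.  Example added for this report; assumes aufs 'dirs=' syntax
as used in the mount command above."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the aufs option string from the report and two
# audit records (the first is the real one from the report, the second is a
# constructed ordinary denial that is not a branch-path problem).
AUFS_OPTS = "dirs=/read-write=rw:/read-only=ro,xino=/xino/.aufs.xino"
AUDIT_LINES = [
    'type=APPARMOR_DENIED msg=audit(1216819099.475:69): '
    'operation="inode_permission" requested_mask="::r" denied_mask="::r" '
    'fsuid=999 name="/read-only/bin/ping" pid=6669 profile="/bin/ping"',
    'type=APPARMOR_DENIED msg=audit(1216819100.000:70): '
    'operation="inode_permission" requested_mask="::w" denied_mask="::w" '
    'fsuid=0 name="/etc/shadow" pid=6670 profile="/bin/ping"',
]

# key="quoted value" or key=bare-token; quoted form is tried first.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def aufs_branches(opts: str) -> List[str]:
    """Return branch directories from an aufs mount option string, in the
    order given, e.g. 'dirs=/rw=rw:/ro=ro,...' -> ['/rw', '/ro']."""
    for opt in opts.split(","):
        if opt.startswith("dirs="):
            entries = opt[len("dirs="):].split(":")
            # each entry is '<dir>' or '<dir>=<perm>'; keep only the dir
            return [e.split("=", 1)[0] for e in entries if e]
    return []


def parse_audit(line: str) -> Dict[str, str]:
    """Parse one audit record into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def branch_leak(rec: Dict[str, str], branches: List[str]) -> Optional[str]:
    """If the denied 'name' lies under a union branch directory, return the
    merged-root path it corresponds to; otherwise return None."""
    name = rec.get("name", "")
    for branch in branches:
        prefix = branch.rstrip("/") + "/"
        if name.startswith(prefix):
            return "/" + name[len(prefix):]
    return None


def scan(lines: List[str], opts: str) -> List[Tuple[str, str, str]]:
    """Return (profile, denied name, merged path) for every APPARMOR_DENIED
    record whose denied name is a branch path rather than a merged path."""
    branches = aufs_branches(opts)
    findings = []
    for line in lines:
        rec = parse_audit(line)
        if rec.get("type") != "APPARMOR_DENIED":
            continue
        merged = branch_leak(rec, branches)
        if merged is not None:
            findings.append((rec.get("profile", ""), rec["name"], merged))
    return findings


if __name__ == "__main__":
    for profile, denied, merged in scan(AUDIT_LINES, AUFS_OPTS):
        print(f"profile {profile}: denied {denied}, merged path would be {merged}")
```

When the reported merged path equals the profile name, as it does here (`/bin/ping`), the denial hit the profiled binary itself, which is why the exec fails outright rather than a single file access inside the program.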