Comment # 15 on bug 1221840 from Stefano Brivio
(In reply to Danish Prakash from comment #14)
> Thanks for the patch, even though I can invoke `pasta` without any errors,
> I'm still getting the same permission denied error on the netns:
> 
> > Couldn't open network namespace /proc/9080/ns/net: Permission denied
> 
> Adding the following rule to usr.bin.passt doesn't help either:
> 
> >   /proc/@{pid}/ns/          r,

That should be '/proc/@{pid}/ns/**', but anyway that's already covered by
abstractions/pasta:

  @{PROC}/[0-9]*/ns/net                 r,      # pasta_wait_for_ns(),
  @{PROC}/[0-9]*/ns/user                r,      # conf_pasta_ns()

...you should make sure that those rules are taken into account, though.

> On the contrary, setting the two usr.bin.pas* profiles to complain mode,
> things are back to normal so perhaps the rules are still not right?

Definitely, it's an issue with AppArmor rules. Can you tail -f
/var/log/audit/audit.log while you run 'pasta' and check what AppArmor is
denying as you do that?
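
The check requested above can be scripted. This is an added example, not part of the original comment: it pulls the AppArmor records for the pasta/passt profiles out of audit log text and prints what was refused. The sample records, the profile names `pasta` and `passt`, and the helper names are constructed assumptions.

```python
import re

# Constructed sample records in the kernel's AppArmor audit format. Profile
# names, pids and the ptrace record are illustrative, not taken from the bug.
SAMPLE_LOG = '''\
type=AVC msg=audit(1710000000.101:811): apparmor="DENIED" operation="open" class="file" profile="pasta" name="/proc/9080/ns/net" pid=9093 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1710000000.102:812): apparmor="ALLOWED" operation="open" class="file" profile="passt" name="/etc/hosts" pid=9094 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1710000000.103:813): apparmor="DENIED" operation="ptrace" class="ptrace" profile="pasta" pid=9093 comm="pasta" requested_mask="read" denied_mask="read" peer="unconfined"
type=SYSCALL msg=audit(1710000000.104:814): arch=c000003e syscall=257 success=no exit=-13 comm="pasta"
'''

# key=value or key="quoted value" pairs, as written by the audit subsystem.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denials(log_text, profiles=("pasta", "passt")):
    """Return AppArmor records for the given profiles (assumed names).

    Enforce mode logs refusals as DENIED; complain mode logs the same
    events as ALLOWED, so both are kept.
    """
    found = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if any(p in rec.get("profile", "") for p in profiles):
            found.append(rec)
    return found


def summarize(rec):
    """One line per record: verdict, profile, operation, object, mask."""
    # File rules carry name=, ptrace/signal rules carry peer= instead.
    target = rec.get("name") or rec.get("peer") or "-"
    return (f'{rec["apparmor"]} {rec["profile"]} {rec.get("operation", "-")} '
            f'{target} mask={rec.get("denied_mask", "-")}')


if __name__ == "__main__":
    for record in denials(SAMPLE_LOG):
        print(summarize(record))
```

On a real system, pass the contents of /var/log/audit/audit.log to `denials()` in place of `SAMPLE_LOG`.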

