Hello, Am Samstag, 25. November 2017 schrieb Knurpht - Gertjan Lettink:
There are indeed "DENIED lines" re. docker and containerd in the audit.log. Can't miss the server today, but will check tomorrow and file a bug against apparmor.
I'll happily reassign it to the docker maintainer - but nevertheless, please first report it against AppArmor and assign it to me.
Will testing with apparmor disabled be useful ?
No ;-) Please use aa-complain /etc/apparmor.d/usr.sbin.docker (assuming that's the profile filename - adjust as needed, and repeat for containerd) to switch the profile to complain mode. This will allow everything and log things that wouldn't be allowed by the profile. Then use Docker as usual and check the audit.log for entries. Note that the log lines contain apparmor="ALLOWED" for profiles in complain mode. BTW: the kernels that are currently building in Kernel:HEAD include the fix for boo#1069562 Regards, Christian Boltz -- There is a limit to the value of statistics. After all, there are lies, damn lies, and statistics. [Richard Brown in opensuse-project] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org