[pkg-apparmor] autopkgtest fails on debci

Michael Biebl biebl at debian.org
Wed Aug 23 13:32:04 BST 2023 

Control: reassign -1 apparmor
Control: affects -1 src:systemd
Control: retitle -1 apparmor makes systemd autopkgtests fail on bookworm
Control: found -1 3.0.8-3

The plot thickens...

Am 23.08.23 um 13:20 schrieb Michael Biebl:
> On Tue, 22 Aug 2023 16:08:24 +0200 Michael Biebl <biebl at debian.org> wrote:
>> Source: systemd
>> Version: 254.1-2
>> Severity: important
>>
>>
>> Looking at https://ci.debian.net/packages/s/systemd/unstable/amd64/ ,
>> systemd has been failing on debci since about the beginning of May.
>>
>> Asking around on #debci, this might be kernel related, as the debci
>> related systems were upgraded to bookworm around that time.

> 
> Small update:
> I can reproduce the failures in a bookworm (qemu) VM, using LXC.
> Only upgrading the kernel to the one from trixie [1] is sufficient to 
> make autopkgtest pass.
> 

... so does disabling AppArmor with the bookworm kernel.

For completeness sake the failing tests are:

# autopkgtest systemd -- lxc autopkgtest-bookworm


784s hostnamed            FAIL non-zero exit status 1
784s localed-locale       FAIL non-zero exit status 1
784s localed-x11-keymap   FAIL non-zero exit status 1
784s networkd-test.py     FAIL non-zero exit status 1
784s boot-and-services    FAIL non-zero exit status 1
784s unit-tests           FAIL non-zero exit status 1


# autopkgtest systemd -- lxc autopkgtest-trixie

782s hostnamed            FAIL non-zero exit status 1
782s localed-locale       FAIL non-zero exit status 1
782s networkd-test.py     FAIL non-zero exit status 1
782s boot-and-services    FAIL non-zero exit status 1


Running e.g.
# autopkgtest --test-name=hostnamed systemd -- lxc autopkgtest-trixie

I see the following error in the journal:

Aug 23 14:23:50 debian audit[4096]: AVC apparmor="DENIED" 
operation="file_lock" 
profile="lxc-autopkgtest-lxc-iomhit_</var/lib/lxc>" pid=4096 
comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 
requested_mask="send"
Aug 23 14:23:50 debian kernel: audit: type=1400 
audit(1692793430.788:33): apparmor="DENIED" operation="file_lock" 
profile="lxc-autopkgtest-lxc-iomhit_</var/lib/lxc>" pid=4096 
comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 
requested_mask="send"
Aug 23 14:23:50 debian kernel: audit: type=1400 
audit(1692793430.788:34): apparmor="DENIED" operation="file_lock" 
profile="lxc-autopkgtest-lxc-iomhit_</var/lib/lxc>" pid=4096 
comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 
requested_mask="send"
Aug 23 14:23:50 debian audit[4096]: AVC apparmor="DENIED" 
operation="file_lock" 
profile="lxc-autopkgtest-lxc-iomhit_</var/lib/lxc>" pid=4096 
comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 
requested_mask="send"



With the 6.4 kernel, no such error happens.

So, this looks to me like an AppArmor issue, thus reassigning to the 
apparmor package.


Dear AppArmor maintainers: can you please have a look? If you need 
further information, please let me know.

Regards,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20230823/d7d83249/attachment.sig>

More information about the pkg-apparmor-team mailing list