Hi, I have podman 5.1.0 and passt 0.0+20240523.765eb0bf running on Debian bookworm (via unofficial packages). When I try to run podman using passt for networking, it is blocked by apparmor (3.0.8). audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" operation="open" profile="passt" name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 I'm not familiar with apparmor so I don't know how to debug this. The installed apparmor profile files match the ones in the pasta git. Can you help? thanks, Hamish
Hi Hamish, On Fri, 7 Jun 2024 20:45:39 +1000 hamish-passt(a)moffatt.email wrote:Hi, I have podman 5.1.0 and passt 0.0+20240523.765eb0bf running on Debian bookworm (via unofficial packages). When I try to run podman using passt for networking, it is blocked by apparmor (3.0.8). audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" operation="open" profile="passt" name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 I'm not familiar with apparmor so I don't know how to debug this. The installed apparmor profile files match the ones in the pasta git. Can you help?Thanks for your report. I think the issue is caused by the fact that, with the package you're using, pasta is associated with the "passt" profile, which is the profile for passt(1) mode, instead of the usr.bin.pasta profile: look at the "profile" string in the AppArmor message you shared. I fixed this in the official Debian packages here, a while ago: https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7… Which unofficial packages are you using? On Debian Bookworm, I think you could simply use the official version from testing, 0.0~git20240523.765eb0b-1, see also: https://tracker.debian.org/pkg/passt -- Stefano