wyaeld/gist:7243037

## gistfile1.txt
14:13 $ cat /etc/apparmor.d/usr.bin.lxc-start
#include <tunables/global>

/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
~/

## gistfile2.txt
So, in complain mode it works?

```
14:17 $ sudo aa-complain /usr/bin/lxc-start
Setting /usr/bin/lxc-start to complain mode.

~/dockerfiles/var-run-mount-xp
14:17 $ sudo docker build .
Uploading context 10240 bytes
Step 1 : FROM ubuntu:12.04
 ---> 8dbd9e392a96
Step 2 : VOLUME ["/var/run/foo"]
 ---> Using cache
 ---> 6f486b9c6987
Step 3 : RUN touch "/tmp/bar"
 ---> Running in f5a2a72d6eb5
 ---> 5b66824158ea
Successfully built 5b66824158ea
```

## gistfile3.txt
dmesg output from that specific command
```
[191891.928892] aufs test_add:261:docker[8462]: uid/gid/perm /var/lib/docker/graph/_tmp/_dockerinit 0/0/0711, 0/0/0755
[191891.928907] aufs test_add:261:docker[8462]: uid/gid/perm /var/lib/docker/graph/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/layer 0/0/0711, 0/0/0755
[191891.955217] device vethKDL76d entered promiscuous mode
[191891.955381] IPv6: ADDRCONF(NETDEV_UP): vethKDL76d: link is not ready
[191892.007685] type=1400 audit(1383182297.080:45): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[191892.007706] type=1400 audit(1383182297.080:46): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[191892.008396] type=1400 audit(1383182297.080:47): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="/run/foo/" pid=9820 comm="lxc-start" srcname="/var/lib/docker/volumes/74974768f7ac8cd0e9edeae03482248a40b912cff74bae4e1f95867edd520e4f/layer/" flags="rw, bind"
[191892.008420] type=1400 audit(1383182297.080:48): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="/run/foo/" pid=9820 comm="lxc-start" flags="rw, remount, bind"
[191892.008508] type=1400 audit(1383182297.080:49): apparmor="ALLOWED" operation="mkdir" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/dev" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[191892.008572] type=1400 audit(1383182297.080:50): apparmor="ALLOWED" operation="symlink" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/dev/kmsg" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[191892.008697] type=1400 audit(1383182297.080:51): apparmor="ALLOWED" operation="mkdir" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[191892.014115] type=1400 audit(1383182297.084:52): apparmor="ALLOWED" operation="open" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[191892.014144] type=1400 audit(1383182297.084:53): apparmor="ALLOWED" operation="rename_src" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="rwd" denied_mask="rwd" fsuid=0 ouid=0
[191892.014153] type=1400 audit(1383182297.084:54): apparmor="ALLOWED" operation="rename_dest" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/.wh..wh.lxc_putold.114e" pid=9820 comm="lxc-start" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[191892.014424] IPv6: ADDRCONF(NETDEV_CHANGE): vethKDL76d: link becomes ready
[191892.014485] docker0: port 1(vethKDL76d) entered forwarding state
[191892.014508] docker0: port 1(vethKDL76d) entered forwarding state
[191892.134693] docker0: port 1(vethKDL76d) entered disabled state
[191892.135151] device vethKDL76d left promiscuous mode
[191892.135154] docker0: port 1(vethKDL76d) entered disabled state
[191892.154812] userif-3: sent link down event.
[191892.154817] userif-3: sent link up event.<4>[191892.163935] aufs test_add:261:docker[8467]: uid/gid/perm /var/lib/docker/graph/_tmp/_dockerinit 0/0/0711, 0/0/0755
[191892.163950] aufs test_add:261:docker[8467]: uid/gid/perm /var/lib/docker/graph/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/layer 0/0/0711, 0/0/0755
[191893.151435] userif-3: sent link down event.
[191893.151440] userif-3: sent link up event.
```
	14:13 $ cat /etc/apparmor.d/usr.bin.lxc-start
	#include <tunables/global>

	/usr/bin/lxc-start flags=(attach_disconnected) {
	#include <abstractions/lxc/start-container>
	}
	~/
	So, in complain mode it works?

	```
	14:17 $ sudo aa-complain /usr/bin/lxc-start
	Setting /usr/bin/lxc-start to complain mode.

	~/dockerfiles/var-run-mount-xp
	14:17 $ sudo docker build .
	Uploading context 10240 bytes
	Step 1 : FROM ubuntu:12.04
	---> 8dbd9e392a96
	Step 2 : VOLUME ["/var/run/foo"]
	---> Using cache
	---> 6f486b9c6987
	Step 3 : RUN touch "/tmp/bar"
	---> Running in f5a2a72d6eb5
	---> 5b66824158ea
	Successfully built 5b66824158ea
	```
	dmesg output from that specific command
	```
	[191891.928892] aufs test_add:261:docker[8462]: uid/gid/perm /var/lib/docker/graph/_tmp/_dockerinit 0/0/0711, 0/0/0755
	[191891.928907] aufs test_add:261:docker[8462]: uid/gid/perm /var/lib/docker/graph/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/layer 0/0/0711, 0/0/0755
	[191891.955217] device vethKDL76d entered promiscuous mode
	[191891.955381] IPv6: ADDRCONF(NETDEV_UP): vethKDL76d: link is not ready
	[191892.007685] type=1400 audit(1383182297.080:45): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
	[191892.007706] type=1400 audit(1383182297.080:46): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
	[191892.008396] type=1400 audit(1383182297.080:47): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="/run/foo/" pid=9820 comm="lxc-start" srcname="/var/lib/docker/volumes/74974768f7ac8cd0e9edeae03482248a40b912cff74bae4e1f95867edd520e4f/layer/" flags="rw, bind"
	[191892.008420] type=1400 audit(1383182297.080:48): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="/run/foo/" pid=9820 comm="lxc-start" flags="rw, remount, bind"
	[191892.008508] type=1400 audit(1383182297.080:49): apparmor="ALLOWED" operation="mkdir" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/dev" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
	[191892.008572] type=1400 audit(1383182297.080:50): apparmor="ALLOWED" operation="symlink" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/dev/kmsg" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
	[191892.008697] type=1400 audit(1383182297.080:51): apparmor="ALLOWED" operation="mkdir" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
	[191892.014115] type=1400 audit(1383182297.084:52): apparmor="ALLOWED" operation="open" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
	[191892.014144] type=1400 audit(1383182297.084:53): apparmor="ALLOWED" operation="rename_src" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="rwd" denied_mask="rwd" fsuid=0 ouid=0
	[191892.014153] type=1400 audit(1383182297.084:54): apparmor="ALLOWED" operation="rename_dest" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/.wh..wh.lxc_putold.114e" pid=9820 comm="lxc-start" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
	[191892.014424] IPv6: ADDRCONF(NETDEV_CHANGE): vethKDL76d: link becomes ready
	[191892.014485] docker0: port 1(vethKDL76d) entered forwarding state
	[191892.014508] docker0: port 1(vethKDL76d) entered forwarding state
	[191892.134693] docker0: port 1(vethKDL76d) entered disabled state
	[191892.135151] device vethKDL76d left promiscuous mode
	[191892.135154] docker0: port 1(vethKDL76d) entered disabled state
	[191892.154812] userif-3: sent link down event.
	[191892.154817] userif-3: sent link up event.<4>[191892.163935] aufs test_add:261:docker[8467]: uid/gid/perm /var/lib/docker/graph/_tmp/_dockerinit 0/0/0711, 0/0/0755
	[191892.163950] aufs test_add:261:docker[8467]: uid/gid/perm /var/lib/docker/graph/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/layer 0/0/0711, 0/0/0755
	[191893.151435] userif-3: sent link down event.
	[191893.151440] userif-3: sent link up event.
	```