Apparmor配置文件与Postgresql，Supervisord和Docker

我正在尝试为Docker容器设置Apparmor配置文件，Supervisord在其中管理Postgres和Cron服务。

我的Apparmor配置文件如下：

# Author: Felix Geyer <debfx@ubuntu.com>
# Source: https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres
#include <tunables/global>
profile docker-postgres flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/ssl_keys>
/etc/postgresql/** r,
/usr/share/postgresql/** r,
/var/lib/postgresql/** rwl,
/var/log/cron/** rwl,
/tmp/** rwl,
/supervisord.pid rwl,
/supervisord.log rwl,
/backups rwl,
/{,var/}run/postgresql/** rw,
owner @{PROC}/[0-9]*/oom_adj rw,
}

我有很多卷，因为我使根文件系统只读。因此，我的docker compose文件如下所示：

db:
restart: always
container_name: db
build: ./postgres
env_file:
- database.env
ports:
- "127.0.0.1:5432:5432"
volumes:
- ./logs/postgres:/var/lib/postgresql/data/log
- ./logs/cron:/var/log/cron
- pgdata:/var/lib/postgresql/data
- ./postgres/pg_hba.conf:/var/lib/postgresql/data/pg_hba.conf
- ./postgres/postgresql.conf:/var/lib/postgresql/data/postgresql.conf
- ./postgres/tmp:/tmp
- ./postgres/run:/run/postgresql
- ./postgres/var/run:/var/run/postgresql
- ./postgres/supervisord/supervisord.pid:/supervisord.pid
- ./postgres/supervisord/supervisord.log:/supervisord.log
- ./backups:/backups
[Some resources limitations, e.g., cpushares, mem_limit, etc...]
read_only: true
security_opt:
- apparmor=docker-postgres

postgres Dockerfile如下：

FROM postgres:alpine
LABEL version="1.7.1"
RUN apk update
RUN apk upgrade
RUN apk add --no-cache logrotate
RUN apk add --no-cache supervisor
RUN mkdir /etc/supervisor.d
COPY supervisord.conf /etc/supervisord.conf
COPY db_backup.sh /
COPY crontab.conf /
RUN chown postgres:postgres /db_backup.sh
RUN chown postgres:postgres /crontab.conf
RUN chmod 0755 /db_backup.sh
RUN chmod 0755 /crontab.conf
RUN chmod +x /db_backup.sh
RUN crontab /crontab.conf
USER postgres
RUN chmod 0700 /var/lib/postgresql/data
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

当我启动容器时，Apparmor报告称，由于权限被拒绝，名为pgdata的命名卷中的一些文件无法打开：

[  480.603052] audit: type=1400 audit(1583923769.274:96): apparmor="DENIED" operation="open" profile="docker-postgres" name="/var/lib/docker/overlay2/62c3068f214a9f5e7681eb663bfa7542c8571143e21ae8b8f4b2117e9b7db2d3/diff/usr/lib/python3.8/lib-dynload/" pid=6671 comm="supervisord" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Docker compose命令报告以下错误：

db exited with code 1
db                | Python path configuration:
db                |   PYTHONHOME = (not set)
db                |   PYTHONPATH = (not set)
db                |   program name = '/usr/bin/python3'
db                |   isolated = 0
db                |   environment = 1
db                |   user site = 1
db                |   import site = 1
db                |   sys._base_executable = '/usr/bin/python3'
db                |   sys.base_prefix = '/usr'
db                |   sys.base_exec_prefix = '/usr'
db                |   sys.executable = '/usr/bin/python3'
db                |   sys.prefix = '/usr'
db                |   sys.exec_prefix = '/usr'
db                |   sys.path = [
db                |     '/usr/lib/python38.zip',
db                |     '/usr/lib/python3.8',
db                |     '/usr/lib/python3.8/lib-dynload',
db                |   ]
db                | Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
db                | Python runtime state: core initialized
db                | ModuleNotFoundError: No module named 'encodings'
db                | 
db                | Current thread 0x00007f35c9fcdd48 (most recent call first):
db                | <no Python frame>

如果我没有弄错的话，被拒绝的操作是打开我的命名卷中名为pgdata的Python库。如何允许我的容器通过apparmor配置文件访问此目录中的文件？我试过使用主机卷，但它不起作用。

我已经尝试过以下操作：

allow /usr/lib/python[0-9.]* rwl,
allow /usr/bin/python[0-9.]* rwl,
allow /usr/lib/python[0-9.]*/** rwl,
allow /usr/bin/python[0-9.]*/** rwl

但它不起作用。。。