[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
This bug was fixed in the package libvirt - 2.5.0-3ubuntu3

---
libvirt (2.5.0-3ubuntu3) zesty; urgency=medium

  [ Christian Ehrhardt ]
  * d/p/ubuntu/Ensure-disk-names-follow-the-disk-name-regex.patch: guarantee
    disk spec is following the defined regex (LP: #1665410).

  [ Bryan Quigley ]
  * d/p/ubuntu/0007-apparmor-fix-for-new-virt-manager.patch: Add Apparmor
    permissions so virt-manager 1.4.0 viewing works (LP: #1668681).

 -- Christian Ehrhardt  Mon, 06 Mar 2017 08:24:06 +0100

** Changed in: libvirt (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1668681

Title:
  New virt-manager (1.4.0) needs unix (send recieve) in apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1668681/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
Thanks Christian, the update looks good. I have no other changes I'm looking to make to libvirt. (this does unblock me to look at merging virt-manager, but still a bunch of work to do for that).
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
Hi Brian,
thanks for your analysis and providing a patch already.

While I agree that the rule seems a bit open I trust Jamie's expertise and he doesn't call out a better way to do it.

I have added it to Ubuntu's libvirt git and lined that up for a zesty upload together with another bug that shall be fixed in zesty before fully freezing zesty.
=> https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2536

It just started building and I'll throw a pile of tests at it before moving it forward to proposed.
Please let me know if you have any other plans.
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
While not a rule I'm super pleased with, we'll have to trust libvirtd to DTRT with its anonymous sockets. Thanks for the update to the debdiff.
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
** Patch removed: "libvirt_2.5.0-3ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1668681/+attachment/4828515/+files/libvirt_2.5.0-3ubuntu3.debdiff

** Patch added: "libvirt_2.5.0-3ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1668681/+attachment/4828589/+files/libvirt_2.5.0-3ubuntu3.debdiff
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
The attachment "libvirt_2.5.0-3ubuntu3.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

** Tags added: patch
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

Will revise it and upstream patch for that.

> That said, is the use of openGraphics exposed in the domain xml?

The domain xml can be (and is in all my testing) identical between virt-manager 1.3 (working) and 1.4 (causing this issue). Nothing says openGraphics in the xml.
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
Please use this rule instead:

  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

That said, is the use of openGraphics exposed in the domain xml?
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
Feb 28 13:53:15 desktop audit[13168]: AVC apparmor="DENIED" operation="file_receive" profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/libvirtd"
Feb 28 13:53:15 desktop libvirtd[8890]: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
Feb 28 13:53:15 desktop kernel: audit: type=1400 audit(1488307995.746:362): apparmor="DENIED" operation="file_receive" profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/libvirtd"
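
How the fields of the denial above map onto a peer-scoped `unix (...) type=... addr=... peer=(label=...)` rule of the form quoted in this thread, as an added example that is not part of any message here. The function names are hypothetical; the log lines are the ones posted above.

```python
import re

# Log lines copied from the message above; AVC is the shared record body.
AVC = ('apparmor="DENIED" operation="file_receive" '
       'profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 '
       'comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 '
       'requested_mask="send receive" denied_mask="send receive" '
       'addr=none peer_addr=none peer="/usr/sbin/libvirtd"')
LOG = [
    "Feb 28 13:53:15 desktop audit[13168]: AVC " + AVC,
    "Feb 28 13:53:15 desktop libvirtd[8890]: internal error: unable to execute "
    "QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS",
    "Feb 28 13:53:15 desktop kernel: audit: type=1400 "
    "audit(1488307995.746:362): " + AVC,
]
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None

def unix_rule(fields):
    """Build a peer-scoped unix rule from the fields of a unix denial."""
    if not fields.get("peer"):
        # No peer label recorded: a rule built here would match any peer.
        raise ValueError("denial carries no peer label")
    perms = ", ".join(fields["denied_mask"].split())
    parts = [f"unix ({perms})", f"type={fields['sock_type']}"]
    if fields.get("addr") == "none":
        parts.append("addr=none")  # restrict to unnamed (anonymous) sockets
    parts.append(f"peer=(label={fields['peer']})")
    return " ".join(parts) + ","

def rules_for(lines):
    """Sorted, deduplicated (profile, rule) pairs for unix denials in lines."""
    found = set()
    for line in lines:
        fields = parse_denial(line)
        if fields and fields.get("family") == "unix":
            found.add((fields["profile"], unix_rule(fields)))
    return sorted(found)

if __name__ == "__main__":
    for profile, rule in rules_for(LOG):
        print(f"{profile}: {rule}")
```

The journal and kernel copies of the record collapse to one rule, and the libvirtd error line is ignored because it is not a DENIED record.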
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
This rule means that every VM can unconditionally talk to libvirtd over any unix stream socket. What is the denial that prompted this rule?
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
** Patch added: "libvirt_2.5.0-3ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1668681/+attachment/4828515/+files/libvirt_2.5.0-3ubuntu3.debdiff

** Patch removed: "libvirt_2.5.0-3ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1668681/+attachment/4828512/+files/libvirt_2.5.0-3ubuntu3.debdiff
[Bug 1668681] Re: New virt-manager (1.4.0) needs unix (send recieve) in apparmor
** Patch added: "libvirt_2.5.0-3ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1668681/+attachment/4828512/+files/libvirt_2.5.0-3ubuntu3.debdiff

** Changed in: libvirt (Ubuntu)
     Assignee: (unassigned) => Bryan Quigley (bryanquigley)