[Bug 457716] Re: apparmor denies save and restore
This bug was fixed in the package libvirt - 0.8.1-2ubuntu1

---
libvirt (0.8.1-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Fixes: LP: #522845 LP: #553737 LP: #520386
    - debian/control:
      + Build-Depends on qemu-kvm, not qemu
      + Build-Depends on open-iscsi-utils, not open-iscsi
      + Build-Depends on libxml2-utils
      + Build-Depends on libapparmor-dev and Suggests apparmor
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables to
        Depends of libvirt-bin
      + Drop qemu-kvm and qemu to Suggests
      + We call libxen-dev libxen3-dev, so change all references
      + Rename Vcs-* to XS-Debian-Vcs-*
    - debian/libvirt-bin.postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
      + reload apparmor profiles
    - debian/libvirt-bin.postrm:
      + rename the libvirt group to libvirtd
      + remove apparmor symlinks on purge
    - debian/README.Debian: add AppArmor section based on the upstream
      documentation
    - debian/rules:
      + update DEB_DH_INSTALLINIT_ARGS for upstart
      + add DEB_MAKE_CHECK_TARGET := check
      + use --with-apparmor
      + copy apparmor and apport hook to debian/tmp
    - add debian/libvirt-bin.upstart
    - debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
      /etc/apparmor.d/disable, /etc/apparmor.d/force-complain,
      /etc/apparmor.d/libvirt, /etc/cron.daily and
      /usr/share/apport/package-hooks
    - add debian/libvirt-bin.cron.daily
    - add debian/libvirt-bin.apport
    - debian/libvirt-bin.install: install apparmor profiles, abstractions
      and apport hook
    - debian/apparmor:
      - add TEMPLATE
      - add libvirt-qemu abstraction
      - add usr.lib.libvirt.virt-aa-helper
      - add usr.sbin.libvirtd
    - debian/patches/series:
      + don't apply 0002-qemu-disable-network.diff.patch
      + don't apply 0005-Terminate-nc-on-EOF.patch. Use
        9010-autodetect-nc-params.patch instead
      + 9000-delayed_iff_up_bridge.patch (refreshed)
      + 9001-dont_clobber_existing_bridges.patch
      + 9002-better_default_uri_virsh.patch (updated)
      + 9004-better-default-arch.patch
      + 9005-libvirtd-group-name.patch
      + 9006-increase-unix-socket-timeout.patch (refreshed)
      + 9007-default-config-test-case.patch (updated)
      + 9008-fix-daemon-conf-ftbfs.patch (rewritten)
      + 9009-run-as-root-by-default.patch (refreshed)
      + 9010-autodetect-nc-params.patch (refreshed, formerly 9015)
      + 9011-dont-disable-ipv6.patch (updated)
  * Dropped following packaging changes, no longer required with upgrades
    from Lucid:
    - debian/control:
      + versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg
      + remove Build-Depends on libcap-ng-dev
    - debian/libvirt-bin.postinst: virt-aa-helper profile migration to
      /usr/lib/libvirt
    - debian/libvirt-bin.preinst: added to force complain on certain
      upgrades
  * Dropped the following patches, included upstream:
    - 0010-Use-base-16-for-product-vendor.patch
    - 9003-increase-logoutput-timeout.patch
    - 9010-apparmor-ftbfs.patch
    - 9011-node_device_driver.patch
    - 9012-dont-crash-on-restart.patch
    - 9013-apparmor-dont-clear-caps.patch
    - 9014-apparmor-remove-unloaded-profile-is-not-fatal.patch
    - 9016-disk-cache-setting-xml.patch
    - 9018-fix-pty-console.patch
    - 9019-apparmor-fix-xauth.patch
    - 9020-apparmor-fix-backingstore.patch
    - 9021-apparmor-fix-hostdev.patch
    - 9022-dont-leak-log-fd.path.patch
    - 9023-virt-pki-validate_fixes.patch
    - 9024-free-memory-for-invalid-devices.patch (use
      0008-Fix-leaks-in-udev-device-add-remove.patch from Debian)
  * debian/apparmor/usr.lib.libvirt.virt-aa-helper: allow access to
    ecryptfs files (LP: #591769)
  * debian/patches/9012-fix-nodeinfotest-ftbfs.patch: fix FTBFS in
    nodeinfotest. Drop in 0.8.2.
  * debian/patches/9013-apparmor-lp457716.patch: properly support/save and
    restore (LP: #457716). Drop in 0.8.2.
  * debian/apparmor/libvirt-qemu: remove workaround for LP: #457716
  * don't create and run ebtables script in /tmp:
    - debian/apparmor/usr.sbin.libvirt: allow ixr to
      /var/lib/libvirt/virtd* for new ebtables functionality added in 0.8.0
    - debian/patches/9014-move-ebtables-script.patch: update
      nwfilter_ebiptables_driver.c /var/lib/libvirt to use /var/lib/libvirt
      instead of /tmp

libvirt (0.8.1-2) unstable; urgency=low

  * [41aea79] Drop patchsys-quilt since this package is 3.0 (quilt) now.
    (Closes: #577919)
  * [978e3c9] libvirt-bin.init: export PATH. (Closes: #584333)
  * [e4f0869] virt-xml-validate needs xmllint from libxml2-utils.
    (Closes: #584869)
  * [bba6d72] New patch 0008-Fix-leaks-in-udev-device-add-remove.patch:
    Fix leaks in udev device add/remove. (Closes: #582965)
    - thanks to Nigel Jones for forwarding this

libvirt (0.8.1-1) unstable;
[Bug 457716] Re: apparmor denies save and restore
** Branch linked: lp:ubuntu/libvirt

--
apparmor denies save and restore
https://bugs.launchpad.net/bugs/457716
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 457716] Re: apparmor denies save and restore
** Also affects: libvirt (Ubuntu Maverick)
   Importance: High
     Assignee: Jamie Strandboge (jdstrand)
       Status: Triaged

** Changed in: libvirt (Ubuntu Maverick)
       Status: Triaged => In Progress

** Changed in: libvirt (Ubuntu Maverick)
    Milestone: later => maverick-alpha-2
[Bug 457716] Re: apparmor denies save and restore
** Branch unlinked: lp:ubuntu/libvirt
[Bug 457716] Re: apparmor denies save and restore
Changes are too big for Lucid. This will be fixed in Maverick and upstream libvirt 0.7.8.

** Changed in: libvirt (Ubuntu Lucid)
       Status: In Progress => Won't Fix

** Changed in: libvirt (Ubuntu)
       Status: In Progress => Triaged

** Changed in: libvirt (Ubuntu)
    Milestone: None => later
[Bug 457716] Re: apparmor denies save and restore
Is bug #523148 related to apparmor?
[Bug 457716] Re: apparmor denies save and restore
Seems unrelated. Check kern.log for denials to be sure.
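
The kern.log check suggested above, as an added example that is not part of the original thread or of libvirt: a small parser that lists AppArmor denials for libvirt guest profiles and reports whether the 'owner' condition (task fsuid equals file owner uid) held for each. The log lines, profile UUID and paths are constructed, and the key=value audit layout with apparmor="DENIED" is an assumption; adjust the filter if your kernel logs a different format.

```python
import re
from collections import Counter

# Constructed kern.log lines (not from the bug report). The profile UUID,
# paths, pids and timestamps are made up for illustration.
SAMPLE_KERN_LOG = """\
Oct 23 03:10:01 host kernel: [  100.000001] audit: type=1400 audit(1256285401.101:21): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/home/alice/vm1.state" pid=4242 comm="dd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Oct 23 03:10:05 host kernel: [  104.000002] audit: type=1400 audit(1256285405.202:22): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/home/alice/notes.txt" pid=4243 comm="dd" requested_mask="w" denied_mask="w" fsuid=0 ouid=1000
Oct 23 03:10:09 host kernel: [  108.000003] audit: type=1400 audit(1256285409.303:23): apparmor="STATUS" operation="profile_load" name="libvirt-00000000-0000-0000-0000-000000000001" pid=4250 comm="apparmor_parser"
Oct 23 03:11:00 host kernel: [  159.000004] audit: type=1400 audit(1256285460.404:24): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text, profile_prefix="libvirt-"):
    """Return AppArmor DENIED events whose profile starts with profile_prefix."""
    denials = []
    for line in log_text.splitlines():
        fields = {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue  # skip STATUS/ALLOWED events and unrelated kernel lines
        if not fields.get("profile", "").startswith(profile_prefix):
            continue  # denial belongs to some other confined program
        fsuid, ouid = fields.get("fsuid"), fields.get("ouid")
        denials.append({
            "profile": fields["profile"],
            "operation": fields.get("operation"),
            "name": fields.get("name"),
            "denied_mask": fields.get("denied_mask"),
            # An 'owner' rule only applies when the task's fsuid equals the
            # file's owner uid, so a mismatch stays denied under such a rule.
            "owner_match": fsuid is not None and fsuid == ouid,
        })
    return denials


def summarize(denials):
    """Count denials per (profile, path, denied_mask) to spot repeats."""
    return Counter((d["profile"], d["name"], d["denied_mask"]) for d in denials)


if __name__ == "__main__":
    for denial in parse_denials(SAMPLE_KERN_LOG):
        print(denial)
```
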
[Bug 457716] Re: apparmor denies save and restore
I'm going to unmilestone this since it mostly depends on bug #553737. If that bug is fixed, I can add my upstream work to it, otherwise this may have to wait until lucid+1.

** Changed in: libvirt (Ubuntu Lucid)
    Milestone: ubuntu-10.04-beta-2 => None
[Bug 457716] Re: apparmor denies save and restore
I have developed a proper fix for this for Lucid as part of the security-lucid-libvirt-apparmor-devel blueprint. As such, I added a Lucid task and marked In Progress.

** Also affects: libvirt (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Also affects: libvirt (Ubuntu Lucid)
   Importance: High
     Assignee: Jamie Strandboge (jdstrand)
       Status: Fix Released

** Changed in: libvirt (Ubuntu Karmic)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu Karmic)
       Status: New => Fix Released

** Changed in: libvirt (Ubuntu Karmic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: libvirt (Ubuntu Lucid)
       Status: Fix Released => In Progress

** Changed in: libvirt (Ubuntu Lucid)
    Milestone: ubuntu-9.10 => ubuntu-10.04-beta-2
[Bug 457716] Re: apparmor denies save and restore
** Branch linked: lp:ubuntu/libvirt
[Bug 457716] Re: apparmor denies save and restore
** Changed in: libvirt (Fedora)
       Status: In Progress => Invalid
[Bug 457716] Re: apparmor denies save and restore
** Bug watch added: Red Hat Bugzilla #532654
   https://bugzilla.redhat.com/show_bug.cgi?id=532654

** Changed in: libvirt (Fedora)
       Status: Invalid => Unknown

** Changed in: libvirt (Fedora)
 Remote watch: Red Hat Bugzilla #529363 => Red Hat Bugzilla #532654
[Bug 457716] Re: apparmor denies save and restore
In retrospect, this loss of functionality is likely important to users and it would be best to get it in before release if possible. Subscribing ubuntu-release. The final workaround is a simple profile adjustment:

  # for save and resume
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,

  # workaround https://launchpad.net/bugs/457716. The svirt driver does not
  # relabel the state file (https://bugzilla.redhat.com/show_bug.cgi?id=529363)
  # resulting in denied messages. The below works around this somewhat by
  # allowing users to save state files in their home directories. We use
  # 'owner' to make sure we don't overwrite the user's files. This will be
  # removed when the upstream bug is fixed.
  #include <abstractions/private-files-strict>
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

** Changed in: libvirt (Ubuntu)
    Milestone: karmic-updates => ubuntu-9.10

** Changed in: libvirt (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 457716] Re: apparmor denies save and restore
This bug was fixed in the package libvirt - 0.7.0-1ubuntu13

---
libvirt (0.7.0-1ubuntu13) karmic; urgency=low

  * allow save/restore to work in $HOME. This is a workaround until upstream
    https://bugzilla.redhat.com/show_bug.cgi?id=529363 is fixed.
    (LP: #457716)
  * debian/libvirt-bin.cron.daily: don't complain if no domain XML
    definitions or domain AppArmor profiles. Based on work by Loïc Minier.
    (LP: #457607)

 -- Jamie Strandboge ja...@ubuntu.com  Fri, 23 Oct 2009 03:52:33 -0500

** Changed in: libvirt (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 457716] Re: apparmor denies save and restore
This also affects the selinux svirt driver. According to upstream, the svirt driver needs to be modified to 'relabel' the specified state file. Until this is fixed upstream, we can temporarily work around this with documentation and profiling.

** Bug watch added: Red Hat Bugzilla #529363
   https://bugzilla.redhat.com/show_bug.cgi?id=529363

** Also affects: libvirt (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=529363
   Importance: Unknown
       Status: Unknown
[Bug 457716] Re: apparmor denies save and restore
** Changed in: libvirt (Fedora)
       Status: Unknown => In Progress
[Bug 457716] Re: apparmor denies save and restore
I'll provide a workaround in an SRU after 9.10 release.

** Changed in: libvirt (Ubuntu)
       Status: Triaged => In Progress
[Bug 457716] Re: apparmor denies save and restore
** Attachment added: Dependencies.txt
   http://launchpadlibrarian.net/34120712/Dependencies.txt

** Attachment added: XsessionErrors.txt
   http://launchpadlibrarian.net/34120713/XsessionErrors.txt

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu)
       Status: New => Triaged

** Changed in: libvirt (Ubuntu)
    Milestone: None => karmic-updates

** Changed in: libvirt (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 457716] Re: apparmor denies save and restore
This may be better:

  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,

  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /var/tmp/** rw,
  owner /var/tmp/ rw,
  owner /tmp/**rw,
  owner /tmp/ rw,
[Bug 457716] Re: apparmor denies save and restore
Err:

  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,

  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /var/tmp/** rw,
  owner /var/tmp/ r,
  owner /tmp/** rw,
  owner /tmp/ r,