Bug#900611: Re[2]: [Pkg-libvirt-maintainers] Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config

2019-03-30 Thread intrigeri
Control: fixed -1 3.10.0-1

Hi,

rem_lex:
> fixed by adding to the file /etc/apparmor.d/usr.sbin.libvirtd at line 39:
> ///
> diff -au ./usr.sbin.libvirtd.old ./usr.sbin.libvirtd.new
> --- ./usr.sbin.libvirtd.old 2018-03-12 20:11:00.0 +0200
> +++ ./usr.sbin.libvirtd.new 2018-06-02 01:28:10.0 +0300
> @@ -36,6 +36,7 @@
>    network inet6 dgram,
>    network packet dgram,
>    network packet raw,
> +  network netlink raw,
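Review bot: as quoted, the hunk is missing its trailing context lines: the header `@@ -36,6 +36,7 @@` announces seven new-side lines but only four are shown (three context lines and the one `+` line), so this quoted copy would not apply cleanly with `patch`; the full hunk in the earlier message carries the blank line and the two `# Very lenient profile` comment lines that complete it. The substantive change is only the single `network netlink raw,` rule, which the upstream commit cited in the reply supersedes.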

I've fixed this upstream with commit 3b1d19e6c9500d392b6635de92877b725d214f7f,
which was first released in libvirt v3.10.0.

Cheers,
-- 
intrigeri



Bug#900611: Re[2]: [Pkg-libvirt-maintainers] Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config

2018-06-05 Thread rem_lex
libvirtd can't start:

Jun  1 23:25:22 shome libvirtd[1936]: libvirt version: 1.2.9, package: 9+deb8u4 (buildd 2017-03-29-21:11:06 binet)
Jun  1 23:25:22 shome libvirtd[1936]: Unable to initialize audit layer: Отказано в доступе
Jun  1 23:25:22 shome kernel: [   29.187281] audit: type=1400 audit(1527884722.116:9): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
Jun  1 23:25:22 shome libvirtd[1936]: cannot connect to netlink socket with protocol 0: Отказано в доступе
Jun  1 23:25:22 shome kernel: [   29.689092] audit: type=1400 audit(1527884722.795:10): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jun  1 23:25:23 shome systemd[1]: libvirtd.service: main process exited, code=exited, status=6/NOTCONFIGURED
Jun  1 23:25:23 shome systemd[1]: Failed to start Virtualization daemon.
Jun  1 23:25:23 shome systemd[1]: Unit libvirtd.service entered failed state.
Jun  1 23:25:23 shome systemd[1]: Starting Suspend Active Libvirt Guests...
Jun  1 23:25:23 shome systemd[1]: Started Suspend Active Libvirt Guests.
Jun  1 23:25:23 shome systemd[1]: libvirtd.service holdoff time over, scheduling restart.
Jun  1 23:25:23 shome systemd[1]: Stopping Virtualization daemon...

fixed by adding to the file /etc/apparmor.d/usr.sbin.libvirtd at line 39:
///
diff -au ./usr.sbin.libvirtd.old ./usr.sbin.libvirtd.new
--- ./usr.sbin.libvirtd.old 2018-03-12 20:11:00.0 +0200
+++ ./usr.sbin.libvirtd.new 2018-06-02 01:28:10.0 +0300
@@ -36,6 +36,7 @@
   network inet6 dgram,
   network packet dgram,
   network packet raw,
+  network netlink raw,

   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
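Review bot: the added `network netlink raw,` rule covers both denials shown in the log (family="netlink" sock_type="raw" with protocol=9 and with protocol=0), because the rule carries no protocol qualifier; it sits correctly next to the other `network` rules. Editing the packaged profile in place, however, turns /etc/apparmor.d/usr.sbin.libvirtd into a locally modified conffile that the next package upgrade will prompt about; the profile already ends with a "Site-specific additions and overrides. See local/README for details." `#include`, and that local override file is the place to carry a one-line addition like this until the packaged profile ships the rule itself.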
///
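The two apparmor="DENIED" records above carry everything needed to derive the rule the fix adds. As an added example (not part of this thread and not AppArmor's own aa-logprof), the following Python parses such audit records, maps a socket-creation denial to the `network <family> <sock_type>,` rule that would permit it, and reports which of those rules a profile text still lacks. The sample log lines and the profile excerpts are constructed from the report (with the locale-specific "Отказано в доступе" replaced by its English equivalent); the function and variable names are this example's own.

```python
import re

# Constructed sample input: the two apparmor="DENIED" audit records from the
# report, unwrapped into single lines, plus two non-audit lines to show that
# they are skipped. The localised error text is rendered in English here.
SAMPLE_LOG = """\
Jun  1 23:25:22 shome libvirtd[1936]: Unable to initialize audit layer: Permission denied
Jun  1 23:25:22 shome kernel: [   29.187281] audit: type=1400 audit(1527884722.116:9): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
Jun  1 23:25:22 shome kernel: [   29.689092] audit: type=1400 audit(1527884722.795:10): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jun  1 23:25:23 shome systemd[1]: libvirtd.service: main process exited, code=exited, status=6/NOTCONFIGURED
"""

# Constructed excerpts of the network section of /etc/apparmor.d/usr.sbin.libvirtd,
# before and after the one-line change from the report.
PROFILE_BEFORE = """\
  network inet6 dgram,
  network packet dgram,
  network packet raw,
"""
PROFILE_AFTER = PROFILE_BEFORE + "  network netlink raw,\n"

# key=value or key="quoted value" pairs as the audit subsystem prints them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an apparmor="DENIED" audit record as a dict,
    or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def rule_for(fields):
    """Map a denial record to the AppArmor rule that would permit it.
    Only socket denials are handled, which is the case in the report. The
    rule has no protocol qualifier, so one rule covers both protocol=9
    (NETLINK_AUDIT) and protocol=0 (NETLINK_ROUTE) seen in the log."""
    if fields.get("family") and fields.get("sock_type"):
        return "network {} {},".format(fields["family"], fields["sock_type"])
    return None  # file and capability denials are out of scope for this example


def profile_has_rule(profile_text, rule):
    """True if the profile text already carries the rule (comments stripped,
    whitespace normalised)."""
    wanted = " ".join(rule.split())
    for raw in profile_text.splitlines():
        code = raw.split("#", 1)[0]
        if " ".join(code.split()) == wanted:
            return True
    return False


def missing_rules(log_text, profile_text, profile_name):
    """Rules needed by the DENIED records attributed to profile_name that the
    profile text lacks, in order of first appearance, without duplicates."""
    needed = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or fields.get("profile") != profile_name:
            continue
        rule = rule_for(fields)
        if rule and rule not in needed and not profile_has_rule(profile_text, rule):
            needed.append(rule)
    return needed


if __name__ == "__main__":
    target = "/usr/sbin/libvirtd"
    print("before fix:", missing_rules(SAMPLE_LOG, PROFILE_BEFORE, target))
    print("after fix: ", missing_rules(SAMPLE_LOG, PROFILE_AFTER, target))
```

Run against the "before" excerpt the script reports exactly one missing rule, `network netlink raw,`, and nothing once that line is present. Filtering on the `profile=` field matters on a real host, where denials from other confined programs share the same log; and because both records resolve to the same unqualified rule, the deduplication is what keeps the output to a single line.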



Bug#900611: [Pkg-libvirt-maintainers] Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config

2018-06-02 Thread Guido Günther
What's the bug you're seeing? What's in the logs (journal, dmesg,
syslog, libvirt's logs). Please provide proper information to reproduce.
 -- Guido

On Sat, Jun 02, 2018 at 01:45:55AM +0300, rem_lex wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u3
> Severity: normal
> 
> -- System Information:
> Debian Release: 9.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.15.17-2-pve (SMP w/2 CPU cores)
> Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8), 
> LANGUAGE=ru_UA:ru (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages libvirt-daemon-system depends on:
> ii  adduser3.115
> ii  debconf [debconf-2.0]  1.5.61
> ii  gettext-base   0.19.8.1-2
> ii  init-system-helpers1.48
> ii  iptables   1.6.0+snapshot20161117-6
> ii  libapparmor1   2.11.0-3+deb9u2
> ii  libaudit1  1:2.6.7-2
> ii  libblkid1  2.29.2-1+deb9u1
> ii  libc6  2.24-11+deb9u3
> ii  libcap-ng0 0.7.7-3+b1
> ii  libdbus-1-31.10.26-0+deb9u1
> ii  libdevmapper1.02.1 2:1.02.137-pve6
> ii  libnl-3-2003.2.27-2
> ii  libnl-route-3-200  3.2.27-2
> ii  libnuma1   2.0.11-2.1
> ii  librados2  10.2.5-7.2
> ii  librbd110.2.5-7.2
> ii  libselinux12.6-3+b3
> ii  libvirt-clients3.0.0-4+deb9u3
> ii  libvirt-daemon 3.0.0-4+deb9u3
> ii  libvirt0   3.0.0-4+deb9u3
> ii  libxml22.9.4+dfsg1-2.2+deb9u2
> ii  libyajl2   2.1.0-2+b3
> ii  logrotate  3.11.0-0.1
> ii  lsb-base   9.20161125
> ii  policykit-10.105-18
> 
> Versions of packages libvirt-daemon-system recommends:
> ii  bridge-utils  1.5-13+deb9u1
> ii  dmidecode 3.0-4
> ii  dnsmasq-base  2.76-5+deb9u1
> ii  ebtables  2.0.10.4-3.5+b1
> ii  iproute2  4.13.0-3
> ii  parted3.2-17
> 
> Versions of packages libvirt-daemon-system suggests:
> ii  apparmor2.11.0-3+deb9u2
> pn  auditd  
> ii  nfs-common  1:1.3.4-2.1
> ii  pm-utils1.4.1-17
> pn  radvd   
> ii  systemd 232-25+deb9u3
> pn  systemtap   
> pn  zfsutils
> 
> -- Configuration Files:
> /etc/apparmor.d/usr.sbin.libvirtd changed:
> @{LIBVIRT}="libvirt"
> /usr/sbin/libvirtd flags=(attach_disconnected) {
>   #include 
>   #include 
>   capability kill,
>   capability net_admin,
>   capability net_raw,
>   capability setgid,
>   capability sys_admin,
>   capability sys_module,
>   capability sys_ptrace,
>   capability sys_pacct,
>   capability sys_nice,
>   capability sys_chroot,
>   capability setuid,
>   capability dac_override,
>   capability dac_read_search,
>   capability fowner,
>   capability chown,
>   capability setpcap,
>   capability mknod,
>   capability fsetid,
>   capability audit_write,
>   capability ipc_lock,
>   # Needed for vfio
>   capability sys_resource,
>   network inet stream,
>   network inet dgram,
>   network inet6 stream,
>   network inet6 dgram,
>   network packet dgram,
>   network packet raw,
>   network netlink raw,
>   # Very lenient profile for libvirtd since we want to first focus on confining
>   # the guests. Guests will have a very restricted profile.
>   / r,
>   /** rwmkl,
>   /bin/* PUx,
>   /sbin/* PUx,
>   /usr/bin/* PUx,
>   /usr/sbin/virtlogd pix,
>   /usr/sbin/* PUx,
>   /{usr/,}lib/udev/scsi_id PUx,
>   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>   /usr/{lib,lib64}/xen/bin/* Ux,
>   # force the use of virt-aa-helper
>   audit deny /{usr/,}sbin/apparmor_parser rwxl,
>   audit deny /etc/apparmor.d/libvirt/** wxl,
>   audit deny /sys/kernel/security/apparmor/features rwxl,
>   audit deny /sys/kernel/security/apparmor/matching rwxl,
>   audit deny /sys/kernel/security/apparmor/.* rwxl,
>   /sys/kernel/security/apparmor/profiles r,
>   /usr/{lib,lib64}/libvirt/* PUxr,
>   /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
>   /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
>   /etc/libvirt/hooks/** rmix,
>   /etc/xen/scripts/** rmix,
>   # allow changing to our UUID-based named profiles
>   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
>   # child profile for bridge helper process
>   profile qemu_bridge_helper {
>    #include 
>    capability setuid,
>    capability setgid,
>    capability setpcap,
>    capability net_admin,
>    network inet stream,
>    /dev/net/tun rw,
>    /etc/qemu/** r,
>    owner @{PROC}/*/status r,
>    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
>   }
>   
>   # Site-specific additions and overrides. See local/README for details.
>   #include 
> }
> 
> /etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Отказано в доступе: 
> '/etc/libvirt/nwfilter/allow-arp.xml'
> 

Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config

2018-06-01 Thread rem_lex
Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u3
Severity: normal

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.17-2-pve (SMP w/2 CPU cores)
Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8), 
LANGUAGE=ru_UA:ru (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser3.115
ii  debconf [debconf-2.0]  1.5.61
ii  gettext-base   0.19.8.1-2
ii  init-system-helpers1.48
ii  iptables   1.6.0+snapshot20161117-6
ii  libapparmor1   2.11.0-3+deb9u2
ii  libaudit1  1:2.6.7-2
ii  libblkid1  2.29.2-1+deb9u1
ii  libc6  2.24-11+deb9u3
ii  libcap-ng0 0.7.7-3+b1
ii  libdbus-1-31.10.26-0+deb9u1
ii  libdevmapper1.02.1 2:1.02.137-pve6
ii  libnl-3-2003.2.27-2
ii  libnl-route-3-200  3.2.27-2
ii  libnuma1   2.0.11-2.1
ii  librados2  10.2.5-7.2
ii  librbd110.2.5-7.2
ii  libselinux12.6-3+b3
ii  libvirt-clients3.0.0-4+deb9u3
ii  libvirt-daemon 3.0.0-4+deb9u3
ii  libvirt0   3.0.0-4+deb9u3
ii  libxml22.9.4+dfsg1-2.2+deb9u2
ii  libyajl2   2.1.0-2+b3
ii  logrotate  3.11.0-0.1
ii  lsb-base   9.20161125
ii  policykit-10.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-13+deb9u1
ii  dmidecode 3.0-4
ii  dnsmasq-base  2.76-5+deb9u1
ii  ebtables  2.0.10.4-3.5+b1
ii  iproute2  4.13.0-3
ii  parted3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor2.11.0-3+deb9u2
pn  auditd  
ii  nfs-common  1:1.3.4-2.1
ii  pm-utils1.4.1-17
pn  radvd   
ii  systemd 232-25+deb9u3
pn  systemtap   
pn  zfsutils

-- Configuration Files:
/etc/apparmor.d/usr.sbin.libvirtd changed:
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd flags=(attach_disconnected) {
  #include 
  #include 
  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability audit_write,
  capability ipc_lock,
  # Needed for vfio
  capability sys_resource,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network packet dgram,
  network packet raw,
  network netlink raw,
  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  / r,
  /** rwmkl,
  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  # force the use of virt-aa-helper
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,
  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  # child profile for bridge helper process
  profile qemu_bridge_helper {
   #include 
   capability setuid,
   capability setgid,
   capability setpcap,
   capability net_admin,
   network inet stream,
   /dev/net/tun rw,
   /etc/qemu/** r,
   owner @{PROC}/*/status r,
   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
  
  # Site-specific additions and overrides. See local/README for details.
  #include 
}

/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Отказано в доступе: 
'/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Отказано в доступе: 
'/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Отказано в доступе: 
'/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Отказано в доступе: 
'/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Отказано в доступе: 
'/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno