Bug#900611: Re[2]: [Pkg-libvirt-maintainers] Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config
Control: fixed -1 3.10.0-1

Hi,

rem_lex:
> fixed by adding to file /etc/apparmor.d/usr.sbin.libvirtd at line 39
> ///
> diff -au ./usr.sbin.libvirtd.old ./usr.sbin.libvirtd.new
> --- ./usr.sbin.libvirtd.old 2018-03-12 20:11:00.0 +0200
> +++ ./usr.sbin.libvirtd.new 2018-06-02 01:28:10.0 +0300
> @@ -36,6 +36,7 @@
>  network inet6 dgram,
>  network packet dgram,
>  network packet raw,
> + network netlink raw,

I've fixed this upstream with commit 3b1d19e6c9500d392b6635de92877b725d214f7f, that was first released in libvirt v3.10.0.

Cheers,
-- 
intrigeri
Bug#900611: Re[2]: [Pkg-libvirt-maintainers] Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config
libvirtd can't start:

Jun 1 23:25:22 shome libvirtd[1936]: libvirt version: 1.2.9, package: 9+deb8u4 (buildd 2017-03-29-21:11:06 binet)
Jun 1 23:25:22 shome libvirtd[1936]: Unable to initialize audit layer: Отказано в доступе
Jun 1 23:25:22 shome kernel: [ 29.187281] audit: type=1400 audit(1527884722.116:9): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
Jun 1 23:25:22 shome libvirtd[1936]: cannot connect to netlink socket with protocol 0: Отказано в доступе
Jun 1 23:25:22 shome kernel: [ 29.689092] audit: type=1400 audit(1527884722.795:10): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jun 1 23:25:23 shome systemd[1]: libvirtd.service: main process exited, code=exited, status=6/NOTCONFIGURED
Jun 1 23:25:23 shome systemd[1]: Failed to start Virtualization daemon.
Jun 1 23:25:23 shome systemd[1]: Unit libvirtd.service entered failed state.
Jun 1 23:25:23 shome systemd[1]: Starting Suspend Active Libvirt Guests...
Jun 1 23:25:23 shome systemd[1]: Started Suspend Active Libvirt Guests.
Jun 1 23:25:23 shome systemd[1]: libvirtd.service holdoff time over, scheduling restart.
Jun 1 23:25:23 shome systemd[1]: Stopping Virtualization daemon...

fixed by adding to file /etc/apparmor.d/usr.sbin.libvirtd at line 39
///
diff -au ./usr.sbin.libvirtd.old ./usr.sbin.libvirtd.new
--- ./usr.sbin.libvirtd.old 2018-03-12 20:11:00.0 +0200
+++ ./usr.sbin.libvirtd.new 2018-06-02 01:28:10.0 +0300
@@ -36,6 +36,7 @@
 network inet6 dgram,
 network packet dgram,
 network packet raw,
+ network netlink raw,
 # Very lenient profile for libvirtd since we want to first focus on confining
 # the guests. Guests will have a very restricted profile.
///
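Review bot: the added `network netlink raw,` line carries no protocol qualifier, so this single rule covers both denials shown in the log (family="netlink" sock_type="raw" with protocol=9 and with protocol=0, the audit and route sockets libvirtd opens at startup); that matches the two "Отказано в доступе" failures above. One placement point: /etc/apparmor.d/usr.sbin.libvirtd is the packaged conffile, and the profile's own closing comment ("Site-specific additions and overrides. See local/README for details.") points at the local override include, so a site fix belongs in the local override file rather than in the packaged profile, where it will trigger a conffile prompt or be overwritten on the next package upgrade. After either edit the profile must be reloaded (for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd`) before restarting libvirtd, otherwise the old policy stays in the kernel and the same denials reappear.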
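The two kernel audit records above are the evidence the fix rests on. As an added example (not part of the bug report or of libvirt), the following script parses AppArmor `apparmor="DENIED"` socket records of exactly that shape and derives the `network <family> <type>,` rule each one asks for, naming the netlink protocol number (9 is NETLINK_AUDIT, 0 is NETLINK_ROUTE, from linux/netlink.h) so the resulting rule can be justified before it is added to a profile. The sample log is constructed from the report, with the Russian "Permission denied" message rendered in English.

```python
import re
from typing import Dict, List, Optional

# Two kernel audit records and one daemon message from the report above
# (constructed sample input; the daemon message is deliberately not an audit record).
SAMPLE_LOG = """\
Jun 1 23:25:22 shome kernel: [ 29.187281] audit: type=1400 audit(1527884722.116:9): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=9 requested_mask="create" denied_mask="create"
Jun 1 23:25:22 shome libvirtd[1936]: cannot connect to netlink socket with protocol 0: Permission denied
Jun 1 23:25:22 shome kernel: [ 29.689092] audit: type=1400 audit(1527884722.795:10): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1936 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
"""

# Netlink protocol numbers from <linux/netlink.h> for the two sockets libvirtd opens here.
NETLINK_PROTOCOLS = {0: "NETLINK_ROUTE", 9: "NETLINK_AUDIT"}

# key="quoted value" or key=bareword, as emitted in AppArmor audit records.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an apparmor="DENIED" record, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def network_rule(fields: Dict[str, str]) -> Optional[str]:
    """Derive the AppArmor 'network <family> <type>,' rule that a socket denial asks for."""
    if fields.get("operation") != "create" or not {"family", "sock_type"} <= fields.keys():
        return None  # file or capability denials need a different rule shape
    return "network %s %s," % (fields["family"], fields["sock_type"])


def suggest_rules(log: str) -> Dict[str, List[str]]:
    """Map each missing rule to the evidence behind it, one entry per denied socket."""
    suggestions: Dict[str, List[str]] = {}
    for line in log.splitlines():
        fields = parse_denial(line)
        rule = network_rule(fields) if fields else None
        if rule is None:
            continue
        proto = int(fields.get("protocol", "0"))
        name = NETLINK_PROTOCOLS.get(proto, "unknown") if fields["family"] == "netlink" else "n/a"
        suggestions.setdefault(rule, []).append(
            "%s (protocol=%d, profile %s)" % (name, proto, fields["profile"]))
    return suggestions


if __name__ == "__main__":
    for rule, evidence in suggest_rules(SAMPLE_LOG).items():
        print(rule, "  # needed for:", "; ".join(evidence))
```

Feeding it the real journal (`journalctl -k | python3 this_script.py`-style piping is left to the reader) yields one candidate rule per distinct family/type pair, which is the minimum a profile author must review before widening a policy.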
Bug#900611: [Pkg-libvirt-maintainers] Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config
What's the bug you're seeing? What's in the logs (journal, dmesg, syslog, libvirt's logs)? Please provide proper information to reproduce.

-- 
Guido

On Sat, Jun 02, 2018 at 01:45:55AM +0300, rem_lex wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u3
> Severity: normal
>
> -- System Information:
> Debian Release: 9.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.15.17-2-pve (SMP w/2 CPU cores)
> Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8), LANGUAGE=ru_UA:ru (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libvirt-daemon-system depends on:
> ii  adduser                3.115
> ii  debconf [debconf-2.0]  1.5.61
> ii  gettext-base           0.19.8.1-2
> ii  init-system-helpers    1.48
> ii  iptables               1.6.0+snapshot20161117-6
> ii  libapparmor1           2.11.0-3+deb9u2
> ii  libaudit1              1:2.6.7-2
> ii  libblkid1              2.29.2-1+deb9u1
> ii  libc6                  2.24-11+deb9u3
> ii  libcap-ng0             0.7.7-3+b1
> ii  libdbus-1-3            1.10.26-0+deb9u1
> ii  libdevmapper1.02.1     2:1.02.137-pve6
> ii  libnl-3-200            3.2.27-2
> ii  libnl-route-3-200      3.2.27-2
> ii  libnuma1               2.0.11-2.1
> ii  librados2              10.2.5-7.2
> ii  librbd1                10.2.5-7.2
> ii  libselinux1            2.6-3+b3
> ii  libvirt-clients        3.0.0-4+deb9u3
> ii  libvirt-daemon         3.0.0-4+deb9u3
> ii  libvirt0               3.0.0-4+deb9u3
> ii  libxml2                2.9.4+dfsg1-2.2+deb9u2
> ii  libyajl2               2.1.0-2+b3
> ii  logrotate              3.11.0-0.1
> ii  lsb-base               9.20161125
> ii  policykit-1            0.105-18
>
> Versions of packages libvirt-daemon-system recommends:
> ii  bridge-utils  1.5-13+deb9u1
> ii  dmidecode     3.0-4
> ii  dnsmasq-base  2.76-5+deb9u1
> ii  ebtables      2.0.10.4-3.5+b1
> ii  iproute2      4.13.0-3
> ii  parted        3.2-17
>
> Versions of packages libvirt-daemon-system suggests:
> ii  apparmor    2.11.0-3+deb9u2
> pn  auditd
> ii  nfs-common  1:1.3.4-2.1
> ii  pm-utils    1.4.1-17
> pn  radvd
> ii  systemd     232-25+deb9u3
> pn  systemtap
> pn  zfsutils
>
> -- Configuration Files:
> /etc/apparmor.d/usr.sbin.libvirtd changed:
> @{LIBVIRT}="libvirt"
> /usr/sbin/libvirtd flags=(attach_disconnected) {
>   #include
>   #include
>   capability kill,
>   capability net_admin,
>   capability net_raw,
>   capability setgid,
>   capability sys_admin,
>   capability sys_module,
>   capability sys_ptrace,
>   capability sys_pacct,
>   capability sys_nice,
>   capability sys_chroot,
>   capability setuid,
>   capability dac_override,
>   capability dac_read_search,
>   capability fowner,
>   capability chown,
>   capability setpcap,
>   capability mknod,
>   capability fsetid,
>   capability audit_write,
>   capability ipc_lock,
>   # Needed for vfio
>   capability sys_resource,
>   network inet stream,
>   network inet dgram,
>   network inet6 stream,
>   network inet6 dgram,
>   network packet dgram,
>   network packet raw,
>   network netlink raw,
>   # Very lenient profile for libvirtd since we want to first focus on confining
>   # the guests. Guests will have a very restricted profile.
>   / r,
>   /** rwmkl,
>   /bin/* PUx,
>   /sbin/* PUx,
>   /usr/bin/* PUx,
>   /usr/sbin/virtlogd pix,
>   /usr/sbin/* PUx,
>   /{usr/,}lib/udev/scsi_id PUx,
>   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>   /usr/{lib,lib64}/xen/bin/* Ux,
>   # force the use of virt-aa-helper
>   audit deny /{usr/,}sbin/apparmor_parser rwxl,
>   audit deny /etc/apparmor.d/libvirt/** wxl,
>   audit deny /sys/kernel/security/apparmor/features rwxl,
>   audit deny /sys/kernel/security/apparmor/matching rwxl,
>   audit deny /sys/kernel/security/apparmor/.* rwxl,
>   /sys/kernel/security/apparmor/profiles r,
>   /usr/{lib,lib64}/libvirt/* PUxr,
>   /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
>   /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
>   /etc/libvirt/hooks/** rmix,
>   /etc/xen/scripts/** rmix,
>   # allow changing to our UUID-based named profiles
>   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
>   # child profile for bridge helper process
>   profile qemu_bridge_helper {
>     #include
>     capability setuid,
>     capability setgid,
>     capability setpcap,
>     capability net_admin,
>     network inet stream,
>     /dev/net/tun rw,
>     /etc/qemu/** r,
>     owner @{PROC}/*/status r,
>     /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
>   }
>
>   # Site-specific additions and overrides. See local/README for details.
>   #include
> }
>
> /etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-arp.xml'
>
Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config
Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u3
Severity: normal

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.17-2-pve (SMP w/2 CPU cores)
Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8), LANGUAGE=ru_UA:ru (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  gettext-base           0.19.8.1-2
ii  init-system-helpers    1.48
ii  iptables               1.6.0+snapshot20161117-6
ii  libapparmor1           2.11.0-3+deb9u2
ii  libaudit1              1:2.6.7-2
ii  libblkid1              2.29.2-1+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  libcap-ng0             0.7.7-3+b1
ii  libdbus-1-3            1.10.26-0+deb9u1
ii  libdevmapper1.02.1     2:1.02.137-pve6
ii  libnl-3-200            3.2.27-2
ii  libnl-route-3-200      3.2.27-2
ii  libnuma1               2.0.11-2.1
ii  librados2              10.2.5-7.2
ii  librbd1                10.2.5-7.2
ii  libselinux1            2.6-3+b3
ii  libvirt-clients        3.0.0-4+deb9u3
ii  libvirt-daemon         3.0.0-4+deb9u3
ii  libvirt0               3.0.0-4+deb9u3
ii  libxml2                2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2               2.1.0-2+b3
ii  logrotate              3.11.0-0.1
ii  lsb-base               9.20161125
ii  policykit-1            0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-13+deb9u1
ii  dmidecode     3.0-4
ii  dnsmasq-base  2.76-5+deb9u1
ii  ebtables      2.0.10.4-3.5+b1
ii  iproute2      4.13.0-3
ii  parted        3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.11.0-3+deb9u2
pn  auditd
ii  nfs-common  1:1.3.4-2.1
ii  pm-utils    1.4.1-17
pn  radvd
ii  systemd     232-25+deb9u3
pn  systemtap
pn  zfsutils

-- Configuration Files:
/etc/apparmor.d/usr.sbin.libvirtd changed:
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd flags=(attach_disconnected) {
  #include
  #include
  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability audit_write,
  capability ipc_lock,
  # Needed for vfio
  capability sys_resource,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network packet dgram,
  network packet raw,
  network netlink raw,
  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  / r,
  /** rwmkl,
  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  # force the use of virt-aa-helper
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,
  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  # child profile for bridge helper process
  profile qemu_bridge_helper {
    #include
    capability setuid,
    capability setgid,
    capability setpcap,
    capability net_admin,
    network inet stream,
    /dev/net/tun rw,
    /etc/qemu/** r,
    owner @{PROC}/*/status r,
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }

  # Site-specific additions and overrides. See local/README for details.
  #include
}

/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno