[Touch-packages] [Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile

2017-01-10 Thread Christian Boltz
** Changed in: apparmor
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1634199

Title: In 16.10, LXD won't work with enforced

2016-10-21 Thread Christian Boltz
Patch committed to bzr trunk r3574. AppArmor 2.11 will include it.

** Changed in: apparmor
   Status: New => Fix Committed

** Changed in: apparmor
   Milestone: None => 2.11

2016-10-20 Thread Christian Boltz
dnsmasq.* indeed sounds like a good idea, and shouldn't cause any harm. I've sent another patch to the mailing list for review.

2016-10-18 Thread Stéphane Graber
Yes, so basically we have:
- dnsmasq.pid (create + read/write by dnsmasq)
- dnsmasq.raw (read by dnsmasq)
- dnsmasq.hosts (read by dnsmasq)
- dnsmasq.leases (create + read/write by dnsmasq)

I'd be tempted to just go with:

  /var/lib/lxd/networks/*/dnsmasq.pid rw,

2016-10-18 Thread Christian Boltz
"c" means to create a file, so you'll need write permissions. Judging by other rules in the profile, you'll also need read permissions. To sum it up:

  /var/lib/lxd/networks/*/dnsmasq.pid rw,

Anything else after adding this?

2016-10-18 Thread Franck
Another message:

  audit: type=1400 audit(1476791887.152:118): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.pid" pid=5480 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

2016-10-18 Thread Christian Boltz
dnsmasq.leases added in trunk r3573 (before noticing comment #5 ;-)

Comment #5 means you'll need to add

  /var/lib/lxd/networks/*/dnsmasq.hosts r,

After adding this (and reloading the profile), do you see more DENIED messages?

2016-10-18 Thread Launchpad Bug Tracker
** Branch linked: lp:apparmor

2016-10-18 Thread Franck
I'm afraid it won't be enough...:

  audit: type=1400 audit(1476780672.803:99): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts" pid=5165 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

2016-10-17 Thread Christian Boltz
Thanks for the feedback! I just submitted the patch for review upstream.

2016-10-17 Thread Stéphane Graber
/var/lib/lxd/networks/*/dnsmasq.leases rw, should work fine

2016-10-17 Thread Stéphane Graber
The interface name is decided by the user in LXD 2.3 or higher, so it can be any valid interface name.

2016-10-17 Thread Christian Boltz
Sounds like the path changed. You'll need to add the following rule to /etc/apparmor.d/usr.sbin.dnsmasq (or to the local/ include):

  /var/lib/lxd/networks/lxdbr*/dnsmasq.leases rw,

BTW: Do you know if lxd supports different network interface types that don't match the lxdbr* name pattern? If