[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 4.0.0-1ubuntu5

---
libvirt (4.0.0-1ubuntu5) bionic; urgency=medium

  * run dnsmasq as libvirt-dnsmasq (LP: #1743718)
- d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
- d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on
  purge
- d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
  libvirt-dnsmasq and adapt the self tests to expect that config
- d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
  * Backport from recent upstream to stabilize libvirt (LP: #1754352)
- d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
- d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
- d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
- d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
- d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
- d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
- d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
- d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
- d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
  * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch
    fix issues if sasl is configured (LP: #1696471)
  * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch
ensure symlinks are resolved to get valid rules if interim parts of a path
are a symlink (LP: #1752361)

 -- Christian Ehrhardt   Tue, 27 Feb 2018 12:04:02 +0100

** Changed in: libvirt (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1696471

Title:
  AppArmor denies access to /etc/gss/mech.d/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1696471/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-08 Thread ChristianEhrhardt
I pushed the commit upstream after some review, ready to be included in
Bionic with the next upload.

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-08 Thread ChristianEhrhardt
** Tags added: 4.0.0-1ubuntu5

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-07 Thread ChristianEhrhardt
Submitted as https://www.redhat.com/archives/libvir-list/2018-March/msg00328.html

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-07 Thread ChristianEhrhardt
Rule tested, not breaking things - fixing the deny as intended.

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-07 Thread ChristianEhrhardt
Rule we need is:
  /etc/gss/mech.d/ r,

To trigger we need "libsasl2-modules-gssapi-mit" installed.
That makes qemu read the dir.

In there one only defines additional plugins to be loaded, and I can
understand that this might be needed by sasl.

I think it is safe to allow still and will submit something upstream.

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-07 Thread ChristianEhrhardt
I have seen the same recently, but without a clear repro I can't upstream it.
Also we don't know the impact of that missing yet.

Let's fix it in Bionic as an Ubuntu custom change for now, and if we find a
way to repro-trigger it intentionally and understand the impact of the lack
I can upstream it.

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-02 Thread Martin Pitt
Sorry for the delay, I finally found some time to get back to this. This
is still reproducible on current Ubuntu 17.10:

virsh define m.xml
qemu-img create -f qcow2 /var/lib/libvirt/images/subVmTest1-2.img 128M
virsh start subVmTest1

dmesg shows:

[  319.220193] audit: type=1400 audit(1520004938.754:40): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

m.xml is attached. It's lightly edited to remove some external file and
device references, to be more or less self-contained (except for the
image created above; but that can be empty - it doesn't matter what's
actually running in the VM).

** Attachment added: "reproducing machine XML"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1696471/+attachment/5067161/+files/m.xml

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => New

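Added example (not from this bug thread or the libvirt project): a small Python parser that turns AppArmor DENIED records like the dmesg line quoted above into the minimal file rules each profile lacks, merging masks per path, which is how the `/etc/gss/mech.d/ r,` rule proposed later in the thread falls out of the log. The first sample record is the one from this report; the other two records, their path and their masks are constructed.

```python
"""Turn AppArmor DENIED audit records (as printed by dmesg) into the
minimal allow rules a profile is missing, grouped by profile name."""
import re
from collections import defaultdict

# Constructed sample: record 1 is the dmesg line from this bug report joined
# onto one line; records 2 and 3 are hypothetical extra denials on the same
# per-domain profile, present only to show grouping and mask merging.
SAMPLE_DMESG = """\
[  319.220193] audit: type=1400 audit(1520004938.754:40): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[  320.000000] audit: type=1400 audit(1520004939.000:41): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/example/hypothetical.log" pid=5930 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0
[  320.100000] audit: type=1400 audit(1520004939.100:42): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/example/hypothetical.log" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
MASK_ORDER = "rwamklix"  # canonical order for printing a merged permission mask


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def format_mask(mask):
    """Print known mask letters in canonical order, unknown ones after them."""
    known = "".join(c for c in MASK_ORDER if c in mask)
    return known + "".join(sorted(mask - set(MASK_ORDER)))


def rules_for_dmesg(text):
    """Map each profile to the file rules that would satisfy its denials.
    Denied masks for the same path are merged (e.g. 'r' + 'w' -> 'rw')."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_denial(line)
        if rec is None or "name" not in rec or "denied_mask" not in rec:
            continue  # not a file-access denial (e.g. a network or signal record)
        needed[rec["profile"]][rec["name"]].update(rec["denied_mask"])
    return {profile: [f"{path} {format_mask(mask)}," for path, mask in sorted(paths.items())]
            for profile, paths in needed.items()}


if __name__ == "__main__":
    # libvirt generates one profile per domain (libvirt-<uuid>) from a shared
    # template, so a rule every guest needs belongs in the template, not here.
    for profile, rules in rules_for_dmesg(SAMPLE_DMESG).items():
        print(f"profile {profile} is missing:")
        for rule in rules:
            print("   ", rule)
```

Generated rules are a starting point for review, not something to paste blindly: a write denial on a config directory is worth investigating before it is allowed.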

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2018-03-02 Thread Martin Pitt
Forgot to mention: I didn't change any libvirt config files, in
particular not the ones you mentioned:

# dpkg -s libvirt-daemon-system | grep libvirt.conf
 /etc/sasl2/libvirt.conf 09c4fa846e8e27bfa3ab3325900d63ea
# md5sum /etc/sasl2/libvirt.conf
09c4fa846e8e27bfa3ab3325900d63ea  /etc/sasl2/libvirt.conf

# dpkg -s libvirt-daemon-system | grep libvirtd.conf
 /etc/libvirt/libvirtd.conf bfacce84359f17a8bb59cb0dfe9b424f
# md5sum /etc/libvirt/libvirtd.conf
bfacce84359f17a8bb59cb0dfe9b424f  /etc/libvirt/libvirtd.conf

But note that /etc/sasl2/libvirt.conf has "mech_list: gssapi" enabled by
default.

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2017-11-05 Thread ChristianEhrhardt
Yeah, thanks Martin, if that is the case I agree to this plan of action.

As soon as we can explain what triggers it I likely can easily bring
something upstream.

If you want to discuss potential experiments/reproducers feel free to
catch me on IRC.

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2017-11-05 Thread Martin Pitt
This still happens all the time, also in 17.10, reopening. I need to
find some time to create a reproducer that doesn't involve the Cockpit
tests.

** Changed in: libvirt (Ubuntu)
   Status: Expired => Incomplete

** Changed in: libvirt (Ubuntu Xenial)
   Status: Expired => Confirmed

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2017-11-05 Thread Launchpad Bug Tracker
[Expired for libvirt (Ubuntu Xenial) because there has been no activity
for 60 days.]

** Changed in: libvirt (Ubuntu Xenial)
   Status: Incomplete => Expired

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2017-11-05 Thread Launchpad Bug Tracker
[Expired for libvirt (Ubuntu) because there has been no activity for 60
days.]

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => Expired

[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/

2017-09-06 Thread ChristianEhrhardt
Hi Martin,
I'm currently trying to clean up bugs that were missed or got no update.
First I have to beg your pardon for missing it in the first place.

I have run spice sessions without that showing up, so I checked what that
actually is about.
In general that directory is to plug configs for the gssapi - see some libvirt
ref at [1].

This has been enabled for ages, but I haven't heard of any issues. Which either
means it works fine or no one is actually using it.
I'd assume your setup has SASL/GSSAPI configured beyond vnc/spice to
trigger this.
If you'd have any details on this part of your setup for better reproducibility
of the issue, that would be great.
In general sharing a guest xml could help so I can kind of bisect through it
to see if/how to trigger it.

Alternatively it seems to only be used when you use the non-TLS socket.
Your bug report states only default networks as modified, but maybe this
differs from the env this pops up in. Could you check if you have any
changes made to either
/etc/sasl2/libvirt.conf or to listen_tls in /etc/libvirt/libvirtd.conf.


[1]: https://libvirt.org/auth.html#ACL_server_kerberos

** Changed in: libvirt (Ubuntu Xenial)
   Status: New => Incomplete

** Changed in: libvirt (Ubuntu)
   Status: New => Incomplete
