[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
This bug was fixed in the package libvirt - 4.0.0-1ubuntu5

---
libvirt (4.0.0-1ubuntu5) bionic; urgency=medium

  * run dnsmasq as libvirt-dnsmasq (LP: #1743718)
    - d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
    - d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
    - d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq
      and adapt the self tests to expect that config
    - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
  * Backport from recent upstream to stabilize libvirt (LP: #1754352)
    - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
    - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
    - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
    - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
    - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
    - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
    - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
    - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
    - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
  * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch
    fix issues if sasl is configured (LP: #1696471)
  * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch
    ensure symlinks are resolved to get valid rules if interim parts of a path
    are a symlink (LP: #1752361)

 -- Christian Ehrhardt  Tue, 27 Feb 2018 12:04:02 +0100

** Changed in: libvirt (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1696471

Title:
  AppArmor denies access to /etc/gss/mech.d/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1696471/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
I pushed the commit upstream after some review, ready to be included in Bionic with the next upload.
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
** Tags added: 4.0.0-1ubuntu5
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Submitted as https://www.redhat.com/archives/libvir-list/2018-March/msg00328.html
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Rule tested, not breaking things - fixing the deny as intended.
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Rule we need is:

  /etc/gss/mech.d/ r,

To trigger we need "libsasl2-modules-gssapi-mit" installed. That makes qemu read the dir. In there one only defines additional plugins to be loaded, and I can understand that this might be needed by sasl. I think it is safe to allow still and will submit something upstream.
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
I have seen the same recently, but without a clear repro I can't upstream. Also we don't know the impact of that missing yet. Let's fix it in Bionic as an Ubuntu custom change for now, and if we find a way to repro-trigger intentionally and understand the impact of the lack I can upstream it.
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Sorry for the delay, I finally found some time to get back to this. This is still reproducible on current Ubuntu 17.10:

  virsh define m.xml
  qemu-img create -f qcow2 /var/lib/libvirt/images/subVmTest1-2.img 128M
  virsh start subVmTest1

dmesg shows:

  [  319.220193] audit: type=1400 audit(1520004938.754:40): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

m.xml is attached. It's lightly edited to remove some external file and device references, to be more or less self-contained (except for the image created above; but that can be empty - it doesn't matter what's actually running in the VM).

** Attachment added: "reproducing machine XML"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1696471/+attachment/5067161/+files/m.xml

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => New
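The audit line above is the whole evidence a profile maintainer works from: the `name=` and `denied_mask=` fields determine the rule that would clear the denial (here `/etc/gss/mech.d/ r,`). The following is an added example, not code from the bug thread or from libvirt, that parses such a line and derives the minimal rule; the helper names and the re-joined sample line are constructed for illustration.

```python
import re

# Constructed sample: the denial reported above, re-joined onto one line
# (the mailing-list extraction had line-wrapped the profile name and comm).
SAMPLE_DENIAL = (
    '[  319.220193] audit: type=1400 audit(1520004938.754:40): apparmor="DENIED" '
    'operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" '
    'name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" '
    'denied_mask="r" fsuid=64055 ouid=0'
)

# key=value pairs; values are either "double quoted" or a bare token
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit(line):
    """Return a dict of the key=value fields of an AppArmor audit line."""
    fields = {}
    for m in _KV.finditer(line):
        # group(3) is the unquoted content of a quoted value, else the bare token
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def suggest_rule(fields):
    """Build the minimal file rule 'path perms,' that satisfies this denial.

    Returns None for lines that are not DENIED file accesses (nothing to add).
    """
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    # denied_mask is what actually failed; fall back to requested_mask if absent
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    return f'{fields["name"]} {mask},'


def rule_covers(rule, fields):
    """True if an existing literal rule 'path perms,' grants the denied access.

    Only exact paths are compared; AppArmor globbing (e.g. /etc/gss/**) is
    deliberately out of scope for this check.
    """
    path, perms = rule.rstrip(",").rsplit(" ", 1)
    if path != fields["name"]:
        return False
    return set(fields["denied_mask"]) <= set(perms)
```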
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Forgot to mention: I didn't change any libvirt config files, in particular not the ones you mentioned:

  # dpkg -s libvirt-daemon-system | grep libvirt.conf
   /etc/sasl2/libvirt.conf 09c4fa846e8e27bfa3ab3325900d63ea
  # md5sum /etc/sasl2/libvirt.conf
  09c4fa846e8e27bfa3ab3325900d63ea  /etc/sasl2/libvirt.conf

  # dpkg -s libvirt-daemon-system | grep libvirtd.conf
   /etc/libvirt/libvirtd.conf bfacce84359f17a8bb59cb0dfe9b424f
  # md5sum /etc/libvirt/libvirtd.conf
  bfacce84359f17a8bb59cb0dfe9b424f  /etc/libvirt/libvirtd.conf

But note that /etc/sasl2/libvirt.conf has "mech_list: gssapi" enabled by default.
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Yeah, thanks Martin, if that is the case I agree to this plan of action. As soon as we can explain what triggers it I likely can easily bring something upstream. If you want to discuss potential experiments/reproducers feel free to catch me on IRC.
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
This still happens all the time, also in 17.10, reopening. I need to find some time to create a reproducer that doesn't involve the Cockpit tests.

** Changed in: libvirt (Ubuntu)
   Status: Expired => Incomplete

** Changed in: libvirt (Ubuntu Xenial)
   Status: Expired => Confirmed
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
[Expired for libvirt (Ubuntu Xenial) because there has been no activity for 60 days.]

** Changed in: libvirt (Ubuntu Xenial)
   Status: Incomplete => Expired
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => Expired
[Bug 1696471] Re: AppArmor denies access to /etc/gss/mech.d/
Hi Martin, I'm currently trying to clean up bugs that were missed or got no update. First I have to beg your pardon for missing it in the first place.

I have run spice sessions without that showing up, so I checked what that actually is about. In general that directory is to plug configs for the gssapi - see some libvirt ref at [1]. This has been enabled since ages, but I haven't heard of any issues. Which either means it works fine or no one is actually using it.

I'd assume your setup has a SASL/GSSAPI configured more than vnc/spice to trigger this. If you'd have any details on this part of your setup for better reproducibility of the issue, that would be great. In general sharing a guest xml could help so I can kind of bisect through it if/how to trigger it.

Alternatively it seems to only be used when you use the non TLS socket. Your bug report states only default networks as modified, but maybe this differs from the env this pops up in. Could you check if you have any changes made to either /etc/sasl2/libvirt.conf or to listen_tls in /etc/libvirt/libvirtd.conf.

[1]: https://libvirt.org/auth.html#ACL_server_kerberos

** Changed in: libvirt (Ubuntu Xenial)
   Status: New => Incomplete

** Changed in: libvirt (Ubuntu)
   Status: New => Incomplete