[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
** Changed in: apparmor (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
** Changed in: apparmor Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
Patch commited to bzr trunk r3574. AppArmor 2.11 will include it. ** Changed in: apparmor Status: New => Fix Committed ** Changed in: apparmor Milestone: None => 2.11 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
dnsmasq.* indeed sounds like a good idea, and shouldn't cause any harm. I've sent another patch to the mailinglist for review. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
Yes, so basically we have: - dnsmasq.pid (create + read/write by dnsmasq) - dnsmasq.raw (read by dnsmasq) - dnsmasq.hosts (read by dnsmasq) - dnsmasq.leases (create + read/write by dnsmasq) I'd be tempted to just go with: /var/lib/lxd/networks/*/dnsmasq.pid rw, /var/lib/lxd/networks/*/dnsmasq.leases rw, /var/lib/lxd/networks/*/dnsmasq.* r, That should make things a bit more future proof should we add any more dnsmasq related files in there. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
"c" means to create a file, so you'll need write permissions. Judging on other rules in the profile, you'll also need read permissions. To sum it up: /var/lib/lxd/networks/*/dnsmasq.pid rw, Anything else after adding this? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
Another message: audit: type=1400 audit(1476791887.152:118): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.pid" pid=5480 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
dnsmasq.leases added in trunk r3573 (before noticing comment #5 ;-) comment #5 means you'll need to add /var/lib/lxd/networks/*/dnsmasq.hosts r, After adding this (and reloading the profile), do you see more DENIED messages? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
** Branch linked: lp:apparmor -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
I'm afraid it won't be enough...: audit: type=1400 audit(1476780672.803:99): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts" pid=5165 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
Thanks for the feedback! I just submitted the patch for review upstream. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
/var/lib/lxd/networks/*/dnsmasq.leases rw, should work fine -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
The interface name is decided by the user in LXD 2.3 or higher, so it can be any valid interface name. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634199] Re: In 16.10, LXD won't work with enforced dsnmasq profile
Sounds like the path changed. You'll need to add the following rule to /etc/apparmor.d/usr.sbin.dnsmasq (or to the local/ include): /var/lib/lxd/networks/lxdbr*/dnsmasq.leases rw, BTW: Do you know if lxd supports different network interface types that don't match the lxdbr* name pattern? If yes, we'll need to add a more permissive rule. ** Also affects: apparmor Importance: Undecided Status: New ** Tags added: aa-policy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634199 Title: In 16.10, LXD won't work with enforced dsnmasq profile To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1634199/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
