Thanks to tyhicks from the security Team here some guidance how to go for step 2 of comment #30. If anybody is hitting this issue again, please help to verify this before applying any of the workarounds summarized by Hans in comment #20.
To do so follow this: # There are several moving parts involved: # # 1. The human readable profile # 2. The binary cache file # 3. The policy loaded into the kernel # Save off the binary cache file $ sudo mv /etc/apparmor.d/cache/usr.sbin.libvirtd /tmp/usr.sbin.libvirtd.oldcache # Create a new binary cache file from the human readable profile (but do not load it) and save it off $ sudo apparmor_parser -TWQ /etc/apparmor.d/usr.sbin.libvirtd $ sudo mv /etc/apparmor.d/cache/usr.sbin.libvirtd /tmp/usr.sbin.libvirtd.newcache # Verify that the old and new binary cache file matches the policy in the kernel # # Note: The in kernel path has an integer is appended to the end of the profile # name and I can't tell you what the integer will be ahead of time, so use wildcard $ sudo sha1sum /sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.*/raw_data /tmp/usr.sbin.libvirtd.* bbdf01649dd59ab1bd3d3696788aa0be9f6f6b03 /sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.18/raw_data bbdf01649dd59ab1bd3d3696788aa0be9f6f6b03 /tmp/usr.sbin.libvirtd.newcache bbdf01649dd59ab1bd3d3696788aa0be9f6f6b03 /tmp/usr.sbin.libvirtd.oldcache # If all hashes match, then it means that the profile, binary cache, and # in-kernel policy are all in sync But if in the error case all hashes would match it would make no sense that reloading the profiles helps as reported multiple times. So lets hope we can confirm this once somebody hits it again. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1594902 Title: Failed to upgrade to libvirt-bin 1.3.1-1ubuntu10.1 on Ubuntu 16.04 64-bit Status in apparmor package in Ubuntu: New Status in libvirt package in Ubuntu: Confirmed Bug description: Output from 'apt-get upgrade': Setting up libvirt-bin (1.3.1-1ubuntu10.1) ... initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused insserv: warning: script 'screen-cleanup' missing LSB tags and overrides insserv: Default-Start undefined, assuming empty start runlevel(s) for script `screen-cleanup' insserv: Default-Stop undefined, assuming empty stop runlevel(s) for script `screen-cleanup' initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused insserv: warning: script 'binfmt-support' missing LSB tags and overrides insserv: Default-Start undefined, assuming empty start runlevel(s) for script `binfmt-support' insserv: Default-Stop undefined, assuming empty stop runlevel(s) for script `binfmt-support' initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused insserv: warning: script 'screen-cleanup' missing LSB tags and overrides insserv: Default-Start undefined, assuming empty start runlevel(s) for script `screen-cleanup' insserv: Default-Stop undefined, assuming empty stop runlevel(s) for script `screen-cleanup' initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused insserv: warning: script 'binfmt-support' missing LSB tags and overrides insserv: Default-Start undefined, assuming empty start runlevel(s) for script `binfmt-support' insserv: Default-Stop undefined, assuming empty stop runlevel(s) for script `binfmt-support' initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused insserv: warning: script 'screen-cleanup' missing LSB tags and overrides insserv: Default-Start undefined, assuming empty start runlevel(s) for script `screen-cleanup' insserv: Default-Stop undefined, assuming empty stop runlevel(s) for script `screen-cleanup' initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused insserv: warning: script 'binfmt-support' missing LSB tags and overrides insserv: Default-Start undefined, assuming empty start runlevel(s) for script `binfmt-support' insserv: Default-Stop undefined, assuming empty stop runlevel(s) for script `binfmt-support' Job for libvirt-bin.service failed because the control process exited with error code. See "systemctl status libvirt-bin.service" and "journalctl -xe" for details. invoke-rc.d: initscript libvirt-bin, action "restart" failed. dpkg: error processing package libvirt-bin (--configure): subprocess installed post-installation script returned error exit status 1 E: Sub-process /usr/bin/dpkg returned an error code (1) Output from 'systemctl status libvirt-bin.service': ● libvirt-bin.service - Virtualization daemon Loaded: loaded (/lib/systemd/system/libvirt-bin.service; enabled; vendor preset: enabled) Active: inactive (dead) (Result: exit-code) since Tue 2016-06-21 17:55:16 BST; 4min 52s ago Docs: man:libvirtd(8) http://libvirt.org Process: 2984 ExecStart=/usr/sbin/libvirtd $libvirtd_opts (code=exited, status=6) Main PID: 2984 (code=exited, status=6) Jun 21 17:55:15 lydia systemd[1]: Failed to start Virtualization daemon. Jun 21 17:55:15 lydia systemd[1]: libvirt-bin.service: Unit entered failed state. Jun 21 17:55:15 lydia systemd[1]: libvirt-bin.service: Failed with result 'exit-code'. Jun 21 17:55:16 lydia systemd[1]: libvirt-bin.service: Service hold-off time over, scheduling restart. Jun 21 17:55:16 lydia systemd[1]: Stopped Virtualization daemon. Jun 21 17:55:16 lydia systemd[1]: libvirt-bin.service: Start request repeated too quickly. Jun 21 17:55:16 lydia systemd[1]: Failed to start Virtualization daemon. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1594902/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
