Bug #480478 “libvirt's apparmor profile doesn't allow execution ...” : Bugs : libvirt package : Ubuntu

Jamie Strandboge (jdstrand) on 2009-11-11

tags:	added: apparmor
Changed in libvirt (Ubuntu):
assignee:	nobody → Jamie Strandboge (jdstrand)
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Chris Jones (cmsj) wrote on 2009-11-19:

#1

I'm brand new to lxc and apparmor, but I wonder if this is sufficient:

=== modified file 'apparmor.d/usr.sbin.libvirtd'
--- apparmor.d/usr.sbin.libvirtd 2009-11-19 21:10:26 +0000
+++ apparmor.d/usr.sbin.libvirtd 2009-11-19 21:26:21 +0000
@@ -32,6 +32,7 @@
   /sbin/* Ux,
   /usr/bin/* Ux,
   /usr/sbin/* Ux,
+ /usr/lib/libvirt/* Ux,

# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-11-23:

#2

To better work with libvirt's layout going further, this is the rule I would recommend:
/usr/lib/libvirt/* PUxr,

Jamie Strandboge (jdstrand) on 2009-11-23

Changed in libvirt (Ubuntu):
milestone:	none → karmic-updates
Changed in libvirt (Ubuntu Karmic):
importance:	Undecided → Medium
assignee:	nobody → Jamie Strandboge (jdstrand)
milestone:	none → karmic-updates
status:	New → Triaged
Changed in libvirt (Ubuntu Lucid):
milestone:	karmic-updates → none

Jamie Strandboge (jdstrand) on 2009-11-30

Changed in libvirt (Ubuntu Lucid):
status:	Triaged → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-12-02:

#3

Download full text (6.5 KiB)

This bug was fixed in the package libvirt - 0.7.2-4ubuntu1

---------------
libvirt (0.7.2-4ubuntu1) lucid; urgency=low

  * Merge from debian testing. Remaining changes:
    - debian/control:
      + Don't build-depend on QEmu
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Recommends qemu-kvm (>= 0.11.0-0ubuntu6)
      + Add versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg,
        since we used to ship them as such
      + We call libxen-dev libxen3-dev, so change all references
      + Build-Depends on libxml2-utils
      + Build-Depends on open-iscsi-utils instead of open-iscsi due to
        LP: #414986
    - debian/postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
    - debian/libvirt-bin.postrm: rename the libvirt group to libvirtd
    - debian/rules: add DEB_MAKE_CHECK_TARGET := check
    - debian/patches/900[0-7]: updated/refreshed for new paths in 0.7.2
    - debian/patches/series: don't apply 0002-qemu-disable-network.diff.patch
    - AppArmor integration:
      + debian/control: Build-Depends on libapparmor-dev and Suggests
        apparmor (>= 2.3+1289-0ubuntu14)
      + debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
        /etc/apparmor.d/force-complain, /etc/apparmor.d/libvirt,
        /etc/cron.daily and /usr/share/apport/package-hooks
      + add debian/libvirt-bin.cron.daily (LP: #438165)
      + add debian/libvirt-bin.apport
      + debian/libvirt-bin.install: install apparmor profiles, abstractions
        and apport hook
      + debian/postinst: reload apparmor profiles
      + debian/libvirt-bin.postrm: remove apparmor symlinks on purge
      + debian/libvirt-bin.preinst: added to force complain on certain
        upgrades
      + debian/README.Debian: add AppArmor section based on the upstream
        documentation
      + debian/rules: use --with-apparmor and copy apparmor and apport hook to
        debian/tmp
    - Dropped the following patches now included upstream:
      + 0005-Close-logfile-fd-after-spawning-qemu.patch
      + 9090-reenable-nonfile-labels.patch
      + 9091-apparmor.patch
      + 9092-apparmor-autoreconf.patch
  * AppArmor integration updates:
    - debian/apparmor/usr.sbin.libvirtd: allow libvirtd access to
      /usr/lib/libvirt/* (LP: #480478)
    - debian/apparmor/libvirt-qemu: allow guests access to
      /etc/pki/libvirt-vnc/** (LP: #484562)
    - debian/libvirt-bin.postinst: 0.7.2 moved /usr/bin/virt-aa-helper to
      /usr/lib/libvirt, so the profile changed from usr.bin.virt-aa-helper
      to usr.lib.libvirt.virt-aa-helper and needs to be migrated. If the user
      made no changes to the old profile, remove it, otherwise, update the
      paths, preserving the shipped usr.lib.libvirt.virt-aa-helper
    - update to 0.7.4 version of the sVirt AppArmor driver (can be dropped in
      0.7.4):
      + debian/patches/9008-apparmor-caps-mockup.patch
      + debian/patches/9009-apparmor-lp453335.patch
      + debian/patches/9010-apparmor-lp460271.patch
      + debian/patches/9011-apparmor-code-cleanups.patch
    - add virt-aa-helper-test and examples/appar...

This bug was fixed in the package libvirt - 0.7.2-4ubuntu1

---------------
libvirt (0.7.2-4ubuntu1) lucid; urgency=low

* Merge from debian testing. Remaining changes:
    - debian/control:
      + Don't build-depend on QEmu
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Recommends qemu-kvm (>= 0.11.0-0ubuntu6)
      + Add versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg,
        since we used to ship them as such
      + We call libxen-dev libxen3-dev, so change all references
      + Build-Depends on libxml2-utils
      + Build-Depends on open-iscsi-utils instead of open-iscsi due to
        LP: #414986
    - debian/postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
    - debian/libvirt-bin.postrm: rename the libvirt group to libvirtd
    - debian/rules: add DEB_MAKE_CHECK_TARGET := check
    - debian/patches/900[0-7]: updated/refreshed for new paths in 0.7.2
    - debian/patches/series: don't apply 0002-qemu-disable-network.diff.patch
    - AppArmor integration:
      + debian/control: Build-Depends on libapparmor-dev and Suggests
        apparmor (>= 2.3+1289-0ubuntu14)
      + debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
        /etc/apparmor.d/force-complain, /etc/apparmor.d/libvirt,
        /etc/cron.daily and /usr/share/apport/package-hooks
      + add debian/libvirt-bin.cron.daily (LP: #438165)
      + add debian/libvirt-bin.apport
      + debian/libvirt-bin.install: install apparmor profiles, abstractions
        and apport hook
      + debian/postinst: reload apparmor profiles
      + debian/libvirt-bin.postrm: remove apparmor symlinks on purge
      + debian/libvirt-bin.preinst: added to force complain on certain
        upgrades
      + debian/README.Debian: add AppArmor section based on the upstream
        documentation
      + debian/rules: use --with-apparmor and copy apparmor and apport hook to
        debian/tmp
    - Dropped the following patches now included upstream:
      + 0005-Close-logfile-fd-after-spawning-qemu.patch
      + 9090-reenable-nonfile-labels.patch
      + 9091-apparmor.patch
      + 9092-apparmor-autoreconf.patch
  * AppArmor integration updates:
    - debian/apparmor/usr.sbin.libvirtd: allow libvirtd access to
      /usr/lib/libvirt/* (LP: #480478)
    - debian/apparmor/libvirt-qemu: allow guests access to
      /etc/pki/libvirt-vnc/** (LP: #484562)
    - debian/libvirt-bin.postinst: 0.7.2 moved /usr/bin/virt-aa-helper to
      /usr/lib/libvirt, so the profile changed from usr.bin.virt-aa-helper
      to usr.lib.libvirt.virt-aa-helper and needs to be migrated. If the user
      made no changes to the old profile, remove it, otherwise, update the
      paths, preserving the shipped usr.lib.libvirt.virt-aa-helper
    - update to 0.7.4 version of the sVirt AppArmor driver (can be dropped in
      0.7.4):
      + debian/patches/9008-apparmor-caps-mockup.patch
      + debian/patches/9009-apparmor-lp453335.patch
      + debian/patches/9010-apparmor-lp460271.patch
      + debian/patches/9011-apparmor-code-cleanups.patch
    - add virt-aa-helper-test and examples/apparmor that were omitted from the
      upstream tarball (can be dropped in 0.7.5):
      + debian/patches/9012-apparmor-add-virt-aa-helper-test.patch
      + debian/patches/9013-apparmor-examples.patch
      + debian/rules: add post-patches target to make virt-aa-helper-test
        executable
  * debian/patches/0005-Fix-SELinux-linking-issues.patch: updated to work
    when both apparmor and selinux are available. This patch should be
    dropped in 0.7.4.
  * debian/patches/9007-default-config-test-case.patch: updated to not fail
    if building in a deep directory
  * debian/patches/9014-event-fuzz.patch: add a little fuzz to not be quite
    so precise with expected expiry time. Fixes FTBFS with HZ=100 kernels.
    Can be dropped in 0.7.5.
  * debian/patches/9015-hal-startup-failure-is-nonfatal.patch: disable hal
    driver if hald is not running instead of dying. Can be dropped in
    0.7.4.
  * debian/control: temporarily remove Build-Depends on libcap-ng-dev, which
    isn't available in Ubuntu main yet
  * revert change to new source format 3.0 (quilt) since Launchpad can't
    handle it yet (see LP: #293106)

libvirt (0.7.2-4) unstable; urgency=low

* [213ca47] switch to new source format 3.0 (quilt)
  * [f5a10e9] Depend on hal (Closes: #556730)
  * [7d1422d] Drop build-dep on libpolkit-dbus-dev (Closes: #549500)
  * [95ad85c] Depend on libcap-ng-dev for lxc driver.

libvirt (0.7.2-3) unstable; urgency=low

* [2c0aa82] Fix qemu:///session Backported from upsgtream's
    79218cdd9887b132eb0f29fe2048f89e90beae1 (Closes: #554869)

libvirt (0.7.2-2) unstable; urgency=low

[ Laurent Léonard ]
  * [a9ea205] Change requirement of libvirt-bin in libvirt- suspendonreboot.
  * [a4db804] Update debian/patches/0006-Don-t-let-parent-of-daemon-
    exit-until-basic-initiali.patch. Fix use of an uninitialized variable that
    was causing a bug on i386 systems.
  * [59e1e53] Redo patches.

[ Guido Günther ]
  * upload to unstable
  * [43f106a] Only remove masquerade roles for VIR_NETWORK_FORWARD_NAT
    (Closes: #549949) - thanks to Rob S. Wolfram for testing

libvirt (0.7.2-1) experimental; urgency=low

[ Laurent Léonard ]
  * [51a4814] Imported Upstream version 0.7.2
  * [12268f6] Update patches.
  * [175d497] Fix SELinux linking issues. Pulled from upstream
    309acaa0230494b8ec08d03375c10238cb2daf55.
  * [5cfdaf8] Update libvirt-doc docs.
  * [dc2059f] Update libvirt-bin manpages.
  * [a62a4a7] Update libvirt-bin examples.
  * [9e38cbc] Update libvirt0 symbols.
  * [412b12f] Make init.d script provide itself.
  * [35451bf] Update debian/rules to support new example files.
  * [43b7dac] Don't let parent of daemon exit until basic initialization is
    done.
  * [5a37e69] Make init.d provide libvirtd for backward compatibility.

libvirt (0.7.1-2) unstable; urgency=low

* [f5299d3] document changes and release 0.7.1-1
  * [f137c00] Allow for older versions of dpkg-dev to ease backports.
  * [74f5832] Use Policykit 1.0 (Closes: #549500)

libvirt (0.7.1-1) unstable; urgency=low

[ Laurent Léonard ]
  * [40fb620] Bump Debhelper version to 7.
  * [e0e89f2] Bump Standards-Version to 3.8.3.
  * [50a862f] Clean debian/rules.
  * [e9c9906] Change build dependency on libreadline5-dev to
    libreadline-dev.
  * [b6cb738] Imported Upstream version 0.7.1
  * [780f6a7] Redo patches.
  * [3d66f37] Update libvirt-bin examples.
  * [c01ed84] Update libvirt0 symbols.
 -- Jamie Strandboge <jamie@ubuntu.com>   Wed, 02 Dec 2009 09:22:21 -0600

Changed in libvirt (Ubuntu Lucid):
status:	In Progress → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-04-20:

#4

Unmilestoning and unassigning myself for the 9.10 task. I don't have time to prepare/test/follow through on an SRU for this, especially since there is an easy workaround. If someone else is inclined to take the lead on an SRU for this, feel free to do so.

Changed in libvirt (Ubuntu Karmic):
assignee:	Jamie Strandboge (jdstrand) → nobody
milestone:	karmic-updates → none

Revision history for this message

Rolf Leggewie (r0lf) wrote on 2014-12-03:

#5

karmic has seen the end of its life and is no longer receiving any updates. Marking the karmic task for this ticket as 'Won't Fix'.

Changed in libvirt (Ubuntu Karmic):
status:	Triaged → Won't Fix

Ubuntu
libvirt package

libvirt's apparmor profile doesn't allow execution of /usr/lib/libvirt/libvirt_lxc

Bug Description

Related branches

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
libvirt (Ubuntu)	Fix Released	Medium	Jamie Strandboge
Karmic	Won't Fix	Medium	Unassigned
Lucid	Fix Released	Medium	Jamie Strandboge

Ubuntulibvirt package

libvirt's apparmor profile doesn't allow execution of /usr/lib/libvirt/libvirt_lxc

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntu
libvirt package