New virt-manager (1.4.0) needs unix (send receive) in apparmor

Bug #1668681 reported by Bryan Quigley
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Bryan Quigley

Bug Description

1) Ubuntu 17.04
2) with me trying to merge virt-manager 1.4.0 (from bug https://bugs.launchpad.net/ubuntu/+source/virt-manager/+bug/1667114)
3) View the console of a running VM from virt-manager
4) Instead we get the error:
Error connecting to graphical console:
internal error: unable to execute QEMU command 'getfd':
No file descriptor supplied via SCM_RIGHTS

Which is also described here - https://askubuntu.com/questions/833964/virt-manager-cant-connect-to-graphical-console/853381

All it needs to work is to add:
  # allow connect with openGraphicsFD to work
  unix (send, receive) type=stream peer=(label=/usr/sbin/libvirtd),

to abstractions/libvirt-qemu

I traced the cause of the change to commit https://github.com/virt-manager/virt-manager/commit/5c451b6401a212192d0cada164d8c1a6c8127bce

Tags: patch
Changed in libvirt (Ubuntu):
assignee: nobody → Bryan Quigley (bryanquigley)
Jamie Strandboge (jdstrand) wrote :

This rule means that every VM can unconditionally talk to libvirtd over any unix stream socket. What is the denial that prompted this rule?

Bryan Quigley (bryanquigley) wrote :

Feb 28 13:53:15 desktop audit[13168]: AVC apparmor="DENIED" operation="file_receive" profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/libvirtd"
Feb 28 13:53:15 desktop libvirtd[8890]: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
Feb 28 13:53:15 desktop kernel: audit: type=1400 audit(1488307995.746:362): apparmor="DENIED" operation="file_receive" profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/libvirtd"

Jamie Strandboge (jdstrand) wrote :

Please use this rule instead:

unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

That said, is the use of openGraphics exposed in the domain xml?
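
As an added illustration (not code from the bug report, libvirt or the AppArmor tools), the parser below takes the denial lines quoted above and derives the narrower rule proposed in this comment: every constraint the audit record carries (denied permissions, socket type, local address, peer label) is kept instead of allowing any unix stream socket. It is a simplified stand-in for what aa-logprof does; the sample log text is the lines from the report, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the three log lines quoted in the bug report
# (one audit daemon line, the libvirtd error, and the kernel's copy of the AVC).
SAMPLE_LOG = """\
Feb 28 13:53:15 desktop audit[13168]: AVC apparmor="DENIED" operation="file_receive" profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/libvirtd"
Feb 28 13:53:15 desktop libvirtd[8890]: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
Feb 28 13:53:15 desktop kernel: audit: type=1400 audit(1488307995.746:362): apparmor="DENIED" operation="file_receive" profile="libvirt-3371aa28-80bc-4268-84a5-2cefb074f5a6" pid=13168 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/libvirtd"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Return one dict of audit fields per AppArmor DENIED line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events


def suggest_unix_rule(event):
    """Build the narrow unix rule for one unix-socket denial (None for other families).

    Every constraint the denial reports is kept: the denied permissions, the socket
    type, the local address (addr=none for an anonymous socket) and the peer label.
    """
    if event.get("family") != "unix":
        return None
    perms = ", ".join(event["denied_mask"].split())
    rule = f"unix ({perms}) type={event['sock_type']}"
    if "addr" in event:
        rule += f" addr={event['addr']}"
    return rule + f" peer=(label={event['peer']}),"


def rules_for_log(log_text):
    """Map each denied profile to its de-duplicated list of suggested rules."""
    by_profile = defaultdict(list)
    for event in parse_denials(log_text):
        rule = suggest_unix_rule(event)
        if rule and rule not in by_profile[event["profile"]]:
            by_profile[event["profile"]].append(rule)
    return dict(by_profile)
```

The denied profile is the per-VM `libvirt-<uuid>` profile, which is why the fix lands in the shared abstractions/libvirt-qemu rather than in one guest's profile.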

Bryan Quigley (bryanquigley) wrote :

>unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

Will revise it and upstream patch for that.

>That said, is the use of openGraphics exposed in the domain xml?
The domain xml can be (and is in all my testing) identical between virt-manager 1.3 (working) and 1.4 (causing this issue).

Nothing says openGraphics in the xml.

Bryan Quigley (bryanquigley) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "libvirt_2.5.0-3ubuntu3.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

While not a rule I'm super pleased with, we'll have to trust libvirtd to DTRT with its anonymous sockets. Thanks for the update to the debdiff.

Mathew Hodson (mhodson)
Changed in libvirt (Ubuntu):
importance: Undecided → Medium
Christian Ehrhardt (paelzer) wrote :

Hi Bryan, thanks for your analysis and providing a patch already.
While I agree that the rule seems a bit open I trust Jamie's expertise and he doesn't call out a better way to do it.

I have added it to Ubuntu's libvirt git and lined that up for a zesty upload together with another bug that shall be fixed in zesty before fully freezing zesty.

=> https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2536

It just started building and I'll throw a pile of tests at it before moving it forward to proposed.
Please let me know if you have any other plans.

Bryan Quigley (bryanquigley) wrote :

Thanks Christian, the update looks good. I have no other changes I'm looking to make to libvirt. (this does unblock me to look at merging virt-manager, but still a bunch of work to do for that).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 2.5.0-3ubuntu3

---------------
libvirt (2.5.0-3ubuntu3) zesty; urgency=medium

  [ Christian Ehrhardt ]
  * d/p/ubuntu/Ensure-disk-names-follow-the-disk-name-regex.patch:
    guarantee disk spec is following the defined regex (LP: #1665410).

  [ Bryan Quigley ]
  * d/p/ubuntu/0007-apparmor-fix-for-new-virt-manager.patch: Add Apparmor
    permissions so virt-manager 1.4.0 viewing works (LP: #1668681).

 -- Christian Ehrhardt <email address hidden> Mon, 06 Mar 2017 08:24:06 +0100

Changed in libvirt (Ubuntu):
status: New → Fix Released