apparmor profile for libvirt does not allow hooks to be executed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Low | Unassigned |
Maverick | Won't Fix | Undecided | Unassigned |
Natty | Won't Fix | Undecided | Unassigned |
Oneiric | Won't Fix | Undecided | Unassigned |
Bug Description
=======
SRU Justification:
1. Impact: libvirt hooks cannot be used
2. Development fix: add apparmor rule to allow use of libvirt hooks
3. Stable fix: same as development fix
4. Test case:
a. install libvirt
b. create /etc/libvirt/
#!/bin/sh << EOF
date >> /tmp/libvirt-
EOF
c. stop libvirt-bin; start libvirt-bin
d. check whether /tmp/libvirt-
5. Regression potential: if the profile has a syntax error, it could cause problems loading the profile, or lead to too much or insufficient privilege for libvirt to run.
=======
The hooks documented in http://
For example, "daemon" hook produces this message in the log:
Nov 17 06:54:06 nexus kernel: [ 8914.624912] type=1400 audit(132149844
Description: Ubuntu 11.10
Release: 11.10
libvirt-bin:
Installed: 0.9.2-4ubuntu15.1
Candidate: 0.9.2-4ubuntu15.1
Version table:
*** 0.9.2-4ubuntu15.1 0
500 http://
100 /var/lib/
0.
500 http://
Related branches
description: | updated |
Changed in libvirt (Ubuntu Maverick): | |
status: | New → Won't Fix |
Changed in libvirt (Ubuntu Natty): | |
status: | New → Won't Fix |
This should work if you add the following to /etc/apparmor.d/usr.sbin.libvirtd (under the '/usr/bin/* PUx' rule):
/etc/libvirt/hooks/* ix,

Hooks are called by the trusted libvirtd daemon, not by the AppArmor protected guests, so this rule is safe to add to the AppArmor profile as libvirtd is expected to run (essentially) unconfined.
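Added example, not part of the bug report or of the libvirt package: a POSIX sh check for the two things this report turns on, whether the libvirtd profile text carries an exec rule for /etc/libvirt/hooks/*, and whether the kernel audit log shows exec denials for that path. The profile excerpts and audit lines are constructed samples in the format of the message quoted above; the exact audit field layout is an assumption.

```shell
#!/bin/sh
# Constructed profile excerpts (not the real /etc/apparmor.d/usr.sbin.libvirtd):
# one without the hooks rule, one with the rule proposed in the comment above.
PROFILE_WITHOUT='/usr/sbin/libvirtd {
  /usr/bin/* PUx,
  /etc/libvirt/** r,
}'
PROFILE_WITH='/usr/sbin/libvirtd {
  /usr/bin/* PUx,
  /etc/libvirt/hooks/* ix,
  /etc/libvirt/** r,
}'

# Constructed kernel audit lines (type=1400, assumed field layout): one exec
# denial for a hook, one unrelated allowed open so the filter has something to skip.
AUDIT_LOG='type=1400 audit(1321498446.123:45): apparmor="DENIED" operation="exec" parent=1234 profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/daemon" pid=1235 comm="libvirtd" requested_mask="x" denied_mask="x"
type=1400 audit(1321498447.456:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=1235 comm="libvirtd" requested_mask="r" denied_mask="r"'

# has_hooks_rule PROFILE_TEXT: succeed if the profile contains an execute rule
# (ix, Px, PUx, ...) for /etc/libvirt/hooks/*.
has_hooks_rule() {
  printf '%s\n' "$1" \
    | grep -Eq '^[[:space:]]*/etc/libvirt/hooks/\*[[:space:]]+[A-Za-z]*x,'
}

# hook_exec_denials AUDIT_TEXT: print the hook paths that the libvirtd profile
# denied executing, one per line (empty output when there are none).
hook_exec_denials() {
  printf '%s\n' "$1" \
    | grep 'apparmor="DENIED"' \
    | grep 'operation="exec"' \
    | grep 'profile="/usr/sbin/libvirtd"' \
    | sed -n 's/.*name="\(\/etc\/libvirt\/hooks\/[^"]*\)".*/\1/p'
}

# Stand-alone demo over the constructed samples.
for p in "$PROFILE_WITHOUT" "$PROFILE_WITH"; do
  if has_hooks_rule "$p"; then echo "profile: hooks exec rule present"
  else echo "profile: hooks exec rule missing"; fi
done
echo "hooks denied exec by libvirtd profile:"
hook_exec_denials "$AUDIT_LOG"
```

On a real host, feed the output of `cat /etc/apparmor.d/usr.sbin.libvirtd` and the relevant lines of the kernel log to the two functions instead of the constructed samples.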