Missing entries in libvirt-qemu AppArmor profile

Bug #901272 reported by Louis Bouchard
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Description: Ubuntu 11.10
Release : 11.10

When setting up VncTLS according to the official Libvirt documentation, only one certificate for libvirt/libvirt-vnc is used. The document says to use the following directories:

 /etc/pki/CA
 /etc/pki/libvirt
 /etc/pki/libvirt/private

in order to manage the certificates used by libvirt-vnc.

This is the document that talks about it: http://wiki.libvirt.org/page/VNCTLSSetup

These directories should be added to the libvirt AppArmor profile provided by Ubuntu.

Reproducible: 100%

Workaround:

Manually modify the /etc/apparmor.d/abstractions/libvirt-qemu profile

Business concern:

This would affect anybody trying to use the official documentation to enable qemu-vnc

Request:

Modify the libvirt-qemu profile

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libvirt-bin-0.9.2-4ubuntu15.1
Uname: Linux 3.0.0-13-server x86_64
Architecture: N/A

Louis Bouchard (louis)
description: updated
Jamie Strandboge (jdstrand) wrote :

Thanks for your report. Does adding the following to /etc/apparmor.d/abstractions/libvirt-qemu fix the issue for you:
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt/ r,
  /etc/pki/libvirt/* r,
  /etc/pki/libvirt/private/ r,
  /etc/pki/libvirt/private/* r,

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Actually, this might be simpler:
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt/ r,
  /etc/pki/libvirt/** r,

Jamie Strandboge (jdstrand) wrote :

/etc/pki/libvirt/** r, # this assumes there is nothing else in /etc/pki/libvirt besides the files needed by qemu

Poil (poil) wrote :

Adding "/etc/pki/CA/* r, /etc/pki/libvirt/** r," is OK for me.

best regards

Jamie Strandboge (jdstrand) wrote :

Thanks. It is not ideal that we have /etc/pki/libvirt/** since all VMs have read access to each other's pki files, but unless we have svirt support for the different pki files, this is good enough.

Changed in libvirt (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Triaged
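
Added example, not part of the bug report or of libvirt's packaging: a simplified Python model of AppArmor path globbing (only `*` and `**` are handled) that compares the enumerated rules from the first comment with the `/etc/pki/libvirt/**` form, showing what the recursive rule additionally makes readable to every confined qemu process. The sample file names and the `other-service` directory are constructed assumptions.

```python
import re

def rule_to_regex(glob):
    """Translate an AppArmor path glob to a regex (simplified model: * and ** only)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")        # ** crosses directory separators
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")     # * stays inside one path component
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def readable(path, rules):
    """True if any rule in the set grants read access to path."""
    return any(rule_to_regex(r).fullmatch(path) for r in rules)

# Rule sets quoted in the thread, all with 'r' permission.
ENUMERATED = ["/etc/pki/CA/", "/etc/pki/CA/*", "/etc/pki/libvirt/",
              "/etc/pki/libvirt/*", "/etc/pki/libvirt/private/",
              "/etc/pki/libvirt/private/*"]
RECURSIVE = ["/etc/pki/CA/", "/etc/pki/CA/*", "/etc/pki/libvirt/",
             "/etc/pki/libvirt/**"]

# Constructed sample paths; the file names are assumptions, not from the report.
SAMPLES = [
    "/etc/pki/CA/cacert.pem",
    "/etc/pki/libvirt/servercert.pem",
    "/etc/pki/libvirt/private/serverkey.pem",
    "/etc/pki/libvirt/other-service/private/key.pem",  # anything else placed here
    "/etc/pki/CA/private/cakey.pem",                   # CA key stays out of reach
]

def compare(paths=SAMPLES):
    """Return {path: (allowed by ENUMERATED, allowed by RECURSIVE)}."""
    return {p: (readable(p, ENUMERATED), readable(p, RECURSIVE)) for p in paths}

if __name__ == "__main__":
    for path, (enum, rec) in compare().items():
        print(f"{path:50} enumerated={enum!s:5} recursive={rec}")
```

Only the fourth path differs between the two sets, which is the case the `# this assumes there is nothing else in /etc/pki/libvirt` comment is about.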
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.7-2ubuntu8

---------------
libvirt (0.9.7-2ubuntu8) precise; urgency=low

  * debian/apparmor/libvirt-qemu: add /etc/pki/CA/* and /etc/pki/libvirt/**
    (LP: #901272)
 -- Serge Hallyn <email address hidden> Wed, 04 Jan 2012 13:18:50 -0600

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released