-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.
On Fri, 5 Jun 2020, Christian Ehrhardt wrote:
> Date: Fri, 05 Jun 2020 05:34:26 -0000
> From: Christian Ehrhardt <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1881969] Re: apparmor profile for libvirtd/libvirt-daemon needs
> fixing
>
> Hmm,
> virt-manager can still set up a lot of different guest configurations.
> I've been using virt-manager guests as well and they don't show this.
>
> You said you see these messages after a reboot on auto-start.
> Can you try to un-break this a bit.
>
> For example:
> a) disable auto-starting the guests, does the libvirtd daemon still trigger the denial at reboot?
All guests are disabled, and I verified none of them were started after
rebooting the physical host, still on the physical host I got:
audit: type=1400 audit(1591342993.302:33): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=17 capname="sys_rawio"
[ 120.450546] audit: type=1400 audit(1591342993.312:34): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
[ 120.491737] audit: type=1400 audit(1591342993.352:35): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
[ 120.947173] audit: type=1400 audit(1591342993.802:36): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
[ 121.039929] audit: type=1400 audit(1591342993.902:37): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=17 capname="sys_rawio"
> b) if (a) didn't trigger it, then does it happen once you start the guests?
After starting guests, I got two additional messages for each guest:
[ 379.820259] audit: type=1400 audit(1591343252.681:51): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-deead97e-a18c-4643-a345-c8f43fe2d64d" pid=34595 comm="apparmor_parser"
[ 379.823200] audit: type=1400 audit(1591343252.681:52): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
> c) did you made any changes to /etc/libvirt/*?
No
> d) if (b) is true does it happen for all the guests?
Yes
> e) since the other bug report mentions scsi disks, does your host or guest setup use scsi (or other less common disks)?
I am using a RAID10 array of SCSI disks (WD Black 4GB x 4) for the
partition /var/lib/libvirt is on and a WD black 2GB for root partition.
> f) if you find a particular guest that triggers it, could you share the guest xml definition?
They all trigger it regardless of configuration or guest OS.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1881969
>
> Title:
> apparmor profile for libvirtd/libvirt-daemon needs fixing
>
> Status in libvirt package in Ubuntu:
> Incomplete
> Status in libvirt package in Debian:
> Incomplete
>
> Bug description:
> Libvirtd is trying to use a capability being denied it by apparmor.
>
> [474656.842239] audit: type=1400 audit(1591211959.677:101):
> apparmor="DENIED" operation="capable" profile="libvirtd" pid=3393444
> comm="libvirtd" capability=17 capname="sys_rawio"
>
> ProblemType: Bug
> DistroRelease: Ubuntu 20.04
> Package: libvirt-daemon 6.0.0-0ubuntu8.1
> Uname: Linux 5.6.0 x86_64
> ApportVersion: 2.20.11-0ubuntu27.2
> Architecture: amd64
> CasperMD5CheckResult: skip
> CurrentDesktop: MATE
> Date: Wed Jun 3 14:01:30 2020
> InstallationDate: Installed on 2017-05-27 (1103 days ago)
> InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Release amd64 (20170412)
> SourcePackage: libvirt
> UpgradeStatus: Upgraded to focal on 2020-04-26 (38 days ago)
> modified.conffile..etc.libvirt.nwfilter.allow-arp.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.allow-dhcp-server.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.allow-dhcp.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.allow-incoming-ipv4.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.allow-ipv4.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.clean-traffic-gateway.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.clean-traffic.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-arp-ip-spoofing.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-arp-mac-spoofing.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-arp-spoofing.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-ip-multicast.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-ip-spoofing.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-mac-broadcast.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-mac-spoofing.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-other-l2-traffic.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.no-other-rarp-traffic.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.qemu-announce-self-rarp.xml: [modified]
> modified.conffile..etc.libvirt.nwfilter.qemu-announce-self.xml: [modified]
> modified.conffile..etc.libvirt.qemu.networks.default.xml: [modified]
> mtime.conffile..etc.libvirt.nwfilter.allow-arp.xml: 2017-05-27T04:38:59.454073
> mtime.conffile..etc.libvirt.nwfilter.allow-dhcp-server.xml: 2017-05-27T04:38:58.894071
> mtime.conffile..etc.libvirt.nwfilter.allow-dhcp.xml: 2017-05-27T04:38:58.990072
> mtime.conffile..etc.libvirt.nwfilter.allow-incoming-ipv4.xml: 2017-05-27T04:38:59.714073
> mtime.conffile..etc.libvirt.nwfilter.allow-ipv4.xml: 2017-05-27T04:38:59.522073
> mtime.conffile..etc.libvirt.nwfilter.clean-traffic-gateway.xml: 2018-10-27T01:48:21.872648
> mtime.conffile..etc.libvirt.nwfilter.clean-traffic.xml: 2017-05-27T04:38:59.582073
> mtime.conffile..etc.libvirt.nwfilter.no-arp-ip-spoofing.xml: 2017-05-27T04:38:58.942071
> mtime.conffile..etc.libvirt.nwfilter.no-arp-mac-spoofing.xml: 2017-05-27T04:38:59.870074
> mtime.conffile..etc.libvirt.nwfilter.no-arp-spoofing.xml: 2017-05-27T04:38:59.818074
> mtime.conffile..etc.libvirt.nwfilter.no-ip-multicast.xml: 2017-05-27T04:38:59.110072
> mtime.conffile..etc.libvirt.nwfilter.no-ip-spoofing.xml: 2017-05-27T04:38:59.178072
> mtime.conffile..etc.libvirt.nwfilter.no-mac-broadcast.xml: 2017-05-27T04:38:59.774074
> mtime.conffile..etc.libvirt.nwfilter.no-mac-spoofing.xml: 2017-05-27T04:38:59.254072
> mtime.conffile..etc.libvirt.nwfilter.no-other-l2-traffic.xml: 2017-05-27T04:38:59.394073
> mtime.conffile..etc.libvirt.nwfilter.no-other-rarp-traffic.xml: 2017-05-27T04:38:59.646073
> mtime.conffile..etc.libvirt.nwfilter.qemu-announce-self-rarp.xml: 2017-05-27T04:38:59.050072
> mtime.conffile..etc.libvirt.nwfilter.qemu-announce-self.xml: 2017-05-27T04:38:59.322073
> mtime.conffile..etc.libvirt.qemu.networks.default.xml: 2017-05-27T04:38:58.478070
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1881969/+subscriptions
>
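The denials quoted in this reply are kernel audit records (type=1400) that AppArmor emits when a confined process asks for a capability its profile does not grant. What a practitioner triaging such a report wants is to parse those lines, decode the numeric capability field against the kernel's capability table (10 is CAP_NET_BIND_SERVICE, 17 is CAP_SYS_RAWIO, which matches the capname fields above), and tally which profile is being denied what. The script below is an added example for that step; it is not code from the bug thread, from libvirt or from the AppArmor project. The capability table follows include/uapi/linux/capability.h; the sample dmesg lines are constructed from the records quoted in this message; the function names (parse_audit_line, summarize_capability_denials, profile_rules) are the example's own.

```python
import re
from collections import Counter

# Capability numbers as defined in include/uapi/linux/capability.h (Linux 5.9+).
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read", 38: "perfmon", 39: "bpf",
    40: "checkpoint_restore",
}

# Constructed sample, modelled on the dmesg records quoted in the bug thread.
SAMPLE_DMESG = """\
[  120.450546] audit: type=1400 audit(1591342993.312:34): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
[  120.491737] audit: type=1400 audit(1591342993.352:35): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
[  121.039929] audit: type=1400 audit(1591342993.902:37): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=17 capname="sys_rawio"
[  379.820259] audit: type=1400 audit(1591343252.681:51): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-deead97e-a18c-4643-a345-c8f43fe2d64d" pid=34595 comm="apparmor_parser"
[  379.823200] audit: type=1400 audit(1591343252.681:52): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2140 comm="libvirtd" capability=10 capname="net_bind_service"
"""

# key=value pairs: a quoted value may contain spaces, an unquoted one cannot.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUDIT_ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_audit_line(line):
    """Parse one dmesg/journal line carrying an AppArmor audit record.

    Returns the record's key=value fields (quotes stripped) plus 'time' and
    'serial' taken from the audit(...) stamp, or None for other lines.
    """
    if "apparmor=" not in line:
        return None
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    if m:
        rec["time"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    return rec


def summarize_capability_denials(lines):
    """Count apparmor="DENIED" operation="capable" records per (profile, capability).

    The capability is decoded from the numeric field and cross-checked against
    capname when the record carries one, so a truncated record still decodes
    and an edited or inconsistent one is rejected rather than miscounted.
    """
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "capable":
            continue
        if "capability" not in rec:
            continue
        num = int(rec["capability"])
        decoded = CAP_NAMES.get(num, f"cap_{num}")
        name = rec.get("capname", decoded)
        if name != decoded:
            raise ValueError(f"serial {rec.get('serial')}: capability={num} is {decoded!r}, record says {name!r}")
        counts[(rec["profile"], name)] += 1
    return dict(counts)


def profile_rules(counts):
    """Render the AppArmor rule that would silence each denied capability.

    These are candidates for review, not a fix: sys_rawio in particular allows
    raw block-device and I/O-port access, so establish why the daemon asks for
    it before putting the line into a local profile override.
    """
    return sorted({f"capability {name}," for (_profile, name) in counts})


if __name__ == "__main__":
    found = summarize_capability_denials(SAMPLE_DMESG.splitlines())
    for (profile, cap), n in sorted(found.items()):
        print(f"{profile}: {cap} denied {n}x")
    print("\n".join(profile_rules(found)))
```

On a live host, feed the output of `journalctl -k` or `dmesg` to summarize_capability_denials instead of the sample. If a rule is judged legitimate, it belongs in /etc/apparmor.d/local/usr.sbin.libvirtd (which the Ubuntu libvirtd profile includes) followed by `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd`; the per-guest `libvirt-<uuid>` profiles seen in the STATUS records are generated by virt-aa-helper and are a separate matter from the daemon's own profile. Granting a capability only because a denial was logged is exactly the shortcut the thread's questions (a) to (f) are meant to avoid: the point of the triage is to learn which code path asks for it.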