AppArmor Regression #1236455 by #1298611
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
linux (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Kernel 3.13.0-21.43 and later on Trusty are affected.
It may be because 3.13.0-21.43 reverts the #1236455 fix.
linux (3.13.0-21.43) trusty; urgency=low
[ John Johansen ]
* Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
* Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
* Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
policy"
* Revert "SAUCE: apparmor: allocate path lookup buffers during init"
* Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
connection"
* Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
* SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
- LP: #1298611
linux (3.13.0-2.17) trusty; urgency=low
[ John Johansen ]
* SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
* SAUCE: apparmor: fix unix domain sockets to be mediated on connection
- LP: #1208988
* SAUCE: apparmor: allocate path lookup buffers during init
- LP: #1208988
* SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
- LP: #1236455
I've observed AppArmor policy updates failing with libvirt, qemu and vagrant.
vagrant asks libvirt to create a vmimage backed by another qcow2 image that is located in another directory.
virt-aa-helper should add it but fails.
/etc/apparmor.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/
"/var/
"/var/
"/run/
"/var/
"/run/
"/home/
"/home/
"/home/
/var/log/
Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(140218717
Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(140218717
Jun 8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(140218717
Running
sudo aa-complain /usr/lib/
solves the problem. After running the above command, I get the following:
/etc/apparmor.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/
"/var/
"/var/
"/run/
"/var/
"/run/
"/home/
"/home/
# don't audit writes to readonly files
deny "/home/
"/home/
"/home/
virt-aa-helper generates the policy rule and it is reloaded properly.
The observation tells us that the policy in /etc/apparmor.
@{HOME}/** r,
/**.img r,
is not working and fails to update the libvirt policy.
This behavior is the same as #1236455.
---
ApportVersion: 2.14.1-0ubuntu3
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1392 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelMo
Package: linux
PackageArchitec
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=ja_JP.utf8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=
ProcVersionSign
Syslog:
Tags: qiana third-party-
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (48 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True
---
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1393 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelMo
Package: linux
PackageArchitec
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=ja_JP.utf8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=
ProcVersionSign
Syslog:
Jun 8 14:16:36 tuna dbus[701]: [system] AppArmor D-Bus mediation is enabled
Jun 8 14:23:20 tuna dbus[682]: [system] AppArmor D-Bus mediation is enabled
Jun 8 14:27:28 tuna dbus[684]: [system] AppArmor D-Bus mediation is enabled
Jun 8 14:30:27 tuna dbus[697]: [system] AppArmor D-Bus mediation is enabled
Tags: qiana third-party-
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (49 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True
affects: linux → linux (Ubuntu)
description: updated
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu):
status: Incomplete → Fix Released
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1327687
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.