Activity log for bug #1327687

Date Who What changed Old value New value Message
2014-06-08 01:42:53 Hiroshi Miura bug added bug
2014-06-08 01:43:42 Hiroshi Miura bug task added linux
2014-06-08 02:03:37 Hiroshi Miura affects linux linux (Ubuntu)
2014-06-08 02:06:09 Hiroshi Miura description

Old value:

Affected on kernel 3.13.0-21.43 and later on Trusty. Because 3.13.0-21.43 reverts the #1236455 fix.

linux (3.13.0-21.43) trusty; urgency=low

  [ John Johansen ]

  * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
  * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
  * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
    policy"
  * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
  * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
    connection"
  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
  * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
    - LP: #1298611

linux (3.13.0-2.17) trusty; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
    - LP: #1236455

I've observed a failure of the AppArmor policy update with libvirt, qemu and vagrant.

vagrant asks libvirt to create a vmimage backing with another qcow2 image that is located in another directory. virt-aa-helper should add it but fails.

/etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:

  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
  "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
  "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
  "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

/var/log/libivrt/libvirtd.log:

  Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun 8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118

Running

  sudo aa-complain /usr/lib/libvirt/virt-aa-helper

solves the problem. After running the above command, I get the following:

/etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:

  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
  "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
  "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
  "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
  "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
  # don't audit writes to readonly files
  deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

virt-aa-helper generates the policy rule and it is reloaded properly.

The observation tells us that the policy in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:

  @{HOME}/** r,
  /**.img r,

is not working and fails to update the libvirt policy.

This behavior is the same as #1236455.

New value:

Affected on kernel 3.13.0-21.43 and later on Trusty. It may be because 3.13.0-21.43 reverts the #1236455 fix.
2014-06-08 02:30:10 Brad Figg linux (Ubuntu): status New Incomplete
2014-06-08 02:33:16 Hiroshi Miura tags apport-collected qiana third-party-packages
2014-06-08 02:33:18 Hiroshi Miura description

---
ApportVersion: 2.14.1-0ubuntu3
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1392 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelModules: nvidia
Package: linux
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=ja_JP.utf8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Syslog:
Tags: qiana third-party-packages
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (48 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True
2014-06-08 02:33:20 Hiroshi Miura attachment added ApparmorPackages.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127452/+files/ApparmorPackages.txt
2014-06-08 02:33:22 Hiroshi Miura attachment added ApparmorStatusOutput.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127453/+files/ApparmorStatusOutput.txt
2014-06-08 02:33:24 Hiroshi Miura attachment added Dependencies.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127454/+files/Dependencies.txt
2014-06-08 02:33:27 Hiroshi Miura attachment added KernLog.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127455/+files/KernLog.txt
2014-06-08 02:33:29 Hiroshi Miura attachment added PstreeP.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127456/+files/PstreeP.txt
2014-06-08 08:23:22 Hiroshi Miura description

---
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1393 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelModules: nvidia
Package: linux
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=ja_JP.utf8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
Syslog:
 Jun 8 14:16:36 tuna dbus[701]: [system] AppArmor D-Bus mediation is enabled
 Jun 8 14:23:20 tuna dbus[682]: [system] AppArmor D-Bus mediation is enabled
 Jun 8 14:27:28 tuna dbus[684]: [system] AppArmor D-Bus mediation is enabled
 Jun 8 14:30:27 tuna dbus[697]: [system] AppArmor D-Bus mediation is enabled
Tags: qiana third-party-packages
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (49 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True
2014-06-08 08:23:24 Hiroshi Miura attachment added ApparmorPackages.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127558/+files/ApparmorPackages.txt
2014-06-08 08:23:26 Hiroshi Miura attachment added ApparmorStatusOutput.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127559/+files/ApparmorStatusOutput.txt
2014-06-08 08:23:29 Hiroshi Miura attachment added Dependencies.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127560/+files/Dependencies.txt
2014-06-08 08:23:32 Hiroshi Miura attachment added KernLog.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127561/+files/KernLog.txt
2014-06-08 08:23:35 Hiroshi Miura attachment added PstreeP.txt https://bugs.launchpad.net/bugs/1327687/+attachment/4127562/+files/PstreeP.txt
2014-06-13 20:59:01 Joseph Salisbury linux (Ubuntu): importance Undecided Medium
2014-10-09 20:25:10 Jamie Strandboge apparmor (Ubuntu): status New Fix Released
2014-10-09 20:25:14 Jamie Strandboge linux (Ubuntu): status Incomplete Fix Released