dnsmasq profile doesn't work with libvirt

Bug #697239 reported by Jamie Strandboge on 2011-01-04
Affects: apparmor (Ubuntu). Assigned to: Jamie Strandboge.

Bug Description

Binary package hint: apparmor

Using the usr.sbin.dnsmasq profile from apparmor-profiles with libvirt 0.8.5-0ubuntu4 in natty results in:

type=AVC msg=audit(1294150411.482:27): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/libvirt/network/default.pid" pid=2319 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

The following should be added to the dnsmasq profile:
  /var/run/libvirt/network/ r,
  /var/run/libvirt/network/*.pid rw,

Also need to add capability net_admin. NET_ADMIN is required for use as a DHCP server. capability net_raw and 'network inet raw' are also needed for ICMP ping checks when used as a DHCP server. See the FAQ in the dnsmasq source for details.
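To make denials like the one above actionable, here is an added example (it is not part of the bug report, nor the apparmor project's own aa-logprof tool): a small Python script that turns AppArmor DENIED audit records into the profile rules that would permit them. The first sample record is the one quoted above; the capability and raw-socket records are constructed here in the same audit format to cover the other two rule types this report asks for.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the denial quoted in this bug
# report; the other two are constructed in the same audit format to show the
# capability and raw-socket denials the report also describes.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1294150411.482:27): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/libvirt/network/default.pid" '
    'pid=2319 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0\n'
    'type=AVC msg=audit(1294150412.100:28): apparmor="DENIED" operation="capable" '
    'parent=1 profile="/usr/sbin/dnsmasq" pid=2319 comm="dnsmasq" capname="net_admin"\n'
    'type=AVC msg=audit(1294150413.200:29): apparmor="DENIED" operation="create" '
    'parent=1 profile="/usr/sbin/dnsmasq" pid=2319 comm="dnsmasq" family="inet" '
    'sock_type="raw" protocol=1\n'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Audit masks use 'c' (create) and 'd' (delete); profile syntax folds both into 'w'.
MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "l": "l", "k": "k", "m": "m"}
PERM_ORDER = "rwalkm"

def parse_audit_line(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def rule_for(fields):
    """Map one DENIED record to the profile rule that would permit it, else None."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable" and "capname" in fields:
        return f"capability {fields['capname']},"
    if "family" in fields and "sock_type" in fields:
        return f"network {fields['family']} {fields['sock_type']},"
    if "name" in fields and "denied_mask" in fields:
        wanted = {MASK_MAP[c] for c in fields["denied_mask"] if c in MASK_MAP}
        perms = "".join(c for c in PERM_ORDER if c in wanted)
        return f"{fields['name']} {perms}," if perms else None
    return None

def suggest_rules(audit_text):
    """Group suggested rules by profile, de-duplicated and in stable order."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        fields = parse_audit_line(line)
        rule = rule_for(fields)
        if rule and "profile" in fields:
            rules[fields["profile"]].add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}
```

Unlike aa-logprof, this emits the exact denied path rather than offering globs such as the `/var/run/libvirt/network/*.pid` rule proposed in the report; generalising the path is left to the reviewer.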

Changed in apparmor (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → natty-alpha-2
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu):
milestone: natty-alpha-2 → natty-alpha-3
description: updated

On Tue, Jan 04, 2011 at 07:03:41PM -0000, Jamie Strandboge wrote:
> + Also need to add capability net_admin. NET_ADMIN is required for using
> + as a DHCP server. May need to add net_raw later for ICMP ping checks.
> + See the FAQ in the dnsmasq source for details.

I haven't seemed to need net_raw when using dnsmasq as a dhcp server;
however, when enabling the tftpd server functionality, I did need to add
the net_bind_service capability.

Also for supporting the latter, a tunable/dnsmasq containing a definition
for @{TFTPROOT} and adding:

  @{TFTPROOT}/ r,
  @{TFTPROOT}/** r,

may be useful.

If the default configuration file is to be believed, the default
tftp-root is /var/ftpd (I use a non-standard location locally).

Steve Beattie
<email address hidden>

description: updated
Jamie Strandboge (jdstrand) wrote:

Based on the FAQ, you won't need net_raw if you use --no-ping, but I needed it here when firing up several VMs. I wonder if dnsmasq only pings if the client seems slow? In launching 5 VMs (dapper - maverick), I only got one net_raw denial.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released