dnsmasq profile doesn't work with libvirt

Bug #697239 reported by Jamie Strandboge
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

Using the usr.sbin.dnsmasq profile from apparmor-profiles with libvirt 0.8.5-0ubuntu4 in natty results in:

type=AVC msg=audit(1294150411.482:27): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/libvirt/network/default.pid" pid=2319 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

The following should be added to the dnsmasq profile:
  /var/run/libvirt/network/ r,
  /var/run/libvirt/network/*.pid rw,

Also need to add capability net_admin. NET_ADMIN is required for use as a DHCP server. capability net_raw and 'network inet raw' are also needed for ICMP ping checks when used as a DHCP server. See the FAQ in the dnsmasq source for details.
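The AVC line above is the kind of record a profile maintainer reads to work out which rule is missing. The script below is an added example (not part of this bug report or of the apparmor package) that parses AppArmor "DENIED" audit lines and prints the candidate profile rule for each denial: a file rule from name and denied_mask, a capability rule from capname, or a network rule from family and sock_type. The first sample line is the one from this report; the capability, network and STATUS lines are constructed to show the other record shapes. Note that it only reports what was actually denied (here a single "w" on default.pid); generalizing that to the /var/run/libvirt/network/*.pid rw rule proposed above is still a human decision.

```python
import re

# key=value pairs in an AppArmor audit record; values may be quoted or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical output order for AppArmor file permission letters.
_ORDER = "rwaxmkl"

# denied_mask letters -> profile permission letters. Create ('c') and
# delete ('d') are both granted by 'w' in profile syntax.
_MASK_MAP = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
             "x": "x", "m": "m", "k": "k", "l": "l"}

# Sample input: line 0 is the denial quoted in this bug; lines 1-3 are
# constructed to exercise the capability, network and non-denial paths.
SAMPLE_LOG = [
    'type=AVC msg=audit(1294150411.482:27): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/libvirt/network/default.pid" '
    'pid=2319 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    'type=AVC msg=audit(1294150500.100:31): apparmor="DENIED" operation="capable" '
    'parent=1 profile="/usr/sbin/dnsmasq" pid=2319 comm="dnsmasq" '
    'capability=12 capname="net_admin"',
    'type=AVC msg=audit(1294150501.200:32): apparmor="DENIED" operation="create" '
    'parent=1 profile="/usr/sbin/dnsmasq" pid=2319 comm="dnsmasq" '
    'family="inet" sock_type="raw" protocol=1',
    'type=AVC msg=audit(1294150300.000:20): apparmor="STATUS" operation="profile_replace" '
    'name="/usr/sbin/dnsmasq" pid=2300 comm="apparmor_parser"',
]


def parse_avc(line):
    """Return the fields of one AppArmor DENIED audit line as a dict,
    or None if the line is not an AppArmor denial."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rule(fields):
    """Translate one parsed denial into the profile rule that would allow it."""
    if fields.get("operation") == "capable" and "capname" in fields:
        return f'capability {fields["capname"]},'
    if "family" in fields and "sock_type" in fields:
        return f'network {fields["family"]} {fields["sock_type"]},'
    if "name" in fields and "denied_mask" in fields:
        wanted = {_MASK_MAP[c] for c in fields["denied_mask"] if c in _MASK_MAP}
        perms = "".join(c for c in _ORDER if c in wanted)
        return f'{fields["name"]} {perms},'
    return None


def suggest_rules(lines):
    """Group candidate rules by confined profile; duplicates are collapsed."""
    by_profile = {}
    for line in lines:
        fields = parse_avc(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule is None:
            continue
        by_profile.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"{profile} {{")
        for rule in rules:
            print(f"  {rule}")
        print("}")
```

Feed it real data with `sudo journalctl -k | grep 'apparmor="DENIED"'` or the audit log; the output is a starting point for review, not something to paste into a profile unread, since a denial of a single pid file may call for a glob and a capability denial may instead point at a configuration option (see the --no-ping discussion below).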

Changed in apparmor (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → natty-alpha-2
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu):
milestone: natty-alpha-2 → natty-alpha-3
description: updated
Steve Beattie (sbeattie) wrote: Re: [Bug 697239] Re: dnsmasq profile doesn't work with libvirt

On Tue, Jan 04, 2011 at 07:03:41PM -0000, Jamie Strandboge wrote:
> + Also need to add capability net_admin. NET_ADMIN is required for using
> + as a DHCP server. May need to add net_raw later for ICMP ping checks.
> + See the FAQ in the dnsmasq source for details.

I haven't seemed to need net_raw when using dnsmasq as a dhcp server;
however, when enabling the tftpd server functionality, I did need to add
the net_bind_service capability.

Also for supporting the latter, a tunable/dnsmasq containing a definition
for @{TFTPROOT} and adding:

  @{TFTPROOT}/ r,
  @{TFTPROOT}/** r,

may be useful.

If the default configuration file is to be believed, the default
tftp-root is /var/ftpd (I use a non-standard location locally).

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

description: updated
Jamie Strandboge (jdstrand) wrote:

Based on the FAQ, you won't need net_raw if you use --no-ping, but I needed it here when firing up several VMs. I wonder if dnsmasq only pings if the client seems slow? In launching 5 VMs (dapper - maverick), I only got one net_raw denial.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

---------------
apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
      server
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released