2014-12-17 21:23:18 |
Dave Chiluk |
bug |
|
|
added bug |
2014-12-17 21:25:50 |
Dave Chiluk |
bug task added |
|
ceph (Juju Charms Collection) |
|
2014-12-17 21:28:27 |
Jamie Strandboge |
libvirt (Ubuntu): status |
New |
Incomplete |
|
2014-12-17 21:31:34 |
Dave Chiluk |
summary |
Apparmor denies libvirt access to a number of important directories. |
Apparmor denies qemu access to a number of important directories. |
|
2014-12-17 21:38:01 |
Dave Chiluk |
attachment added |
|
xml https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283134/+files/xml |
|
2014-12-17 21:45:33 |
Dave Chiluk |
tags |
amd64 apport-bug trusty uec-images |
amd64 apport-bug cts trusty uec-images |
|
2014-12-17 21:49:39 |
Dave Chiluk |
attachment added |
|
xml https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283152/+files/xml |
|
2014-12-17 21:50:52 |
Dave Chiluk |
attachment removed |
xml https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283134/+files/xml |
|
|
2014-12-17 21:51:42 |
Dave Chiluk |
attachment added |
|
xml.txt https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283154/+files/xml.txt |
|
2014-12-17 21:51:46 |
Dave Chiluk |
attachment added |
|
xml.txt https://bugs.launchpad.net/charms/+source/ceph/+bug/1403648/+attachment/4283155/+files/xml.txt |
|
2014-12-17 22:01:16 |
Jamie Strandboge |
libvirt (Ubuntu): status |
Incomplete |
New |
|
2014-12-19 19:20:28 |
Serge Hallyn |
libvirt (Ubuntu): importance |
Undecided |
High |
|
2014-12-19 19:20:47 |
Serge Hallyn |
libvirt (Ubuntu): status |
New |
Confirmed |
|
2015-01-06 16:04:10 |
Serge Hallyn |
nominated for series |
|
Ubuntu Utopic |
|
2015-01-06 16:04:10 |
Serge Hallyn |
bug task added |
|
libvirt (Ubuntu Utopic) |
|
2015-01-06 16:04:10 |
Serge Hallyn |
nominated for series |
|
Ubuntu Trusty |
|
2015-01-06 16:04:10 |
Serge Hallyn |
bug task added |
|
libvirt (Ubuntu Trusty) |
|
2015-01-06 16:29:02 |
Serge Hallyn |
libvirt (Ubuntu Trusty): importance |
Undecided |
High |
|
2015-01-06 16:29:05 |
Serge Hallyn |
libvirt (Ubuntu Utopic): importance |
Undecided |
High |
|
2015-01-06 17:34:21 |
Launchpad Janitor |
libvirt (Ubuntu): status |
Confirmed |
Fix Released |
|
2015-01-07 16:39:21 |
Dave Chiluk |
description |
Apparmor denies libvirt access to a number of important directories.
syslog.4:Dec 12 17:18:08 nuc2 kernel: [54334.001494] type=1400 audit(1418404688.659:48): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.537222] type=1400 audit(1418404689.195:49): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.745412] type=1400 audit(1418404689.403:50): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.808978] type=1400 audit(1418404689.467:51): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.858862] type=1400 audit(1418404689.515:52): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.909608] type=1400 audit(1418404689.567:53): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 17:18:09 nuc2 kernel: [54334.976979] type=1400 audit(1418404689.635:54): apparmor="DENIED" operation="open" profile="libvirt-64557998-1e6b-43fb-bf6a-7dc9b9c7a660" name="/var/lib/charm/ceph/ceph.conf" pid=23594 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.978163] type=1400 audit(1418408725.790:56): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/var/lib/charm/ceph/ceph.conf" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979670] type=1400 audit(1418408725.790:57): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
syslog.4:Dec 12 18:25:25 nuc2 kernel: [58368.979680] type=1400 audit(1418408725.790:58): apparmor="DENIED" operation="open" profile="libvirt-c2f29087-8453-4441-a27d-716666fcd7a5" name="/var/tmp/" pid=19293 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
In this case the machine was installed using juju and maas. Specific charms in play on this machine are ceph, and nova-compute.
I'm not sure if the juju charms need to be updated or if the libvirt template needs to be updated or something else altogether.
It's important to note that without ceph apparmor still denies access to /tmp and /var/tmp
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libvirt-bin 1.2.2-0ubuntu13.1.7
ProcVersionSignature: User Name 3.13.0-35.62-generic 3.13.11.6
Uname: Linux 3.13.0-35-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Wed Dec 17 21:15:20 2014
KernLog:
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.libvirt.bin: [modified]
modified.conffile..etc.libvirt.libvirtd.conf: [modified]
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
mtime.conffile..etc.default.libvirt.bin: 2014-12-12T02:21:56.792085
mtime.conffile..etc.libvirt.libvirtd.conf: 2014-12-12T02:21:49.403764 |
[Impact]
* Log files become overloaded with apparmor denials when
[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog
[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users, and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development. |
|
2015-01-07 16:39:40 |
Dave Chiluk |
description |
[Impact]
* Log files become overloaded with apparmor denials when
[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog
[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users, and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development. |
[Impact]
* Log files become overloaded with apparmor denials when
[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog
[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development. |
|
2015-01-07 16:40:24 |
Dave Chiluk |
description |
[Impact]
* Log files become overloaded with apparmor denials when
[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog
[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development. |
[Impact]
* Log files become overloaded with apparmor denials when launching large numbers of qemu virtual machines such as the case in an openstack cloud.
[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog
[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access to silence these warnings. Since we don't want to break these users and permitting access to /tmp and /var/tmp is not considered to be a great increase in security risk we will proceed with permissive for the SRU, and restrictive policies going forward for development. |
|
2015-01-07 17:00:41 |
Serge Hallyn |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2015-01-07 17:51:36 |
Chris J Arges |
libvirt (Ubuntu Trusty): status |
New |
Fix Committed |
|
2015-01-07 17:51:40 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2015-01-07 17:51:42 |
Chris J Arges |
tags |
amd64 apport-bug cts trusty uec-images |
amd64 apport-bug cts trusty uec-images verification-needed |
|
2015-01-07 17:54:04 |
Chris J Arges |
libvirt (Ubuntu Utopic): status |
New |
Fix Committed |
|
2015-01-14 16:21:08 |
Dave Chiluk |
tags |
amd64 apport-bug cts trusty uec-images verification-needed |
amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed-utopic |
|
2015-01-14 16:21:26 |
Dave Chiluk |
tags |
amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed-utopic |
amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed |
|
2015-01-14 17:00:42 |
Dave Chiluk |
tags |
amd64 apport-bug cts trusty uec-images verification-done-trusty verification-needed |
amd64 apport-bug cts trusty uec-images verification-done-trusty verification-done-utopic verification-needed |
|
2015-01-14 17:00:51 |
Dave Chiluk |
tags |
amd64 apport-bug cts trusty uec-images verification-done-trusty verification-done-utopic verification-needed |
amd64 apport-bug cts trusty uec-images verification-done verification-done-trusty verification-done-utopic |
|
2015-01-14 17:22:03 |
Dave Chiluk |
libvirt (Ubuntu Trusty): assignee |
|
Dave Chiluk (chiluk) |
|
2015-01-14 17:22:05 |
Dave Chiluk |
libvirt (Ubuntu Utopic): assignee |
|
Dave Chiluk (chiluk) |
|
2015-01-14 17:22:11 |
Dave Chiluk |
libvirt (Ubuntu): assignee |
|
Dave Chiluk (chiluk) |
|
2015-01-14 17:22:15 |
Dave Chiluk |
ceph (Juju Charms Collection): status |
New |
Incomplete |
|
2015-01-14 17:22:22 |
Dave Chiluk |
ceph (Juju Charms Collection): status |
Incomplete |
Invalid |
|
2015-01-14 17:22:32 |
Dave Chiluk |
bug task deleted |
ceph (Juju Charms Collection) |
|
|
2015-01-29 18:46:32 |
Launchpad Janitor |
libvirt (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2015-01-29 18:46:48 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2015-01-30 08:21:44 |
Ante Karamatić |
libvirt (Ubuntu Trusty): status |
Fix Released |
Confirmed |
|
2015-01-30 08:21:49 |
Ante Karamatić |
libvirt (Ubuntu): status |
Fix Released |
Confirmed |
|
2015-01-30 08:21:55 |
Ante Karamatić |
libvirt (Ubuntu Utopic): status |
Fix Committed |
Confirmed |
|
2015-01-30 09:01:37 |
Yoshi Kadokawa |
bug |
|
|
added subscriber Yoshi Kadokawa |
2015-01-30 10:21:44 |
Launchpad Janitor |
libvirt (Ubuntu): status |
Confirmed |
Fix Released |
|
2015-01-30 18:54:11 |
Dave Chiluk |
libvirt (Ubuntu Trusty): status |
Confirmed |
Fix Released |
|
2015-01-30 18:54:22 |
Dave Chiluk |
libvirt (Ubuntu Utopic): status |
Confirmed |
Fix Released |
|