On 2016-10-24 11:08 AM, ChristianEhrhardt wrote:
> Hi,
> unfortunately after a reboot of my host my local reproducibility is gone :-/
>
> I don't know if you could, but I would like to ask if one of you thinks you can verify that in Yakkety or Zesty.
> The way the apparmor rules get created changed in >=Yakkety and since we have to start with the devel releases that is the place to go for the first verification.
> Still, Y&Z are widely the same, so I built for both in a PPA.
>
> I built the suggested fix (along with another one) in https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages.
> It would be great if one of you could test it there.
Thanks for providing this testing PPA. I was able to test the Yakkety
version of your package. With it, I get the following AppArmor messages
(also attached here):
apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=3357 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-UUID" name="/proc/3374/task/3391/comm" pid=3374 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
...
apparmor="DENIED" operation="open" profile="libvirt-UUID" name="/proc/3374/task/3414/comm" pid=3413 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
So while the /dev/zd0 denial was expected, the /proc/$pid/task/$pid/comm
ones were not. To address those, I applied the patch attached.