apparmor disallows qemu+tcp:// connections
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libvirt (Ubuntu) | Fix Released | Low | Jamie Strandboge | |
Karmic | Fix Released | Low | Jamie Strandboge | |
Lucid | Fix Released | Low | Jamie Strandboge | |
Bug Description
TEST CASE:
1. adjust /etc/libvirt/
listen_tls = 0
listen_tcp = 1
2. Restart libvirt in listen mode:
$ sudo /etc/init.
$ sudo libvirtd -d --listen
3. see if it worked:
$ virsh -c qemu+tcp:
Please enter your authentication name:
If you are prompted for authentication in step #3, then everything is fine (can't authenticate because we haven't set up SASL).
Currently get the following output from libvirtd in step #2:
14:48:14.916: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
14:48:15.005: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
14:48:15.017: error : remoteMakeSocke
And in dmesg:
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438021] type=1503 audit(125665489
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438093] type=1503 audit(125665489
Need to add the following to the profile:
network inet6 stream,
network inet6 dgram,
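
The following is an added example, not part of the original bug report or of the libvirt packaging: a small Python check that reports which of the two rules named above are missing from a profile. The profile excerpts are constructed, and the parser only handles rules of the form "network [family] [type]," with optional audit/allow/deny qualifiers (an assumption made for brevity).

```python
import re

# Matches "network,", "network inet6,", "network inet6 stream," and the
# same forms prefixed by audit/allow/deny. Protocol-style rules are ignored.
RULE = re.compile(
    r"^\s*(?:audit\s+)?(?:(deny)\s+|allow\s+)?network(?:\s+(\w+))?(?:\s+(\w+))?\s*,"
)

def network_rules(profile_text):
    """Return (is_deny, family, sock_type) tuples; None means 'any'."""
    rules = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments and #include lines
        m = RULE.match(line)
        if m:
            rules.append((m.group(1) is not None, m.group(2), m.group(3)))
    return rules

def allows(profile_text, family, sock_type):
    """True if an allow rule covers the socket and no deny rule does."""
    allowed = False
    for is_deny, fam, typ in network_rules(profile_text):
        if fam in (None, family) and typ in (None, sock_type):
            if is_deny:
                return False  # deny rules take precedence over allow rules
            allowed = True
    return allowed

def missing(profile_text, needed):
    """List the rule lines that would have to be added to the profile."""
    return [f"network {f} {t}," for f, t in needed if not allows(profile_text, f, t)]

# The two socket kinds the bug report says the profile must permit.
NEEDED = [("inet6", "stream"), ("inet6", "dgram")]

# Constructed excerpts, not the real usr.sbin.libvirtd profile.
BEFORE = """/usr/sbin/libvirtd {
  network inet stream,
  network inet dgram,
}"""
AFTER = BEFORE.replace("}", "  network inet6 stream,\n  network inet6 dgram,\n}")

if __name__ == "__main__":
    print("before:", missing(BEFORE, NEEDED))
    print("after: ", missing(AFTER, NEEDED))
```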
description: updated
tags: added: apparmor
Changed in libvirt (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → karmic-updates
status: New → In Progress
Changed in libvirt (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in libvirt (Ubuntu Lucid):
milestone: karmic-updates → none
tags: added: verification-done; removed: verification-needed
SRU
Impact: qemu+tcp:// connections no longer work
Bug is addressed in Lucid by adding 'inet dgram6' and 'inet6 stream' to the usr.sbin.libvirtd profile
See description
The regression potential is considered extremely low. It only allows additional access that the profile previously denied.