apparmor prevents libvirt-vnc certificate from being read

Bug #484562 reported by Bryan McLellan
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Fix Released
Jamie Strandboge
Won't Fix
Fix Released
Jamie Strandboge

Bug Description

libvirt + kvm need to be able to read the certificates when using TLS to connect to VNC.

Nov 17 17:08:09 lasvirt01 kernel: [69476.008895] type=1503 audit(1258506489.178:77): operation="open" pid=17104 parent=1 profile="libvirt-600d5dae-6373-107e-5f1b-5010aff3ffed" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/pki/libvirt-vnc/ca-cert.pem"

libvirt 0.7.0-1ubuntu13.1
kvm 1:84+dfsg-0ubuntu16+0.11.0+0ubuntu6.3
apparmor 2.3.1+1403-0ubuntu27.2

Add "/etc/pki/libvirt-vnc/** r," to "/etc/apparmor.d/abstractions/libvirt-qemu"

Tags: apparmor
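
As an added example (not part of the original report, and not code from libvirt or AppArmor): a small Python parser for the type=1503 denial quoted above that derives the profile rule needed to permit it, and shows the per-file alternative to the directory glob used in the fix. The handling of the "r::" mask format, the extra sample log lines and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Line 1 is the denial quoted in this bug report. Lines 2 and 3 are constructed
# for this example: a second denied file in the same directory, and a non-audit line.
SAMPLE_LOG = """\
Nov 17 17:08:09 lasvirt01 kernel: [69476.008895] type=1503 audit(1258506489.178:77): operation="open" pid=17104 parent=1 profile="libvirt-600d5dae-6373-107e-5f1b-5010aff3ffed" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/pki/libvirt-vnc/ca-cert.pem"
Nov 17 17:08:09 lasvirt01 kernel: [69476.009120] type=1503 audit(1258506489.178:78): operation="open" pid=17104 parent=1 profile="libvirt-600d5dae-6373-107e-5f1b-5010aff3ffed" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/pki/libvirt-vnc/server-cert.pem"
Nov 17 17:08:10 lasvirt01 kernel: [69477.100000] device vnet0 entered promiscuous mode
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GUEST_PROFILE = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
ABSTRACTION = "/etc/apparmor.d/abstractions/libvirt-qemu"  # file named in the report


def parse_denial(line):
    """Return the key/value fields of a type=1503 AppArmor denial, else None."""
    if "type=1503 " not in line or "denied_mask=" not in line:
        return None
    return {k: (q if q else b) for k, q, b in FIELD.findall(line)}


def perms(mask):
    """Collapse a mask such as "r::" to its permission letters (assumed format)."""
    return "".join(sorted(set(mask.replace(":", ""))))


def suggest_rules(log_text, glob_dirs=True):
    """Map each target file to the rules that would permit the logged denials."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if not d or "name" not in d or "profile" not in d:
            continue
        # Per-guest profiles are generated, so the rule goes in the shared abstraction.
        target = ABSTRACTION if GUEST_PROFILE.match(d["profile"]) else d["profile"]
        # The glob form is broader than per-file rules; the report's fix uses it.
        path = dirname(d["name"]) + "/**" if glob_dirs else d["name"]
        wanted[(target, path)].update(perms(d["denied_mask"]))
    rules = defaultdict(list)
    for (target, path), p in sorted(wanted.items()):
        rules[target].append(f"{path} {''.join(sorted(p))},")
    return dict(rules)
```

Calling suggest_rules(SAMPLE_LOG) yields the rule given in the report for the libvirt-qemu abstraction; glob_dirs=False lists one read rule per denied file instead, which grants less than the directory glob.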

Chuck Short (zulcss)
tags: added: apparmor
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → karmic-updates
status: New → Triaged
Changed in libvirt (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
milestone: none → karmic-updates
status: New → Triaged
Changed in libvirt (Ubuntu Lucid):
milestone: karmic-updates → none
importance: Low → Medium
Changed in libvirt (Ubuntu Lucid):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.2-4ubuntu1

libvirt (0.7.2-4ubuntu1) lucid; urgency=low

  * Merge from debian testing. Remaining changes:
    - debian/control:
      + Don't build-depend on QEmu
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Recommends qemu-kvm (>= 0.11.0-0ubuntu6)
      + Add versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg,
        since we used to ship them as such
      + We call libxen-dev libxen3-dev, so change all references
      + Build-Depends on libxml2-utils
      + Build-Depends on open-iscsi-utils instead of open-iscsi due to
        LP: #414986
    - debian/postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
    - debian/libvirt-bin.postrm: rename the libvirt group to libvirtd
    - debian/rules: add DEB_MAKE_CHECK_TARGET := check
    - debian/patches/900[0-7]: updated/refreshed for new paths in 0.7.2
    - debian/patches/series: don't apply 0002-qemu-disable-network.diff.patch
    - AppArmor integration:
      + debian/control: Build-Depends on libapparmor-dev and Suggests
        apparmor (>= 2.3+1289-0ubuntu14)
      + debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
        /etc/apparmor.d/force-complain, /etc/apparmor.d/libvirt,
        /etc/cron.daily and /usr/share/apport/package-hooks
      + add debian/libvirt-bin.cron.daily (LP: #438165)
      + add debian/libvirt-bin.apport
      + debian/libvirt-bin.install: install apparmor profiles, abstractions
        and apport hook
      + debian/postinst: reload apparmor profiles
      + debian/libvirt-bin.postrm: remove apparmor symlinks on purge
      + debian/libvirt-bin.preinst: added to force complain on certain
      + debian/README.Debian: add AppArmor section based on the upstream
      + debian/rules: use --with-apparmor and copy apparmor and apport hook to
    - Dropped the following patches now included upstream:
      + 0005-Close-logfile-fd-after-spawning-qemu.patch
      + 9090-reenable-nonfile-labels.patch
      + 9091-apparmor.patch
      + 9092-apparmor-autoreconf.patch
  * AppArmor integration updates:
    - debian/apparmor/usr.sbin.libvirtd: allow libvirtd access to
      /usr/lib/libvirt/* (LP: #480478)
    - debian/apparmor/libvirt-qemu: allow guests access to
      /etc/pki/libvirt-vnc/** (LP: #484562)
    - debian/libvirt-bin.postinst: 0.7.2 moved /usr/bin/virt-aa-helper to
      /usr/lib/libvirt, so the profile changed from usr.bin.virt-aa-helper
      to usr.lib.libvirt.virt-aa-helper and needs to be migrated. If the user
      made no changes to the old profile, remove it, otherwise, update the
      paths, preserving the shipped usr.lib.libvirt.virt-aa-helper
    - update to 0.7.4 version of the sVirt AppArmor driver (can be dropped in
      + debian/patches/9008-apparmor-caps-mockup.patch
      + debian/patches/9009-apparmor-lp453335.patch
      + debian/patches/9010-apparmor-lp460271.patch
      + debian/patches/9011-apparmor-code-cleanups.patch
    - add virt-aa-helper-test and examples/appar...


Changed in libvirt (Ubuntu Lucid):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Unmilestoning and unassigning myself for the 9.10 task. I don't have time to prepare/test/follow through on an SRU for this, especially since there is an easy workaround. If someone else is inclined to take the lead on an SRU for this, feel free to do so.

Changed in libvirt (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
milestone: karmic-updates → none
Rolf Leggewie (r0lf) wrote :

karmic has seen the end of its life and is no longer receiving any updates. Marking the karmic task for this ticket as 'Won't Fix'.

Changed in libvirt (Ubuntu Karmic):
status: Triaged → Won't Fix