apparmor prevents libvirt-vnc certificate from being read

Bug #484562 reported by Bryan McLellan on 2009-11-18
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
libvirt (Ubuntu) | | Medium | Jamie Strandboge |
Karmic | | Medium | Unassigned |
Lucid | | Medium | Jamie Strandboge |

Bug Description

libvirt + kvm need to be able to read the certificates when using TLS to connect to VNC.

Nov 17 17:08:09 lasvirt01 kernel: [69476.008895] type=1503 audit(1258506489.178:77): operation="open" pid=17104 parent=1 profile="libvirt-600d5dae-6373-107e-5f1b-5010aff3ffed" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/pki/libvirt-vnc/ca-cert.pem"

libvirt 0.7.0-1ubuntu13.1
kvm 1:84+dfsg-0ubuntu16+0.11.0+0ubuntu6.3
apparmor 2.3.1+1403-0ubuntu27.2

Add "/etc/pki/libvirt-vnc/** r," to "/etc/apparmor.d/abstractions/libvirt-qemu"
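
The denial and the proposed rule above can be checked against each other before the abstraction is edited. The following is an added example, not part of the original report and not libvirt or AppArmor code: it parses the type=1503 line from the report and tests whether a file rule covers the denied path and mask. The function names are hypothetical, and the glob handling is a simplified subset of AppArmor's (only "**", "*" and "?").

```python
import re

# Denial line copied from the bug report; RULE is the reporter's proposed fix.
DENIAL = ('Nov 17 17:08:09 lasvirt01 kernel: [69476.008895] type=1503 '
          'audit(1258506489.178:77): operation="open" pid=17104 parent=1 '
          'profile="libvirt-600d5dae-6373-107e-5f1b-5010aff3ffed" '
          'requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 '
          'name="/etc/pki/libvirt-vnc/ca-cert.pem"')
RULE = "/etc/pki/libvirt-vnc/** r,"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of a type=1503 AppArmor audit line, else None."""
    if "type=1503" not in line:
        return None
    return {k: q if u == "" else u for k, q, u in KV.findall(line)}

def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob (**, *, ? only) to a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")          # ** crosses "/" boundaries
            i += 2
            continue
        c = glob[i]                   # * and ? stay inside one path component
        out.append({"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c)))
        i += 1
    return re.compile("".join(out))

def rule_covers(rule, denial):
    """True if a 'PATH PERMS,' file rule grants every permission the denial lists."""
    path, perms = rule.strip().rstrip(",").rsplit(None, 1)
    wanted = set(denial["denied_mask"].replace(":", ""))
    return bool(glob_to_regex(path).fullmatch(denial["name"])) and wanted <= set(perms)

def still_denied(lines, rules):
    """Return (profile, path, mask) for each denial that no rule in `rules` covers."""
    out = []
    for d in filter(None, map(parse_denial, lines)):
        if not any(rule_covers(r, d) for r in rules):
            out.append((d["profile"], d["name"], d["denied_mask"]))
    return out

if __name__ == "__main__":
    print(still_denied([DENIAL], []))      # the reported denial
    print(still_denied([DENIAL], [RULE]))  # empty once the rule is present
```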

Chuck Short (zulcss) on 2009-11-19
tags: added: apparmor
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → karmic-updates
status: New → Triaged
Changed in libvirt (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
milestone: none → karmic-updates
status: New → Triaged
Changed in libvirt (Ubuntu Lucid):
milestone: karmic-updates → none
importance: Low → Medium
Changed in libvirt (Ubuntu Lucid):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.2-4ubuntu1

---------------
libvirt (0.7.2-4ubuntu1) lucid; urgency=low

  * Merge from debian testing. Remaining changes:
    - debian/control:
      + Don't build-depend on QEmu
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Recommends qemu-kvm (>= 0.11.0-0ubuntu6)
      + Add versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg,
        since we used to ship them as such
      + We call libxen-dev libxen3-dev, so change all references
      + Build-Depends on libxml2-utils
      + Build-Depends on open-iscsi-utils instead of open-iscsi due to
        LP: #414986
    - debian/postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
    - debian/libvirt-bin.postrm: rename the libvirt group to libvirtd
    - debian/rules: add DEB_MAKE_CHECK_TARGET := check
    - debian/patches/900[0-7]: updated/refreshed for new paths in 0.7.2
    - debian/patches/series: don't apply 0002-qemu-disable-network.diff.patch
    - AppArmor integration:
      + debian/control: Build-Depends on libapparmor-dev and Suggests
        apparmor (>= 2.3+1289-0ubuntu14)
      + debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
        /etc/apparmor.d/force-complain, /etc/apparmor.d/libvirt,
        /etc/cron.daily and /usr/share/apport/package-hooks
      + add debian/libvirt-bin.cron.daily (LP: #438165)
      + add debian/libvirt-bin.apport
      + debian/libvirt-bin.install: install apparmor profiles, abstractions
        and apport hook
      + debian/postinst: reload apparmor profiles
      + debian/libvirt-bin.postrm: remove apparmor symlinks on purge
      + debian/libvirt-bin.preinst: added to force complain on certain
        upgrades
      + debian/README.Debian: add AppArmor section based on the upstream
        documentation
      + debian/rules: use --with-apparmor and copy apparmor and apport hook to
        debian/tmp
    - Dropped the following patches now included upstream:
      + 0005-Close-logfile-fd-after-spawning-qemu.patch
      + 9090-reenable-nonfile-labels.patch
      + 9091-apparmor.patch
      + 9092-apparmor-autoreconf.patch
  * AppArmor integration updates:
    - debian/apparmor/usr.sbin.libvirtd: allow libvirtd access to
      /usr/lib/libvirt/* (LP: #480478)
    - debian/apparmor/libvirt-qemu: allow guests access to
      /etc/pki/libvirt-vnc/** (LP: #484562)
    - debian/libvirt-bin.postinst: 0.7.2 moved /usr/bin/virt-aa-helper to
      /usr/lib/libvirt, so the profile changed from usr.bin.virt-aa-helper
      to usr.lib.libvirt.virt-aa-helper and needs to be migrated. If the user
      made no changes to the old profile, remove it, otherwise, update the
      paths, preserving the shipped usr.lib.libvirt.virt-aa-helper
    - update to 0.7.4 version of the sVirt AppArmor driver (can be dropped in
      0.7.4):
      + debian/patches/9008-apparmor-caps-mockup.patch
      + debian/patches/9009-apparmor-lp453335.patch
      + debian/patches/9010-apparmor-lp460271.patch
      + debian/patches/9011-apparmor-code-cleanups.patch
    - add virt-aa-helper-test and examples/appar...

Changed in libvirt (Ubuntu Lucid):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Unmilestoning and unassigning myself for the 9.10 task. I don't have time to prepare/test/follow through on an SRU for this, especially since there is an easy workaround. If someone else is inclined to take the lead on an SRU for this, feel free to do so.

Changed in libvirt (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → nobody
milestone: karmic-updates → none
Rolf Leggewie (r0lf) wrote :

karmic has seen the end of its life and is no longer receiving any updates. Marking the karmic task for this ticket as 'Won't Fix'.

Changed in libvirt (Ubuntu Karmic):
status: Triaged → Won't Fix