Missing entries in libvirt-qemu AppArmor profile

Bug #901272 reported by Louis Bouchard
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)

Bug Description

Description: Ubuntu 11.10
Release : 11.10

When setting up VncTLS according to the official Libvirt documentation, only one certificate for libvirt/libvirt-vnc is used. The document says to use the following directories:


in order to manage the certificates used by libvirt-vnc.

This is the document that talks about it: http://wiki.libvirt.org/page/VNCTLSSetup

These directories should be added to the libvirt AppArmor profile provided by Ubuntu.

Reproducible: 100%


Manually modify the /etc/apparmor.d/abstractions/libvirt-qemu profile

Business concern:

This would affect anybody trying to use the official documentation to enable qemu-vnc


Modify the libvirt-qemu profile

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libvirt-bin-0.9.2-4ubuntu15.1
Uname: Linux 3.0.0-13-server x86_64
Architecture: N/A

Louis Bouchard (louis)
description: updated
Jamie Strandboge (jdstrand) wrote :

Thanks for your report. Does adding the following to /etc/apparmor.d/abstractions/libvirt-qemu fix the issue for you:
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt/ r,
  /etc/pki/libvirt/* r,
  /etc/pki/libvirt/private/ r,
  /etc/pki/libvirt/private/* r,

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Actually, this might be simpler:
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt/ r,
  /etc/pki/libvirt/** r,

Jamie Strandboge (jdstrand) wrote :

/etc/pki/libvirt/** r, # this assumes there is nothing else in /etc/pki/libvirt besides the files needed by qemu

Poil (poil) wrote :

Adding "/etc/pki/CA/* r, /etc/pki/libvirt/** r," is OK for me.

best regards

Jamie Strandboge (jdstrand) wrote :

Thanks. It is not ideal that we have /etc/pki/libvirt/** since all VMs have read access to each other's pki files, but unless we have svirt support for the different pki files, this is good enough.

Changed in libvirt (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Triaged
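
Added example (not part of the bug thread or the libvirt package): a simplified Python model of AppArmor path globbing, in which `*` stops at `/` and `**` does not, used to compare what the two rule sets proposed above make readable. The sample paths are constructed, the function names are hypothetical, and `{}` and `[]` patterns are not handled.

```python
import re

# Read rules quoted from the thread (mode and trailing comma dropped).
EXPLICIT = ["/etc/pki/CA/", "/etc/pki/CA/*", "/etc/pki/libvirt/",
            "/etc/pki/libvirt/*", "/etc/pki/libvirt/private/",
            "/etc/pki/libvirt/private/*"]
RECURSIVE = ["/etc/pki/CA/", "/etc/pki/CA/*", "/etc/pki/libvirt/",
             "/etc/pki/libvirt/**"]

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = ["/etc/pki/CA/cacert.pem",
                "/etc/pki/CA/private/cakey.pem",
                "/etc/pki/libvirt/servercert.pem",
                "/etc/pki/libvirt/private/serverkey.pem",
                "/etc/pki/libvirt/private/guest-a/key.pem"]


def glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex (simplified model)."""
    parts, i = [], 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            # '**' crosses '/'; right after a '/' it needs at least one char.
            parts.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            # '*' never crosses '/'; a whole path component must be non-empty.
            whole = after_slash and (i + 1 == len(glob) or glob[i + 1] == "/")
            parts.append("[^/]+" if whole else "[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def readable(rules, path):
    """Return the rules that grant read access to path."""
    return [r for r in rules if glob_to_regex(r).fullmatch(path)]


def exposure_diff(narrow, wide, paths):
    """Paths readable under the wide rule set but not the narrow one."""
    return [p for p in paths if readable(wide, p) and not readable(narrow, p)]
```

Running `exposure_diff(EXPLICIT, RECURSIVE, SAMPLE_PATHS)` lists what the shorter `**` form adds over the explicit list; both forms already cover `/etc/pki/libvirt/private/*` for every confined guest.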
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.7-2ubuntu8

libvirt (0.9.7-2ubuntu8) precise; urgency=low

  * debian/apparmor/libvirt-qemu: add /etc/pki/CA/* and /etc/pki/libvirt/**
    (LP: #901272)
 -- Serge Hallyn <email address hidden> Wed, 04 Jan 2012 13:18:50 -0600

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released