AppArmor denies access to /etc/gss/mech.d/
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libvirt (Ubuntu) | Fix Released | Undecided | Unassigned | |
Xenial | Confirmed | Undecided | Unassigned | |
Bug Description
We are adding new functionality/tests to Cockpit to integrate VNC/spice consoles (https:/
[ 12.117988] audit: type=1400 audit(149684878
I'm not sure what that is being used for, but I suppose this should either be allowed or explicitly denied to avoid this DENIED alarm bell.
This happens on both 16.04 LTS and 17.04.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10.10
ProcVersionSign
Uname: Linux 4.4.0-79-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
Date: Wed Jun 7 11:25:37 2017
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
mtime.conffile.
tags: | added: 4.0.0-1ubuntu5 |
Hi Martin,
I'm currently trying to clean up bugs that were missed or got no update.
First I have to beg your pardon for missing it in the first place.
I have run spice sessions without that showing up, so I checked what that actually is about.
In general that directory is to plug configs for the gssapi - see some libvirt ref at [1].
This has been enabled for ages, but I haven't heard of any issues. Which either means it works fine or no one is actually using it.
I'd assume your setup has a SASL/GSSAPI configured more than vnc/spice to trigger this.
If you'd have any details on this part of your setup for better reproducibility of the issue, that would be great.
In general sharing a guest xml could help so I can kind of bisect through it if/how to trigger it.
Alternatively it seems to only be used when you use the non-TLS socket. libvirt.conf or to listen_tls in /etc/libvirt/libvirtd.conf.
Your bug report states only default networks as modified, but maybe this differs from the env this pops up. Could you check if you have any changes made to either
/etc/sasl2/
[1]: https://libvirt.org/auth.html#ACL_server_kerberos
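
The report asks that the access be "either allowed or explicitly denied". The following is an added example, not part of the bug report or of libvirt's packaging: it parses AppArmor `DENIED` audit lines and prints the two candidate profile rules for each denied path. The log lines are constructed samples, and the profile name `/usr/sbin/libvirtd` is an assumption, since the report's own audit line is truncated.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format (NOT taken from the bug report).
# The profile name /usr/sbin/libvirtd is an assumption.
SAMPLE_LOG = """\
[   12.100000] audit: type=1400 audit(1500000000.100:20): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/gss/mech.d/" pid=1201 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   12.200000] audit: type=1400 audit(1500000000.200:21): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/gss/mech.d/" pid=1201 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   13.000000] audit: type=1400 audit(1500000001.000:22): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=900 comm="apparmor_parser"
[   14.000000] audit: type=1400 audit(1500000002.000:23): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=1300 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# In audit logs, create (c) and delete (d) are covered by "w" in profile syntax.
LOG_TO_RULE = {"c": "w", "d": "w"}


def parse_denials(text):
    """Return {(profile, path): set of denied mask letters} for DENIED events only."""
    denials = defaultdict(set)
    for line in text.splitlines():
        if "type=1400" not in line:
            continue
        fields = {k: (q if q else u) for k, q, u in KV.findall(line)}
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # skip STATUS / ALLOWED (complain mode) events
        key = (fields.get("profile", "?"), fields["name"])
        denials[key].update(fields.get("denied_mask", ""))
    return dict(denials)


def candidate_rules(denials):
    """Map each denial to (allow_rule, deny_rule) for a maintainer to choose between."""
    out = {}
    for (profile, path), mask in sorted(denials.items()):
        perms = "".join(sorted({LOG_TO_RULE.get(ch, ch) for ch in mask}))
        # A "deny" rule blocks the access and also suppresses the audit message.
        out[(profile, path)] = (f"{path} {perms},", f"deny {path} {perms},")
    return out


if __name__ == "__main__":
    for (profile, path), (allow, deny) in candidate_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"profile {profile}\n  allow:   {allow}\n  silence: {deny}")
```

A rule on a path with a trailing slash covers the directory itself; files inside it need their own rule, such as a `*` glob under that directory.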