[Bug 880426] New: libvirt-daemon: AppArmor profile template includes non-existing file
https://bugzilla.novell.com/show_bug.cgi?id=880426#c0

Summary: libvirt-daemon: AppArmor profile template includes non-existing file
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: openSUSE 13.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: jfehlig@suse.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa-bugs@suse.de
Found By: Beta-Customer
Blocker: ---

/etc/apparmor.d/libvirt/TEMPLATE contains:

    ...
    profile LIBVIRT_TEMPLATE {
      #include <abstractions/libvirt-driver>
    }

abstractions/libvirt-driver doesn't exist (at least on my system) - only abstractions/libvirt-lxc and abstractions/libvirt-qemu.

Are you sure the TEMPLATE profile is correct? Or is there "just" a missing Requires: in the libvirt-daemon package?

To make things worse, this also breaks aa-logprof of AppArmor 2.8.x (and older):

    # aa-logprof
    Can't find include file abstractions/libvirt-driver: No such file or directory

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=880426#c1

James Fehlig <jfehlig@suse.com> changed:

    What       |Removed           |Added
    ----------------------------------------------------------
    CC         |                  |jfehlig@suse.com
    AssignedTo |jfehlig@suse.com  |cbosdonnat@suse.com
    QAContact  |qa-bugs@suse.de   |jdouglas@suse.com

--- Comment #1 from James Fehlig <jfehlig@suse.com> 2014-05-29 17:42:18 UTC ---

Cedric, the change to TEMPLATE was made by commit 43c030f0, but the libvirt-driver abstraction is not included or installed by that patch. Can you provide a follow-up fix? Thanks.

https://bugzilla.novell.com/show_bug.cgi?id=880426#c2

--- Comment #2 from James Fehlig <jfehlig@suse.com> 2014-05-29 17:42:57 UTC ---

Note: bug applies to SLE12 as well.

https://bugzilla.novell.com/show_bug.cgi?id=880426#c3

--- Comment #3 from Cédric Bosdonnat <cbosdonnat@suse.com> 2014-06-02 07:17:54 UTC ---

Hum, it's a bad replacement problem. I'll fix that today.

https://bugzilla.novell.com/show_bug.cgi?id=880426#c4

Cédric Bosdonnat <cbosdonnat@suse.com> changed:

    What         |Removed  |Added
    ----------------------------------------------------------
    Status       |NEW      |NEEDINFO
    InfoProvider |         |suse-beta@cboltz.de

--- Comment #4 from Cédric Bosdonnat <cbosdonnat@suse.com> 2014-06-02 08:29:23 UTC ---

After some code re-checking and debugging, it all works properly... Did you try getting it to work for real using <seclabel model="apparmor" type="dynamic"/> on a container?

FYI, this file is only a template file and is never used as is. The replacement for the actual driver abstraction file is made here:
http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/security/virt-aa-helper.c...

https://bugzilla.novell.com/show_bug.cgi?id=880426#c5

Christian Boltz <suse-beta@cboltz.de> changed:

    What         |Removed              |Added
    ----------------------------------------------------------
    Status       |NEEDINFO             |NEW
    InfoProvider |suse-beta@cboltz.de  |

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> 2014-08-19 23:10:04 CEST ---

(In reply to comment #4)
> After some code re-checking and debugging, it all works properly... Did you try
> getting it to work for real using <seclabel model="apparmor" type="dynamic"/> on
> a container?

No, I don't use libvirt etc. at all ;-) - I just noticed that the file contains #include <abstractions/libvirt-driver> which doesn't exist and breaks aa-logprof from AppArmor 2.8.x.

> FYI, this file is only a template file and is never used as is.

Nevertheless it would be a good idea to change it so that it contains only #include lines for existing files. Hint: that's much easier than fixing the Perl aa-logprof ;-)

FYI: the Perl-based aa-logprof is deprecated upstream, which also means the chance to get this fixed isn't too good (but patches will be accepted ;-)

The AppArmor 2.9 tools were rewritten in Python - and silently ignore /etc/apparmor.d/libvirt/TEMPLATE :-) (probably because it's not in abstractions/ and not included in any of my profiles)

https://bugzilla.novell.com/show_bug.cgi?id=880426#c6

Cédric Bosdonnat <cbosdonnat@suse.com> changed:

    What       |Removed  |Added
    ----------------------------------------------------------
    Status     |NEW      |RESOLVED
    Resolution |         |FIXED

--- Comment #6 from Cédric Bosdonnat <cbosdonnat@suse.com> 2014-08-26 13:47:00 UTC ---

This has been fixed by splitting the TEMPLATE into TEMPLATE.lxc and TEMPLATE.qemu in libvirt 1.2.7. Those files include abstractions/libvirt-lxc and abstractions/libvirt-qemu respectively, both of which exist.
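
The condition asked for in comment #5 (a shipped profile or template should only #include files that exist) can be checked mechanically before packaging. The following is an added example, not part of the bug thread and not code from libvirt or AppArmor: it resolves angle-bracket includes against a base directory (assumed to be /etc/apparmor.d on a real system) and runs on a constructed sample tree that mirrors the reported state; all function names are hypothetical.

```python
import os
import re
import tempfile

# '#include <x>' or 'include <x>'; group 1 marks 'include if exists', where a missing file is allowed.
INCLUDE_RE = re.compile(r'^\s*#?include\s+(if\s+exists\s+)?<([^>]+)>')

def missing_includes(profile_path, base_dir):
    """Return [(line_no, target)] for angle-bracket includes not found under base_dir."""
    missing = []
    with open(profile_path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            m = INCLUDE_RE.match(line)
            if not m or m.group(1):
                continue
            target = m.group(2).strip()
            if not os.path.exists(os.path.join(base_dir, target)):
                missing.append((line_no, target))
    return missing

def scan_tree(base_dir):
    """Check every file under base_dir; return {relative_path: [(line_no, target)]}."""
    findings = {}
    for root, _dirs, files in os.walk(base_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            bad = missing_includes(path, base_dir)
            if bad:
                findings[os.path.relpath(path, base_dir)] = bad
    return findings

def build_sample_tree(base_dir):
    """Constructed sample: two abstractions exist, TEMPLATE names a third that does not."""
    os.makedirs(os.path.join(base_dir, "abstractions"))
    os.makedirs(os.path.join(base_dir, "libvirt"))
    for name in ("libvirt-lxc", "libvirt-qemu"):
        with open(os.path.join(base_dir, "abstractions", name), "w") as fh:
            fh.write("# constructed placeholder abstraction\n")
    with open(os.path.join(base_dir, "libvirt", "TEMPLATE"), "w") as fh:
        fh.write("profile LIBVIRT_TEMPLATE {\n  #include <abstractions/libvirt-driver>\n}\n")

def demo():
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan_tree(base)

if __name__ == "__main__":
    for profile, bad in demo().items():
        print(profile, bad)
```

Run as a package build or CI step, a non-empty result from scan_tree() on the staged profile directory would flag this class of problem before it reaches tools that abort on an unresolved include.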