[Bug 1173749] New: spice-vdagentd.service not enabled by default
https://bugzilla.suse.com/show_bug.cgi?id=1173749 Bug ID: 1173749 Summary: spice-vdagentd.service not enabled by default Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: meissner@suse.com Reporter: fvogt@suse.com QA Contact: qa-bugs@suse.de CC: jsegitz@suse.com, lnussel@suse.com, meissner@suse.com Found By: --- Blocker: --- spice-vdagent is installed by default due to a modalias supplements on virtio. The systemd preset has spice-vdagentd.service disabled, which means that it does not work OOTB. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
Marcus Meissner
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c1
Fabian Vogt
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c2
Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c3
--- Comment #3 from Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c4
--- Comment #4 from Fabian Vogt
systemd services do not require a security review per se. Adding a systemd service to the systemd presets to have it started automatically does require a review, however.
The notion behind that is that we want to keep the default security on a high level. systemd services can for example be installed implicitly as dependencies of other packages. We usually don't want them to start up right away. It should be a conscious user decision to do so.
The udev rule starts the service, so effectively the service is automatically started, but only if the rule matches. That's why I'm asking whether an audit is required for that as well. (In reply to Matthias Gerstner from comment #3)
So are there any news here? Do you still needs this?
If no audit is neccessary, only the systemd bug remains, so feel free to reassign. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c5
--- Comment #5 from Matthias Gerstner
The udev rule starts the service, so effectively the service is automatically started, but only if the rule matches. That's why I'm asking whether an audit is required for that as well.
Is there a reason why the rule shouldn't match? It shows that we have a loophole in our security restrictions. udev rules can circumvent our systemd autostart restrictions. So maybe we should review this service here after all.
If no audit is neccessary, only the systemd bug remains, so feel free to reassign.
What do you mean by "the systemd bug"? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c6
--- Comment #6 from Fabian Vogt
(In reply to fvogt@suse.com from comment #4)
The udev rule starts the service, so effectively the service is automatically started, but only if the rule matches. That's why I'm asking whether an audit is required for that as well.
Is there a reason why the rule shouldn't match?
The service is for connecting to QEMU, so it only works if it's running in a VM with the appropriate guest device enabled.
It shows that we have a loophole in our security restrictions. udev rules can circumvent our systemd autostart restrictions. So maybe we should review this service here after all.
If no audit is neccessary, only the systemd bug remains, so feel free to reassign.
What do you mean by "the systemd bug"?
See comment 1. The udev rule has ENV{SYSTEMD_WANTS}="spice-vdagentd.socket" but the .socket unit is stopped on "systemctl isolate", even though the device (and therefore the wants relationship) is still there. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c7
--- Comment #7 from Matthias Gerstner
Is there a reason why the rule shouldn't match?
The service is for connecting to QEMU, so it only works if it's running in a VM with the appropriate guest device enabled.
Does it help to enable the service when the device is not enabled?
See comment 1. The udev rule has ENV{SYSTEMD_WANTS}="spice-vdagentd.socket" but the .socket unit is stopped on "systemctl isolate", even though the device (and therefore the wants relationship) is still there.
Is this actually a systemd bug / something that systemd is likely to fix in the sense of this bug here? After a review we can add this service to the systemd presets. Hopefully there won't be any side effects ... the package is not installed by default, I hope, so for users not needing this nothing should change. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c8
--- Comment #8 from Fabian Vogt
(In reply to fvogt@suse.com from comment #6)
Is there a reason why the rule shouldn't match?
The service is for connecting to QEMU, so it only works if it's running in a VM with the appropriate guest device enabled.
Does it help to enable the service when the device is not enabled?
It would most likely just fail immediately.
See comment 1. The udev rule has ENV{SYSTEMD_WANTS}="spice-vdagentd.socket" but the .socket unit is stopped on "systemctl isolate", even though the device (and therefore the wants relationship) is still there.
Is this actually a systemd bug / something that systemd is likely to fix in the sense of this bug here?
I hope so, we'll see.
After a review we can add this service to the systemd presets. Hopefully there won't be any side effects ... the package is not installed by default, I hope, so for users not needing this nothing should change.
Yes, but I don't think that adding it to the preset is the right way actually. The udev rule is the right approach, just hits some corner cases... -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c9
--- Comment #9 from Matthias Gerstner
Yes, but I don't think that adding it to the preset is the right way actually. The udev rule is the right approach, just hits some corner cases...
Okay then I suggest we keep this bug open for review. And you can create a split-off bug for systemd folks to address the separate issue of the `isolate` behaviour. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c10
Fabian Vogt
(In reply to fvogt@suse.com from comment #8)
Yes, but I don't think that adding it to the preset is the right way actually. The udev rule is the right approach, just hits some corner cases...
Okay then I suggest we keep this bug open for review. And you can create a split-off bug for systemd folks to address the separate issue of the `isolate` behaviour.
Done: bug 1175822 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1173749
https://bugzilla.suse.com/show_bug.cgi?id=1173749#c11
Matthias Gerstner
participants (1)
-
bugzilla_noreply@suse.com