https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c2 Stefan Seyfried changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|seife@novell.slipkontur.de | --- Comment #2 from Stefan Seyfried 2011-06-10 11:39:08 CEST --- No, this is plain FACTORY libvirt. Normal dnsmasq is working fine, just the libvirt dnsmasq instance is not allowed to write its configuration. Maybe libvirt should include an apparmor rule that allows dnsmasq to write in /var/lib/libvirt/* Normally, dnsmasq does not need that, so the normal dnsmasq rule should probably not allow it. Unfortunately I have absolutely no idea on how apparmor works or how to create rules (and I'm not really interested in learning that), or I would have tried to fix it myself. For now,"zypper rm libapparmor1" is an appropriate solution for me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c Christoph Thiel changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jeffm@novell.com |ug@novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c5 --- Comment #5 from Christoph Thiel 2011-06-10 14:26:33 UTC --- IIUC, we already have the fix that is proposed in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/697239 in our package. This is actually an additional issue. However, from looking at https://launchpadlibrarian.net/61872823/apparmor_2.6~devel%2Bbzr1617-0ubuntu... I found an interesting aspect. At the end of each profile, Ubuntu does something like this: # Site-specific additions and overrides. See local/README for details. #include I'm not sure what happens, if the file is not available. But it would be a way for us to include additional config for e.g. OpenStack in a different file and ship dnsmasq with an include line for it? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c7 James Fehlig changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jdouglas@novell.com, | |jeffm@novell.com --- Comment #7 from James Fehlig 2011-08-18 18:42:49 UTC --- FYI, https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/815883 I've added /var/lib/libvirt/dnsmasq/*.leases to existing apparmor-profiles-usr.sbin.dnsmasq patch and submitted to security:apparmor:factory, SR#79263. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c9 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #9 from Christian Boltz 2011-08-21 15:00:11 CEST --- For the records: The rule for *.leases is included in AppArmor 2.7 beta1. (In reply to comment #8)

Hmm, I was considering building the libvirt apparmor security driver for openSUSE. It was requested for SLE11 SP2 so I've enabled and tested it there, but hesitated for openSUSE since I was under the impression that the community wasn't too keen on apparmor. Seems I was right and should continue disabling the libvirt apparmor driver. I've never had any bugs or requests for it in openSUSE.

My guess is that most users don't even know about the libvirt apparmor support ;-) If I get http://libvirt.org/drvqemu.html#securitysvirtaa right, libvirt has two sets of protection: a) protection of the host vs. all guests - that's what openSUSE currently has b) protection between guests - that's only possible with the libvirt apparmor support enabled I have to admit I don't really use virtualization, but I'd vote to enable apparmor support in libvirt. The reason is simple - protection between guests sounds very useful to me. Additionally: If someone doesn't like protection between guests (which would be a strange wish IMHO), he can easily disable it with a config option (security_driver="none" in /etc/libvirt/qemu.conf). OTOH, if libvirt is built without apparmor support, it probably needs to be recompiled to enable this feature. That's a lot more work compared to editing a config file. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c11 --- Comment #11 from Stefan Seyfried 2011-09-10 11:12:04 CEST --- The virt-network now works with the current apparmor/libvirt/dnsmasq packages from FACTORY. However, as this bug has slightly diverged from the original topic, I'll leave it to someone else to decide if it should be closed as fixed. For me it is :-) Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=694197 https://bugzilla.novell.com/show_bug.cgi?id=694197#c13 --- Comment #13 from Bernhard Wiedemann 2011-09-13 22:00:10 CEST --- This is an autogenerated message for OBS integration: This bug (694197) was mentioned in https://build.opensuse.org/request/show/82043 Factory / apparmor https://build.opensuse.org/request/show/82045 Factory / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.