[Bug 1127073] New: /usr/{bin,sbin}/dnsmasq profile name alternation breaks libvirt
http://bugzilla.opensuse.org/show_bug.cgi?id=1127073

Bug ID: 1127073
Summary: /usr/{bin,sbin}/dnsmasq profile name alternation breaks libvirt
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
CC: jfehlig@suse.com, rgoldwyn@suse.com
Found By: ---
Blocker: ---

Got this report by mail:

The /usr/{bin,sbin}/dnsmasq profile name alternation that was added in the latest AppArmor releases breaks libvirt:

type=AVC msg=audit(1551204355.326:125): apparmor="DENIED" operation="signal" profile="libvirtd" pid=3951 comm="libvirtd" requested_mask="send" denied_mask="send" signal=kill peer="/usr/{bin,sbin}/dnsmasq"
type=AVC msg=audit(1551204355.326:126): apparmor="DENIED" operation="signal" profile="/usr/{bin,sbin}/dnsmasq" pid=3951 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=kill peer="libvirtd"

The libvirtd profile allows peer=/usr/sbin/dnsmasq and everybody thought that this would also allow the "correct half" of the alternation - but sadly in practice it doesn't work.

I'll submit updated packages to Tumbleweed and ask Goldwyn to apply the needed patch to the SLE/Leap 15 package.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
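The two DENIED lines in the report come down to how a peer= value is matched: it is a pattern compared against the peer's profile name, and a profile whose header is the attachment /usr/{bin,sbin}/dnsmasq with no explicit name is literally called "/usr/{bin,sbin}/dnsmasq", braces included. The Python script below is an added example, not code from this bug, from AppArmor or from the libvirt package. It translates the AARE glob subset used in peer= values ({a,b}, *, **, ?) into a regex, parses the two audit lines above, and evaluates them against the peer rules before and after the change James Fehlig describes in comment #3 further down (dnsmasq profile renamed to /usr/sbin/dnsmasq, a peer=libvirtd rule added). The RULES_* tables and the RENAME_AFTER map are reconstructed from the thread, and the matcher covers only the glob features named here, not the full AppArmor implementation.

```python
import re

# Added example: models AppArmor peer= matching for bug 1127073. Not code from
# the bug report, the AppArmor project or the libvirt package.

# The two DENIED lines quoted in the bug report, reused verbatim as sample input.
AUDIT_LINES = [
    'type=AVC msg=audit(1551204355.326:125): apparmor="DENIED" operation="signal" '
    'profile="libvirtd" pid=3951 comm="libvirtd" requested_mask="send" '
    'denied_mask="send" signal=kill peer="/usr/{bin,sbin}/dnsmasq"',
    'type=AVC msg=audit(1551204355.326:126): apparmor="DENIED" operation="signal" '
    'profile="/usr/{bin,sbin}/dnsmasq" pid=3951 comm="libvirtd" requested_mask="receive" '
    'denied_mask="receive" signal=kill peer="libvirtd"',
]

# Signal peer= patterns per profile name, reconstructed from the thread
# (assumption: only the peer patterns are modelled, access masks are left out).
RULES_BEFORE = {
    "libvirtd": ["/usr/sbin/dnsmasq"],                        # signal (send) peer=
    "/usr/{bin,sbin}/dnsmasq": ["/usr/{bin,sbin}/libvirtd"],  # signal (receive) peer=
}
# After comment #3: dnsmasq profile renamed, peer=libvirtd added beside the old rule.
RULES_AFTER = {
    "libvirtd": ["/usr/sbin/dnsmasq"],
    "/usr/sbin/dnsmasq": ["/usr/{bin,sbin}/libvirtd", "libvirtd"],
}
# Effect of that rename on the profile/peer names the kernel reports in audit lines.
RENAME_AFTER = {"/usr/{bin,sbin}/dnsmasq": "/usr/sbin/dnsmasq"}


def aare_to_regex(pattern):
    """Translate the AARE glob subset used in peer= values into a Python regex:
    {a,b} alternation (nesting allowed), ** (any chars), * (any chars except /),
    ? (one char except /). Everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "{":
            depth, j = 1, i + 1
            while j < len(pattern) and depth:
                depth += {"{": 1, "}": -1}.get(pattern[j], 0)
                j += 1
            if depth:
                raise ValueError("unbalanced '{' in %r" % pattern)
            alts, buf, d = [], "", 0
            for ch in pattern[i + 1:j - 1]:      # split on top-level commas only
                d += {"{": 1, "}": -1}.get(ch, 0)
                if ch == "," and d == 0:
                    alts.append(buf)
                    buf = ""
                else:
                    buf += ch
            alts.append(buf)
            out.append("(?:" + "|".join(aare_to_regex(a) for a in alts) + ")")
            i = j
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def peer_matches(rule_peer, peer_profile_name):
    """True if the rule's peer= pattern matches the whole peer profile name."""
    return re.fullmatch(aare_to_regex(rule_peer), peer_profile_name) is not None


def parse_denial(line):
    """Pull the key="value" fields out of one audit line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def evaluate(line, rules, renamed=None):
    """Return (allowed, matching peer pattern) for the denial in `line` under
    `rules`. `renamed` maps old profile names to new ones so the same audit line
    can be re-evaluated as if the profile had been renamed."""
    d = parse_denial(line)
    renamed = renamed or {}
    profile = renamed.get(d["profile"], d["profile"])
    peer = renamed.get(d["peer"], d["peer"])
    for rule_peer in rules.get(profile, []):
        if peer_matches(rule_peer, peer):
            return True, rule_peer
    return False, None


def demo():
    """Evaluate both audit lines before and after the fix from comment #3."""
    before = [evaluate(line, RULES_BEFORE) for line in AUDIT_LINES]
    after = [evaluate(line, RULES_AFTER, RENAME_AFTER) for line in AUDIT_LINES]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for line, b, a in zip(AUDIT_LINES, before, after):
        d = parse_denial(line)
        print(f'{d["profile"]} -> {d["peer"]} ({d["requested_mask"]}): '
              f'before={b[0]} after={a[0]} via {a[1]!r}')
```

Running it reproduces both denials with the old rules and shows both allowed after the rename plus the added peer=libvirtd line. The expectation in the report ("the correct half of the alternation") is reversed in practice: a pattern peer=/usr/{bin,sbin}/dnsmasq does match a profile named /usr/sbin/dnsmasq, but a pattern peer=/usr/sbin/dnsmasq cannot match a profile whose name contains the literal braces.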
http://bugzilla.opensuse.org/show_bug.cgi?id=1127073#c1
--- Comment #1 from Christian Boltz

http://bugzilla.opensuse.org/show_bug.cgi?id=1127073#c3
--- Comment #3 from James Fehlig
SR 679593 sent to Factory.
AFAICT, the only change in that SR is

-/usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+/usr/sbin/dnsmasq flags=(attach_disconnected) {

which wasn't enough in my testing on TW where the libvirtd profile is now a named one. I also had to make the following changes to finally allow libvirtd to kill off dnsmasq processes

signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=libvirtd,
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=libvirtd,

BTW, do those instances of {bin,sbin} also need to be changed to just sbin?
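Review bot: Dropping the alternation from the profile header ("-/usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {" to "+/usr/sbin/dnsmasq flags=(attach_disconnected) {") narrows what the profile attaches to, not only what it is called: a dnsmasq installed as /usr/bin/dnsmasq, the case the alternation was covering, now runs unconfined. If both paths must stay confined, keep the glob as the attachment and give the profile a plain name instead, i.e. "profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {", and change libvirtd's rule to peer=dnsmasq; the audit lines in the report show that peer= is compared against the profile name the kernel reports, so a plain name sidesteps the brace problem entirely. Whichever name is chosen, the rename should be called out in the changelog, because any third-party profile carrying peer=/usr/{bin,sbin}/dnsmasq or peer=/usr/sbin/dnsmasq stops or starts matching with it.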
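Review bot: The added "+ signal (receive) peer=libvirtd," and "+ ptrace (readby) peer=libvirtd," lines sit next to the old peer=/usr/{bin,sbin}/libvirtd rules rather than replacing them, so the dnsmasq profile now accepts signals and read-ptrace from either libvirtd name. That is reasonable while libvirtd is a named profile on TW (as the comment says) but may still be path-named on other releases, but it needs a comment in the profile saying so, otherwise the next cleanup drops one half and reintroduces this bug on one side. On the question at the end: peer= is a pattern, so /usr/{bin,sbin}/libvirtd already matches a libvirtd profile named /usr/sbin/libvirtd or /usr/bin/libvirtd; what it cannot match is the bare name "libvirtd", which is exactly what the second DENIED line in the report shows (peer="libvirtd"). Those instances only need to change to plain sbin if libvirtd's own profile header drops its alternation.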
http://bugzilla.opensuse.org/show_bug.cgi?id=1127073#c6
--- Comment #6 from Christian Boltz

http://bugzilla.opensuse.org/show_bug.cgi?id=1127073#c10
--- Comment #10 from Christian Boltz

http://bugzilla.opensuse.org/show_bug.cgi?id=1127073#c14
--- Comment #14 from Goldwyn Rodrigues
> Fixed in Tumbleweed.
> Goldwyn, what's the status on the SLE 15.x side?

This has been submitted as per comment #12
http://bugzilla.opensuse.org/show_bug.cgi?id=1127073#c15
--- Comment #15 from Christian Boltz