[opensuse-factory] apparmor, kernel 4.14 and libvirtd

Hi! It seems the kernel upgrade needs another modification to the apparmor profile(s) for libvirtd:

type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Ciao, Michael.

Hello,

On Wednesday, 22 November 2017, 13:30:40 CET, Michael Ströder wrote:

A log line with apparmor="DENIED" would be more useful - do you have one? ;-)

Also, please file a bug report - I'm not sure if Jim reads this ML.

Regards,

Christian Boltz
--
Should you ever feel lonely or be overwhelmed with spare time: you know where to find us.
[Dominique Leuenberger in opensuse-project]

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 11/23/2017 06:32 AM, Christian Boltz wrote:
Yes, I do, when I'm not on holidays :-).

WRT bugs, there's

https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
https://bugzilla.opensuse.org/show_bug.cgi?id=1069903

If you are still seeing the problem with the fix for these bugs, please provide more info from /var/log/audit/audit.log as Christian requested.

Regards,
Jim

On 11/27/2017 08:01 AM, Jim Fehlig wrote:
I finally got around to updating my TW machine. Rather than trying kernel 4.14.1, I immediately installed kernel 4.14.2-3.1.gb5596a5 from

http://download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

The only problem I noticed was the following when shutting down a confined VM

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Adding the following rule to the libvirt-qemu abstraction squelches the denial

@{PROC}/@{pid}/cmdline r,

Christian, do you think that rule is satisfactory? If so, I'll submit it upstream. Thanks!

Regards,
Jim

Hello,

On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
I finally got around to updating my TW machine. Rather than trying kernel 4.14.1, I immediately installed kernel 4.14.2-3.1.gb5596a5
Good choice ;-) - 4.14.0 and .1 have a "nice" bug.
Yes, this rule looks correct, so please submit it upstream ;-)

Regards,

Christian Boltz
--
* tigerfoot [sarcastic mode] Didn't we remove *kit from 12.2 ? [/end mode]
<simon123> tigerfoot: we will never get rid of *Kit, they will always invent another one :(
[from #opensuse-project]

Christian Boltz wrote:
After updating the kernel to 4.14.2 I've tried to add the line

@{PROC}/@{pid}/cmdline r,

to file /etc/apparmor.d/abstractions/libvirt-qemu but still I get this for virsh destroy <domain-name>:

type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

Ciao, Michael.
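
The two apparmor="DENIED" records in this thread (Jim's /proc/<pid>/cmdline open denial and the signal denial above) are exactly the kind of input aa-logprof turns into candidate rules. The following script is an added example, not code from the thread or from the AppArmor project: it parses AVC records from an audit log, generalizes the pid-specific /proc path to the @{PROC}/@{pid} variables Jim used, and emits the minimal rule per confining profile. The sample log is constructed from the records quoted in this thread; the first record (type=VIRT_RESOURCE) is written by libvirtd itself and carries no apparmor= field, so the parser skips it.

```python
import re

# Constructed sample input: the audit records quoted in this thread.
# The VIRT_RESOURCE line is a libvirt cgroup record, not an AppArmor event.
SAMPLE_AUDIT_LOG = """\
type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" class=all exe="/usr/sbin/libvirtd" res=success'
type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0
type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one AppArmor denial as a dict,
    or None when the record is not an apparmor="DENIED" AVC event."""
    if not line.startswith("type=AVC"):
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def generalize_path(path):
    """Replace a concrete /proc/<pid> prefix with the @{PROC}/@{pid}
    variables so the rule is not tied to the pid seen in one denial."""
    m = re.match(r"^/proc/(\d+)(/.*)?$", path)
    if m:
        return "@{PROC}/@{pid}" + (m.group(2) or "")
    return path


def suggest_rule(fields):
    """Build the narrowest AppArmor rule that would permit this denial."""
    if fields.get("operation") == "signal":
        # e.g. signal (send) set=(term) peer=unconfined,
        return (f"signal ({fields['denied_mask']}) "
                f"set=({fields['signal']}) peer={fields['peer']},")
    if "name" in fields:
        # file rule: path followed by the denied access mode
        return f"{generalize_path(fields['name'])} {fields['denied_mask']},"
    return None


def suggest_rules(log_text):
    """Map each confining profile name to the rules its denials call for."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_record(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule and rule not in rules.setdefault(fields["profile"], []):
            rules[fields["profile"]].append(rule)
    return rules


if __name__ == "__main__":
    for profile, profile_rules in suggest_rules(SAMPLE_AUDIT_LOG).items():
        print(f"# profile {profile}")
        for rule in profile_rules:
            print(f"  {rule}")
```

For the sample log the script proposes `@{PROC}/@{pid}/cmdline r,` for the qemu guest profile and `signal (send) set=(term) peer=unconfined,` for /usr/sbin/libvirtd. A generated rule is a starting point for review, not something to append blindly: check first whether the distribution's current profile (including any *.rpmnew copy waiting in /etc/apparmor.d/) already grants it, which is the check Christian's later reply asks for.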

Hello,

On Friday, 1 December 2017, 13:35:00 CET, Michael Ströder wrote:
Michael Ströder wrote:
Can you please check if you have *.rpmnew files in /etc/apparmor.d/ ?

Both events you listed should be covered by the latest /etc/apparmor.d/usr.sbin.libvirtd profile already.

Regards,

Christian Boltz
Participants (3): Christian Boltz, Jim Fehlig, Michael Ströder