[libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

intrigeri intrigeri at debian.org
Tue May 19 09:54:31 UTC 2015 

Hi Stefan,

any news on what follows? Now that Ubuntu 15.04 has been released,
perhaps you'll be able to allocate some cycles to it? :)

intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
> Hi Stefan and others,

> Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
>> On 20.10.2014 12:48, Stefan Bader wrote:
>>> On 19.10.2014 17:07, intrigeri wrote:
>>>> Cool, I've tested this. I've imported these two patches in Debian's
>>>> 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
>>>> build system in the tarball wants aclocal 1.13, while Debian sid has
>>>> 1.14), and added a build-dep on libapparmor-dev to get the needed
>>>> pkg-config file.

> I've given a try to your last set of patches. Sorry for the delay.
> Here's what I did:

> 1. Checkout the Vcs-Git libvirt packaging repo for Debian unstable,
>    currently at 1.2.9-9
> 2. Make the build system use dh-autoreconf as previously
> 3. Added the build-dep on libapparmor-dev as previously
> 4. Hacked debian/rules to make examples/apparmor/profile-preprocess
>    (created by your patches) executable before it's executed.
>    This won't be needed anymore once the patches are upstreamed.
> 5. Build in a clean Debian unstable chroot, which now works.
>    Progress :)
> 6. Install the resulting binary packages on a sid system with
>    a working libvirt setup.
> 7. In /etc/libvirt/qemu.conf, set security_driver = "apparmor"
> 8. Restart libvirtd.
> 9. Start a VM with virsh or virt-manager

> => here's what I see:

>   error: Failed to start domain tails-dev
>   error: internal error: cannot load AppArmor profile 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'

> And the Journal says:

>   libvirtd[20351]: internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status 1: virt-aa-helper: error: template does not exist
>                    virt-aa-helper: error: could not create profile
>   libvirtd[20351]: internal error: cannot load AppArmor profile 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'

> So I naively tried to do it by hand:

>   $ virsh dumpxml tails-dev | sudo /usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef 
>   virt-aa-helper: error: template does not exist
>   virt-aa-helper: error: could not create profile

> I do have a template in place:

>   $ cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
>   #
>   # This profile is for the domain whose UUID matches this file.
>   #

>   #include <tunables/global>

>   profile LIBVIRT_TEMPLATE {
>     #include <abstractions/libvirt-qemu>
>   }

> What other information can I provide, or what else should I test?

> Also note that I had to add the following line to
> usr.lib.libvirt.virt-aa-helper, in order to silence an AppArmor denial
> log:

>   /etc/libnl-3/classid r,

> Should this be added to the upstream profile, as is or prefixed by
> "deny"?

> Cheers,

-- 
intrigeri

More information about the libvir-list mailing list