[libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

Stefan Bader stefan.bader at canonical.com
Wed May 20 10:11:45 UTC 2015


On 19.05.2015 11:54, intrigeri wrote:
> Hi Stefan,
> 
> any news on what follows? Now that Ubuntu 15.04 has been released,
> perhaps you'll be able to allocate some cycles to it? :)

Hm, was there not something on which I was waiting for feedback from you? Though I
forgot what exactly that was. And after release is before release, the treadmill
never stops... ;-P
Since I have lost most of the context by now, I will try to find my most recent
proposal again and try to get it moved into the present state of the packages.

-Stefan

> 
> intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
>> Hi Stefan and others,
> 
>> Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
>>> On 20.10.2014 12:48, Stefan Bader wrote:
>>>> On 19.10.2014 17:07, intrigeri wrote:
>>>>> Cool, I've tested this. I've imported these two patches in Debian's
>>>>> 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
>>>>> build system in the tarball wants aclocal 1.13, while Debian sid has
>>>>> 1.14), and added a build-dep on libapparmor-dev to get the needed
>>>>> pkg-config file.
> 
>> I've given a try to your last set of patches. Sorry for the delay.
>> Here's what I did:
> 
>> 1. Check out the Vcs-Git libvirt packaging repo for Debian unstable,
>>    currently at 1.2.9-9
>> 2. Make the build system use dh-autoreconf as previously
>> 3. Added the build-dep on libapparmor-dev as previously
>> 4. Hacked debian/rules to make examples/apparmor/profile-preprocess
>>    (created by your patches) executable before it's executed.
>>    This won't be needed anymore once the patches are upstreamed.
>> 5. Build in a clean Debian unstable chroot, which now works.
>>    Progress :)
>> 6. Install the resulting binary packages on a sid system with
>>    a working libvirt setup.
>> 7. In /etc/libvirt/qemu.conf, set security_driver = "apparmor"
>> 8. Restart libvirtd.
>> 9. Start a VM with virsh or virt-manager
> 
>> => here's what I see:
> 
>>   error: Failed to start domain tails-dev
>>   error: internal error: cannot load AppArmor profile 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
> 
>> And the Journal says:
> 
>>   libvirtd[20351]: internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status 1: virt-aa-helper: error: template does not exist
>>                    virt-aa-helper: error: could not create profile
>>   libvirtd[20351]: internal error: cannot load AppArmor profile 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
> 
>> So I naively tried to do it by hand:
> 
>>   $ virsh dumpxml tails-dev | sudo /usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef 
>>   virt-aa-helper: error: template does not exist
>>   virt-aa-helper: error: could not create profile
> 
>> I do have a template in place:
> 
>>   $ cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
>>   #
>>   # This profile is for the domain whose UUID matches this file.
>>   #
> 
>>   #include <tunables/global>
> 
>>   profile LIBVIRT_TEMPLATE {
>>     #include <abstractions/libvirt-qemu>
>>   }
> 
>> What other information can I provide, or what else should I test?
> 
>> Also note that I had to add the following line to
>> usr.lib.libvirt.virt-aa-helper, in order to silence an AppArmor denial
>> log:
> 
>>   /etc/libnl-3/classid r,
> 
>> Should this be added to the upstream profile, as is or prefixed by
>> "deny"?
> 
>> Cheers,
> 

