kernel-packages team mailing list archive
Message #65174
[Bug 1327687] Missing required logs.
This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:
apport-collect 1327687
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.
** Changed in: linux (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1327687
Title:
AppArmor Regression #1236455 by #1298611
Status in “apparmor” package in Ubuntu:
New
Status in “linux” package in Ubuntu:
Incomplete
Bug description:
Affected on kernel 3.13.0-21.43 and later on Trusty.
It may be because 3.13.0-21.43 reverts the #1236455 fix.
linux (3.13.0-21.43) trusty; urgency=low
[ John Johansen ]
* Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
* Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
* Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
policy"
* Revert "SAUCE: apparmor: allocate path lookup buffers during init"
* Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
connection"
* Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
* SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
- LP: #1298611
linux (3.13.0-2.17) trusty; urgency=low
[ John Johansen ]
* SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
* SAUCE: apparmor: fix unix domain sockets to be mediated on connection
- LP: #1208988
* SAUCE: apparmor: allocate path lookup buffers during init
- LP: #1208988
* SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
- LP: #1236455
I've observed a failure of the AppArmor policy update with libvirt, qemu
and vagrant.
Vagrant asks libvirt to create a VM image backed by another qcow2 image that is located in another directory.
virt-aa-helper should add it but fails.
/etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
"/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
"/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
"/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
"/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
"/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
"/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
/var/log/libivrt/libvirtd.log:
Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Running
sudo aa-complain /usr/lib/libvirt/virt-aa-helper
solves the problem. After running the above command, I get the following:
/etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
"/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
"/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
"/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
"/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
"/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
# don't audit writes to readonly files
deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
"/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
"/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
virt-aa-helper generates the policy rule and it is reloaded properly.
The observation tells us that the policy in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
@{HOME}/** r,
/**.img r,
is not working and fails to update the libvirt policy.
This behavior is the same as #1236455.
---
ApportVersion: 2.14.1-0ubuntu3
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1392 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelModules: nvidia
Package: linux
PackageArchitecture: amd64
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=ja_JP.utf8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Syslog:
Tags: qiana third-party-packages
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (48 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1327687/+subscriptions
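An added triage example, not part of the original report and not code from libvirt or AppArmor: it parses the quoted DENIED audit line and checks whether the generated .files rules grant the access that was requested. The sample data is constructed (abridged from the excerpts above), the function names are hypothetical, and only the `*`, `**` and `?` globs are handled.

```python
import re

# Constructed sample input, abridged from the audit line and .files excerpts in the report.
AUDIT_LINE = (
    'Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): '
    'apparmor="DENIED" operation="open" '
    'profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" '
    'name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118')
FILES_BEFORE = '''# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
"/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
'''
FILES_AFTER = FILES_BEFORE + '''"/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-z]+),\s*$')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Translate the glob subset used above: ** crosses '/', * and ? do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out)

def missing_permissions(denial, files_text):
    """Permissions the denial requested that the profile's file rules do not grant."""
    allowed, denied = set(), set()
    for line in files_text.splitlines():
        m = RULE.match(line)
        if m and glob_to_regex(m.group(2)).fullmatch(denial["name"]):
            (denied if m.group(1) else allowed).update(m.group(3))
    return sorted(set(denial["requested_mask"]) - (allowed - denied))

if __name__ == "__main__":
    d = parse_denial(AUDIT_LINE)
    print(d["profile"], d["name"])
    print("before:", missing_permissions(d, FILES_BEFORE))  # ['r']
    print("after: ", missing_permissions(d, FILES_AFTER))   # []
```

A non-empty result means the per-VM profile never received a rule for the denied path, so the place to look is the helper that generates the .files include rather than the guest's own profile.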