Your message dated Thu, 14 Sep 2017 15:53:43 +0200
with message-id <[email protected]>
and subject line Re: [Pkg-libvirt-maintainers] Bug#875732:
libvirt-daemon-system: Create vm from iso in gnome-boxes fails: apparmor
profile denies
has caused the Debian Bug report #875732,
regarding libvirt-daemon-system: Create vm from iso in gnome-boxes fails:
apparmor profile denies
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
875732: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875732
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-daemon-system
Version: 3.6.0-1
Severity: normal
Hi,
the virt-aa-helper apparmor profile shipped with libvirt-daemon-system
prevents gnome-boxes from accessing .local, and so from booting a new VM
created from an ISO or imported.
type=AVC msg=audit(1505371989.794:47034): apparmor="DENIED"
operation="open" profile="virt-aa-helper"
name="/home/nodens/.local/share/gnome-boxes/images/boxes-unknown"
pid=13982 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
I guess the profile should be updated to allow gnome-boxes to access its
own .local directory. However, I'm not sure about the best way to do it:
allowing access to .local/share/gnome-boxes when virt-aa-helper isn't
launched by boxes seems wrong.
Cheers,
nodens
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8),
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.115
ii debconf 1.5.63
ii gettext-base 0.19.8.1-2+b1
ii init-system-helpers 1.49
ii iptables 1.6.1-2
ii libapparmor1 2.11.0-10
ii libaudit1 1:2.7.7-1+b2
ii libblkid1 2.29.2-2
ii libc6 2.24-14
ii libcap-ng0 0.7.7-3+b1
ii libdbus-1-3 1.11.16+really1.10.22-1
ii libdevmapper1.02.1 2:1.02.137-2+b1
ii libnl-3-200 3.2.27-2
ii libnl-route-3-200 3.2.27-2
ii libnuma1 2.0.11-2.1
ii libselinux1 2.6-3+b2
ii libvirt-clients 3.6.0-1
ii libvirt-daemon 3.6.0-1
ii libvirt0 3.6.0-1
ii libxml2 2.9.4+dfsg1-3
ii libyajl2 2.1.0-2+b3
ii logrotate 3.11.0-0.1
ii lsb-base 9.20161125
ii policykit-1 0.105-18
Versions of packages libvirt-daemon-system recommends:
ii bridge-utils 1.5-14
ii dmidecode 3.1-1
ii dnsmasq-base 2.77-2
ii ebtables 2.0.10.4-3.5+b1
ii iproute2 4.9.0-1
ii parted 3.2-17
Versions of packages libvirt-daemon-system suggests:
ii apparmor 2.11.0-10
ii auditd 1:2.7.7-1+b2
ii nfs-common 1:1.3.4-2.1+b1
ii pm-utils 1.4.1-17
pn radvd <none>
ii systemd 234-2
pn systemtap <none>
pn zfsutils <none>
-- Configuration Files:
/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/clean-traffic.xml'
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-spoofing.xml'
/etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-ip-multicast.xml'
/etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-mac-broadcast.xml'
/etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
/etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/qemu-announce-self.xml'
/etc/libvirt/qemu.conf [Errno 13] Permission non accordée: '/etc/libvirt/qemu.conf'
/etc/libvirt/qemu/networks/default.xml [Errno 13] Permission non accordée: '/etc/libvirt/qemu/networks/default.xml'
-- debconf information:
libvirt-daemon-system/id_warning: true
--- End Message ---
--- Begin Message ---
Version: libvirt/3.7.0-1
Hi,
On Thu, Sep 14, 2017 at 09:13:57AM +0200, Clément Hermann wrote:
> Package: libvirt-daemon-system
> Version: 3.6.0-1
> Severity: normal
>
> Hi,
>
> the virt-aa-helper apparmor profile shipped with libvirt-daemon-system
> prevents gnome-boxes from accessing .local, and so from booting a new VM
> created from an ISO or imported.
>
> type=AVC msg=audit(1505371989.794:47034): apparmor="DENIED"
> operation="open" profile="virt-aa-helper"
> name="/home/nodens/.local/share/gnome-boxes/images/boxes-unknown"
> pid=13982 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000
>
>
> I guess the profile should be updated to allow gnome-boxes to access its
> own .local directory. However, I'm not sure about the best way to do it:
> allowing access to .local/share/gnome-boxes when virt-aa-helper isn't
> launched by boxes seems wrong.
The issue here is that virt-aa-helper should not be run for
qemu:///session. If it runs privileged, virt-aa-helper will add the
path to the VM's profile.
We had some fixes in that area in 3.7.0, and I just tried a full Debian
install + reboot with an up-to-date testing system + libvirt 3.7.0
(currently in NEW) and it worked as expected.
Cheers,
-- Guido
--- End Message ---
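As an added example (not part of the bug report, nor libvirt's or Debian's code), a small Python parser for AppArmor audit records of the shape quoted in the report: it pulls the profile, path and masks out of each DENIED event and flags when the confined helper was running as a non-root user, which is the qemu:///session case Guido's reply says virt-aa-helper should not be run for. The sample log is constructed from the report's own line plus two filler records.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the denial quoted in the bug report, plus an
# ALLOWED event and a non-AVC record to show what the filter skips.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1505371989.794:47034): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/home/nodens/.local/share/gnome-boxes/images/boxes-unknown" pid=13982 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1505371990.215:47035): apparmor="ALLOWED" operation="open" profile="virt-aa-helper" name="/etc/libvirt/qemu.conf" pid=13982 comm="virt-aa-helper" requested_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1505371989.794:47034): arch=c000003e syscall=2 success=no exit=-13
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

@dataclass
class AppArmorDenial:
    profile: str
    operation: str
    path: str
    requested_mask: str
    denied_mask: str
    fsuid: int
    ouid: int

    @property
    def unprivileged(self) -> bool:
        # A non-root fsuid means the confined helper ran as the desktop user,
        # i.e. a qemu:///session launch rather than the privileged daemon.
        return self.fsuid != 0

def parse_avc(line: str) -> Optional[AppArmorDenial]:
    """Return the denial in one audit record, or None if it is not an AppArmor DENIED event."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return AppArmorDenial(
        profile=fields.get("profile", "?"),
        operation=fields.get("operation", "?"),
        path=fields.get("name", "?"),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
        fsuid=int(fields.get("fsuid", -1)),
        ouid=int(fields.get("ouid", -1)),
    )

def denials(audit_text: str, profile: Optional[str] = None) -> List[AppArmorDenial]:
    """All DENIED events in an audit log, optionally limited to one profile."""
    found = [d for d in map(parse_avc, audit_text.splitlines()) if d]
    return [d for d in found if profile is None or d.profile == profile]
```

Feeding `SAMPLE_AUDIT` to `denials(..., profile="virt-aa-helper")` yields the single report denial, with `unprivileged` set because fsuid is 1000.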