Your message dated Wed, 06 Dec 2017 07:35:30 +0000
with message-id <[email protected]>
and subject line Bug#882979: fixed in libvirt 3.10.0-1
has caused the Debian Bug report #882979,
regarding AppArmor denies virt-aa-helper reading NSS files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
882979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-daemon-system
Version: 3.9.0-1
Tags: patch

Since recent package updates in testing, handling VMs now causes
AppArmor violations about reading NSS related files:

| audit: type=1400 audit(1511825664.488:26): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
| audit: type=1400 audit(1511825664.494:27): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
| audit: type=1400 audit(1511825664.494:28): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
| audit: type=1400 audit(1511825664.494:30): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

This doesn't seem to happen with the most trivial machines, but is
reproducible with this one that uses a real block device as disk:

---------- 8< --- /tmp/x.xml --------
<domain type='qemu' id='1'>
  <name>subVmTest1</name>
  <memory unit='KiB'>262144</memory>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.10'>hvm</type>
    <boot dev='network'/>
  </os>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sda'/>
      <target dev='hda' bus='ide'/>
      <serial>ROOT</serial>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
  </devices>
</domain>
---------- 8< -----------------------

# virsh define /tmp/x.xml; virsh start subVmTest1

This causes the above AppArmor violations. The VMs actually seem to
work fine, so this doesn't seem to be crucial.

Adding

  #include <abstractions/nameservice>

to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper works. If the helper
should deliberately not use NSS, then its code needs to be changed of
course, but allowing NSS seems harmless enough.

Thanks,

Martin
--- End Message ---
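
Added example (not part of the original report and not libvirt or Debian code): a small Python triage script that parses AppArmor DENIED audit records like the ones quoted in the report, groups the denied paths per profile, and proposes either the include line from the report or explicit rules to review. The NSS_FILES set and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Denial records as quoted in the report above, used as inline sample input.
SAMPLE_LOG = """\
audit: type=1400 audit(1511825664.488:26): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
audit: type=1400 audit(1511825664.494:27): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
audit: type=1400 audit(1511825664.494:28): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
audit: type=1400 audit(1511825664.494:30): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
"""
# Assumption: the four NSS files from the report stand in for what
# abstractions/nameservice makes readable; the real abstraction grants more.
NSS_FILES = {"/etc/nsswitch.conf", "/etc/host.conf", "/etc/resolv.conf", "/etc/hosts"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and not quoted and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # The audit layer hex-encodes names that contain spaces or quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None

def denied_paths(log_text):
    """Map profile -> {path: set of denied permission letters}."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and "name" in rec and "profile" in rec:
            result[rec["profile"]][rec["name"]].update(rec.get("denied_mask", ""))
    return result

def rule(path, mask):
    """Format one candidate file rule; paths with spaces are quoted."""
    quoted = f'"{path}"' if " " in path else path
    return f"{quoted} {''.join(sorted(mask))},"

def suggest(log_text):
    """Map profile -> candidate profile lines for a human to review."""
    out = {}
    for profile, paths in denied_paths(log_text).items():
        if set(paths) <= NSS_FILES and all(m == {"r"} for m in paths.values()):
            out[profile] = ["#include <abstractions/nameservice>"]
        else:
            out[profile] = [rule(p, m) for p, m in sorted(paths.items())]
    return out

if __name__ == "__main__":
    for profile, lines in suggest(SAMPLE_LOG).items():
        print(profile, lines)
```

When any denial falls outside the read-only NSS set, the script lists explicit per-path rules instead, so a broad include is never proposed for an unrelated access.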
--- Begin Message ---
Source: libvirt
Source-Version: 3.10.0-1

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Tue, 05 Dec 2017 14:55:51 +0100
Source: libvirt
Binary: libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-sheepdog libvirt-daemon-driver-storage-zfs libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt libvirt-wireshark
Architecture: source
Version: 3.10.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description:
 libnss-libvirt - nss plugin providing IP address resolution for virtual machines
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon - Virtualization daemon
 libvirt-daemon-driver-storage-gluster - Virtualization daemon glusterfs storage driver
 libvirt-daemon-driver-storage-rbd - Virtualization daemon RBD storage driver
 libvirt-daemon-driver-storage-sheepdog - Virtualization daemon Sheedog storage driver
 libvirt-daemon-driver-storage-zfs - Virtualization daemon ZFS storage driver
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
 libvirt-wireshark - Wireshark dissector for the libvirt protocol
 libvirt0 - library for interfacing with different virtualization systems
Closes: 882979 883109
Changes:
 libvirt (3.10.0-1) unstable; urgency=medium
 .
   * [0d103b6] Bump standards version
   * [3eca017] Add russian debconf translation.
     Thanks to Lev Lamberov (Closes: #883109)
   * [04da2ca] New upstream version 3.10.0
   * [f311e52] Drop AppArmor-add-rules-needed-with-additional-mediation-featu.patch - fixed upstream
   * [0c7f363] Bump symbol versions
   * [cbe1699] Use recent debhelper instead of dh-systemd
   * [c757791] apparmor: Allow virt-aa-helper to access the name service switch.
     Thanks to Martin Pitt (Closes: #882979)
--- End Message ---

