[Bug 453335] Re: apparmor complains about write access to a readonly file
Correction: the bug number for the other bug is #1004606

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/453335

Title:
  apparmor complains about write access to a readonly file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/453335/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 453335] Re: apparmor complains about write access to a readonly file
I think this is actually causing a moderately serious regression with snapshots. If you look at the contents of an apparmor define for an example VM, the deny that silences the error here also prevents snapshot commits from working and, because the error is hidden, makes this extra difficult to debug.

  "/var/log/libvirt/**/OpenWRT.log" w,
  "/var/lib/libvirt/**/OpenWRT.monitor" rw,
  "/var/run/libvirt/**/OpenWRT.pid" rwk,
  "/run/libvirt/**/OpenWRT.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.OpenWRT" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.OpenWRT" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4-zfs-1.qcow2" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" r,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" w,
  /dev/vhost-net rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" rw,

The bug number for the snapshot bug is #453335
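An added example, not part of the thread and not libvirt or AppArmor code: a small Python check for the situation the message above describes, where a `deny ... w` rule and an `rw` rule name the same path. AppArmor deny rules take precedence over allow rules and are not logged unless written as `audit deny`, so the write is refused without a kernel log entry. The sample rules are constructed from the ones quoted above, the function names are hypothetical, and only literal path matches are compared (globs are not evaluated).

```python
import re

# Constructed sample, modelled on the per-VM rules quoted in the message above.
SAMPLE = '''
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4-zfs-1.qcow2" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" r,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" w,
  /dev/vhost-net rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" rw,
'''

# File rule: optional audit/deny qualifiers, quoted or bare path, permissions, comma.
RULE = re.compile(
    r'^\s*((?:audit\s+|deny\s+)*)(?:"([^"]+)"|(/\S*))\s+([A-Za-z]+)\s*,\s*(?:#.*)?$')


def parse_rules(text):
    """Yield (line_no, is_deny, is_audited, path, perms) for each file rule."""
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if m:
            quals = m.group(1).split()
            yield (no, "deny" in quals, "audit" in quals,
                   m.group(2) or m.group(3), set(m.group(4)))


def masked_allows(text):
    """Find allow rules whose permissions a deny rule on the same path overrides."""
    rules = list(parse_rules(text))
    denies = [r for r in rules if r[1]]
    findings = []
    for no, is_deny, _, path, perms in rules:
        if is_deny:
            continue
        for d_no, _, d_audited, d_path, d_perms in denies:
            overlap = perms & d_perms
            if d_path == path and overlap:
                findings.append({
                    "path": path, "allow_line": no, "deny_line": d_no,
                    "perms": "".join(sorted(overlap)),
                    # A plain deny is not logged; only "audit deny" is.
                    "silent": not d_audited})
    return findings


if __name__ == "__main__":
    for f in masked_allows(SAMPLE):
        how = "silently" if f["silent"] else "with an audit record"
        print(f'line {f["allow_line"]}: {f["path"]} allows "{f["perms"]}" but '
              f'line {f["deny_line"]} denies it {how}')
```

A read-only rule paired with `deny ... w`, as in the ISO example elsewhere in this thread, produces no finding because the allow rule never granted write.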
[Bug 453335] Re: apparmor complains about write access to a readonly file
This bug was fixed in the package libvirt - 0.7.0-1ubuntu13.1

---
libvirt (0.7.0-1ubuntu13.1) karmic-proposed; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of
    telling kvm/qemu that the device should be opened readonly.
    (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)

 -- Jamie Strandboge  Mon, 09 Nov 2009 17:12:32 -0600

** Changed in: libvirt (Ubuntu Karmic)
       Status: Fix Committed => Fix Released
[Bug 453335] Re: apparmor complains about write access to a readonly file
This bug was fixed in the package linux - 2.6.31-15.50

---
linux (2.6.31-15.50) karmic-proposed; urgency=low

  [ Kees Cook ]

  * SAUCE: Fix nx_enable reporting
    - LP: #454285

linux (2.6.31-15.49) karmic-proposed; urgency=low

  [ Benjamin Herrenschmidt ]

  * [Upstream] (drop after 2.6.31) usb-storage: Workaround devices with
    bogus sense size
    - LP: #446146

  [ John Johansen ]

  * SAUCE: AppArmor: AppArmor wrongly reports allow perms as denied
    - LP: #453335
  * SAUCE: AppArmor: Policy load and replacement can fail to alloc mem
    - LP: #458299
  * SAUCE: AppArmor: AppArmor fails to audit change_hat correctly
    - LP: #462824
  * SAUCE: AppArmor: AppArmor disallows truncate of deleted files.
    - LP: #451375

  [ Kees Cook ]

  * SAUCE: [x86] fix report of cs-limit nx-emulation
    - LP: #454285

  [ Scott James Remnant ]

  * Revert "SAUCE: trace: add trace_event for the open() syscall"
  * SAUCE: trace: add trace events for open(), exec() and uselib()
    - LP: #462111

  [ Stefan Bader ]

  * SAUCE: Fix sub-flavour script to not stop on missing directories
    - LP: #453073

  [ Tim Gardner ]

  * [Upstream] (drop after 2.6.31) Input: synaptics - add another Protege
    M300 to rate blacklist
    - LP: #433801

  [ Upstream Kernel Changes ]

  * PM: Make warning in suspend_test_finish() less likely to happen
    - LP: #464552

 -- Stefan Bader  Tue, 10 Nov 2009 14:31:52 +0100

** Changed in: linux (Ubuntu Karmic)
       Status: Fix Committed => Fix Released
[Bug 453335] Re: apparmor complains about write access to a readonly file
Both the kernel and libvirt are ready to go to -updates, so I remove the v-failed reminder tag now.

** Tags removed: verification-failed
[Bug 453335] Re: apparmor complains about write access to a readonly file
Thanks for the testing. I added a verification-failed tag purely to avoid me accidentally copying to -updates before the kernel. I'll revisit this when the kernel is in, then it can go to -updates.

** Tags added: verification-done
** Tags removed: verification-needed
** Tags added: verification-failed
[Bug 453335] Re: apparmor complains about write access to a readonly file
** Branch linked: lp:ubuntu/linux-mvl-dove
[Bug 453335] Re: apparmor complains about write access to a readonly file
** Branch linked: lp:ubuntu/linux-fsl-imx51
[Bug 453335] Re: apparmor complains about write access to a readonly file
With libvirt 0.7.0-1ubuntu13.1 and kernel 2.6.31-15.49-generic, I get the following in /etc/apparmor.d/libvirt/libvirt-.files:

  "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" r,
  # don't audit writes to readonly media
  deny "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" w,

Starting the VM results in access to the iso without the confusing denial message. In other words, this bug is fixed with the libvirt and kernel packages in -proposed.

Again, please do not copy libvirt to -updates before the kernel. Thanks!
[Bug 453335] Re: apparmor complains about write access to a readonly file
** Changed in: libvirt (Ubuntu Karmic)
       Status: In Progress => Fix Committed

** Changed in: libvirt (Ubuntu Lucid)
    Milestone: karmic-updates => None

** Changed in: linux (Ubuntu Lucid)
    Milestone: karmic-updates => None

** Changed in: linux (Ubuntu Lucid)
       Status: In Progress => Fix Released
[Bug 453335] Re: apparmor complains about write access to a readonly file
This bug was fixed in the package libvirt - 0.7.0-1ubuntu14

---
libvirt (0.7.0-1ubuntu14) lucid; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of
    telling kvm/qemu that the device should be opened readonly.
    (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)

 -- Jamie Strandboge  Mon, 09 Nov 2009 17:11:05 -0600

** Changed in: libvirt (Ubuntu Lucid)
       Status: In Progress => Fix Released
[Bug 453335] Re: apparmor complains about write access to a readonly file
I should also mention that libvirt should *MUST* be moved to karmic-updates at the same time or after the kernel SRU for this bug, ie 2.6.31-15.49.
[Bug 453335] Re: apparmor complains about write access to a readonly file
SRU (libvirt)

Impact: confusing messages in kernel log. Told access to ISO is denied, but it is correctly allowed.

Bug is addressed in Lucid adding a deny rule for the 'w' action, which silences the message while still enforcing readonly

Patch is debian/patches/9094-lp453335.patch

See comment #7

The regression potential is considered low. It passes the qa-regression-testing script. The added deny rule does nothing except silence a confusing denial message.
[Bug 453335] Re: apparmor complains about write access to a readonly file
** Also affects: libvirt (Ubuntu Lucid)
   Importance: Medium
     Assignee: Jamie Strandboge (jdstrand)
       Status: In Progress

** Also affects: linux (Ubuntu Lucid)
   Importance: Medium
     Assignee: John Johansen (jjohansen)
       Status: In Progress
[Bug 453335] Re: apparmor complains about write access to a readonly file
Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

** Tags added: verification-needed
[Bug 453335] Re: apparmor complains about write access to a readonly file
** Changed in: linux (Ubuntu)
       Status: Triaged => In Progress

** Changed in: linux (Ubuntu Karmic)
       Status: Triaged => In Progress
[Bug 453335] Re: apparmor complains about write access to a readonly file
The latest version works well too: http://kernel.ubuntu.com/~jj/linux-image-2.6.31-14-generic_2.6.31-14.49~jj_amd64.deb
[Bug 453335] Re: apparmor complains about write access to a readonly file
This kernel allows me to have things like this in the profile and have it work as expected:

  "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" r,
  # don't audit writes to readonly media
  deny "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" w,

Ie, jj's kernel fixes this for me.
[Bug 453335] Re: apparmor complains about write access to a readonly file
I have placed a test kernel at http://kernel.ubuntu.com/~jj/linux-image-2.6.31-14-generic_2.6.31-14.48~jj_amd64.deb
[Bug 453335] Re: apparmor complains about write access to a readonly file
** Tags added: apparmor