Control: tag -1 + moreinfo

Hi Guido,

Guido Günther wrote (03 Jun 2016 11:53:39 GMT) :
> I've been trying to debug why libvirt fails to start qemu:///session
> domains. Suspecting apparmor into the mix I did:
>
> $ aa-complain /usr/sbin/libvirtd
> $ virsh -c qemu:///session start sqs
> error: Failed to start domain sqs
> error: Failed to connect socket to '/run/user/1000/libvirt/virtlogd-sock': Connection refused
>
> However if I do:
>
> $ aa-disable /usr/sbin/libvirtd
> $ virsh -c qemu:///session start sqs
> Domain sqs started
>
> I've attached the domain XML to reproduce. Libvirt is 1.3.5~rc1 from
> experimental but 1.3.4 shows this as well.

Thanks for sharing!

> As to my understanding complain mode shouldn't have any ill effects
> therefore I'm filing this as important.

I can't tell for sure until I've seen the corresponding logs, but I *guess* that what's happening is: setting the usr.sbin.libvirtd profile to "complain" affects that profile, and only that one; the per-guest profiles libvirt generates are not affected. libvirtd is still allowed to do that:

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

... if security_driver is configured to use AppArmor in /etc/libvirt/qemu.conf.

And aa-disable does a very different thing: it fully unloads the profile from the kernel, and then somehow libvirtd must be denied the change_profile operation, so the buggy auto-generated per-guest profile is not switched to.

If my guess is right, then there's no bug in AppArmor itself (except perhaps change_profile should pass through the complain flag to the profile it switches to?).

To confirm this, we need:

 * the kernel / auditd logs from AppArmor, when the profile is in complain or enforce mode
 * the generated profile (/etc/apparmor.d/libvirt/libvirt-${uuid}*)

Cheers,
-- 
intrigeri
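To check the hypothesis above against the logs being requested, here is an added example (not code from the thread or from libvirt/AppArmor) that triages AppArmor audit lines: it separates complain-mode records (logged as apparmor="ALLOWED" and let through) from enforced apparmor="DENIED" records, and reports which profile emitted each, so a denial coming from a per-guest libvirt-<uuid> profile while /usr/sbin/libvirtd is in complain mode stands out. The log lines are constructed and the UUID is a placeholder.

```python
import re

# Constructed sample audit lines (not from the bug report); the UUID in the
# per-guest profile name is a placeholder, not a real libvirt domain UUID.
SAMPLE_LOG = """\
type=AVC msg=audit(1464954819.101:301): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=4242 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1464954819.102:302): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-00000000-0000-4000-8000-000000000000" pid=4243 comm="apparmor_parser"
type=AVC msg=audit(1464954819.103:303): apparmor="DENIED" operation="connect" profile="libvirt-00000000-0000-4000-8000-000000000000" name="/run/user/1000/libvirt/virtlogd-sock" pid=4244 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
"""

# key="value" pairs as AppArmor writes them into audit records
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# shape of the UUID-based per-guest profile names libvirt generates
GUEST_PROFILE_RE = re.compile(r"^libvirt-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$")


def parse_audit_lines(text):
    """Return one dict of fields per line that carries an apparmor= field."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "apparmor" in fields:
            events.append(fields)
    return events


def enforced_denials(events):
    """Only apparmor="DENIED" records actually blocked something; a profile in
    complain mode logs the same access as apparmor="ALLOWED" and permits it."""
    return [e for e in events if e["apparmor"] == "DENIED"]


def profiles_by_mode(events):
    """Map each profile name to the set of verdicts it produced, so an enforcing
    per-guest profile next to a complaining usr.sbin.libvirtd is visible."""
    modes = {}
    for e in events:
        if e["apparmor"] in ("ALLOWED", "DENIED"):
            modes.setdefault(e["profile"], set()).add(e["apparmor"])
    return modes


def is_guest_profile(name):
    """True for a libvirt-<uuid> profile, as opposed to /usr/sbin/libvirtd itself."""
    return bool(GUEST_PROFILE_RE.match(name))


if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_LOG)
    for d in enforced_denials(evs):
        print("enforced by", d["profile"], "guest profile:", is_guest_profile(d["profile"]), "->", d["name"])
    print(profiles_by_mode(evs))
```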