[pkg-apparmor] Bug#826218: Complain still interferes

intrigeri intrigeri at debian.org
Sat Jun 4 12:56:39 UTC 2016


Hi Guido,

Guido Günther wrote (03 Jun 2016 13:29:05 GMT) :
> On Fri, Jun 03, 2016 at 02:51:12PM +0200, intrigeri wrote:
>> I can't tell for sure until I've seen the corresponding logs, but
>> I *guess* that what's happening is: setting the usr.sbin.libvirtd
>> profile to "complain" affects that profile, and only that one; the
>> per-guest profiles libvirt generates are not affected. libvirtd is
>> still allowed to do that:

> If that were true, wouldn't undefining and then redefining the domain
> (therefore switching to a different UUID) resolve the problem? I have
> tried this before and it doesn't.

Well, when doing that, a new profile (corresponding to the new UUID)
will be generated when starting up the new domain, and presumably it
will prevent the domain's startup in just the same way as the previous
profile, no?

(Still, I was mostly guessing there, and I am totally ready to accept
I was guessing wrong :)

> Note also that the problem is with starting virtlogd (which is spawned
> from libvirtd, not the VM). The issue manifests as virtlogd parsing
> incorrect stuff from the environment[1].

Now that's interesting! The logs I'm requesting below should help me
understand better what's happening:

>> To confirm this, we need:
>> 
>>  * the kernel / auditd logs from AppArmor, when the profile is in
>>    complain or enforce mode

[... snipping logs about the parser load/etc. operations ...]

Let me be more specific: I would like to see the log about what
AppArmor blocks (the corresponding log entries should contain the
"DENIED" string).

>>  * the generated profile (/etc/apparmor.d/libvirt/libvirt-${uuid}*)

> As far as I can tell there are no new files generated with the uuid of the
> sqs domain.

Hmmm, OK. Here I have to admit that I have no clue how libvirt handles
AppArmor with qemu:///session; I've never tried it myself, and I don't
even know if it's supposed to be supported. Can you reproduce this
problem with qemu:///system?

I guess that at some point I should simply try and run your
autopkgtest myself to investigate, but first if you don't mind I'd
like a little bit more input from you, until we can be certain whether
it's a bug in AppArmor or in libvirt's AppArmor integration.
Fair enough?

Cheers,
-- 
intrigeri
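The message above asks for the AppArmor kernel/auditd entries and notes that switching one profile to complain mode affects only that profile, while the per-guest profiles libvirt generates keep enforcing. The following is an added example (not part of the mailing-list thread, and not libvirt's or AppArmor's own tooling) that parses AppArmor audit lines and groups them per profile, so that complain-mode entries (logged as apparmor="ALLOWED") and real denials (apparmor="DENIED") can be told apart per profile. The log lines, paths, pids and the all-zero guest UUID are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the bug report) in the kernel/auditd
# format AppArmor emits. AppArmor records a violation under a complain-mode
# profile as apparmor="ALLOWED" instead of "DENIED", so grepping only for
# DENIED misses what that profile would have blocked.
SAMPLE_LOG = """\
type=AVC msg=audit(1465044999.001:101): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/tmp/constructed-example" pid=4242 comm="virtlogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465045000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/tmp/constructed-example" pid=4243 comm="virtlogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1465045001.003:103): apparmor="DENIED" operation="exec" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/tmp/constructed-example" pid=4244 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1465045002.004:104): arch=c000003e syscall=2 success=yes exit=3
"""

# key="quoted value" or key=bare-value, as used in audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None when
    the line carries no apparmor= status field (i.e. is not an AppArmor
    event at all)."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    if "apparmor" not in fields:
        return None
    return fields


def summarize(log_text):
    """Map each profile to its (status, operation, comm, name) events in
    log order. Events without a profile= field are filed under
    'unconfined'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f is None:
            continue
        events[f.get("profile", "unconfined")].append(
            (f["apparmor"], f.get("operation"), f.get("comm"), f.get("name")))
    return dict(events)


def denying_profiles(summary):
    """Profiles whose most recent entry is a DENIED: these still block
    something, whichever other profile was switched to complain mode."""
    return sorted(p for p, evs in summary.items() if evs[-1][0] == "DENIED")


def complain_profiles(summary):
    """Profiles whose most recent entry is an ALLOWED, i.e. that are
    currently in complain mode and only logging what they would deny."""
    return sorted(p for p, evs in summary.items() if evs[-1][0] == "ALLOWED")


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for profile, evs in summary.items():
        print(profile)
        for status, op, comm, name in evs:
            print(f"  {status:8} {op:6} comm={comm} name={name}")
    print("still denying:", denying_profiles(summary))
    print("in complain mode:", complain_profiles(summary))
```

Run over real `/var/log/audit/audit.log` or `dmesg` output, the per-profile view makes it obvious when the profile that was put into complain mode is not the one producing the DENIED entries.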