[Pkg-libvirt-maintainers] Bug#889150: libvirt-daemon-system: Please provide updated AppArmor profiles for stretch or stretch-backports

Hilko Bengen bengen at debian.org
Fri Feb 2 17:54:20 UTC 2018


Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u1
Severity: normal

Hi,

on a Debian/stretch system with a current kernel from stretch-backports,
I tried putting together a qemu/libvirtd/virt-manager setup and noticed
that libvirt was not able to properly shut down VMs that it had started.

The problem was observable in at least two ways:

(1) Triggering the "shut down" action from virt-manager leads to a
Windows VM showing the shutdown screen; the mouse cursor can no longer
be moved. Typing "list" in virsh tells me that the VM is in state "in
shutdown".

(2) Typing "destroy $NAME" in virsh produces an error message:
,----
| error: Failed to destroy domain $NAME
| error: Failed to terminate process $PID with SIGTERM: Permission denied
`----

Manually killing the qemu process and repeating the "destroy" command
leads to the desired result (state "shut off").

From the audit log, it is clear that AppArmor (which is enabled by
default in the kernel from stretch-backports) prevents the delivery of
signals. I was able to fix the issue for myself by using
/etc/apparmor.d/* from a newer libvirt-daemon-system version (3.10.0-1).

Please consider doing at least one of the following:
- an update of the AppArmor profile through proposed-updates and the
  next point release
- an update of libvirt via stretch-backports.

I am willing to help with either solution.

Cheers,
-Hilko

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  gettext-base           0.19.8.1-2
ii  init-system-helpers    1.48
ii  iptables               1.6.0+snapshot20161117-6
ii  libapparmor1           2.11.0-3
ii  libaudit1              1:2.6.7-2
ii  libblkid1              2.29.2-1
ii  libc6                  2.24-11+deb9u1
ii  libcap-ng0             0.7.7-3+b1
ii  libdbus-1-3            1.10.24-0+deb9u1
ii  libdevmapper1.02.1     2:1.02.137-2
ii  libnl-3-200            3.2.27-2
ii  libnl-route-3-200      3.2.27-2
ii  libnuma1               2.0.11-2.1
ii  librados2              10.2.5-7.2
ii  librbd1                10.2.5-7.2
ii  libselinux1            2.6-3+b3
ii  libvirt-clients        3.0.0-4+deb9u1
ii  libvirt-daemon         3.0.0-4+deb9u1
ii  libvirt0               3.0.0-4+deb9u1
ii  libxml2                2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2               2.1.0-2+b3
ii  logrotate              3.11.0-0.1
ii  lsb-base               9.20161125
ii  policykit-1            0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-13+deb9u1
ii  dmidecode     3.0-4
ii  dnsmasq-base  2.76-5+deb9u1
ii  ebtables      2.0.10.4-3.5+b1
ii  iproute2      4.9.0-1+deb9u1
ii  parted        3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.11.0-3
ii  auditd      1:2.6.7-2
ii  nfs-common  1:1.3.4-2.1
ii  pm-utils    1.4.1-17
pn  radvd       <none>
ii  systemd     232-25+deb9u1
ii  systemtap   3.1-2
pn  zfsutils    <none>
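
Added example, not part of the original report: one way to pull AppArmor signal denials out of an audit log to confirm the diagnosis described above. The log lines are constructed; the record layout, the profile name `/usr/sbin/libvirtd` and the per-domain `libvirt-<UUID>` profile name are assumptions, since the report does not quote its audit records.

```python
import re
from collections import Counter

# Constructed sample records (assumed AppArmor audit layout); timestamps,
# pids and the domain UUID are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1517594001.101:210): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1402 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirt-00000000-0000-0000-0000-000000000001"
type=AVC msg=audit(1517594001.101:211): apparmor="DENIED" operation="signal" profile="libvirt-00000000-0000-0000-0000-000000000001" pid=1402 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1517594002.500:212): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/proc/1402/stat" pid=1402 comm="libvirtd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1517594003.900:213): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def signal_denials(log_text):
    """List (profile, denied_mask, signal, peer) for each denied signal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "signal":
            hits.append((rec.get("profile", "?"), rec.get("denied_mask", "?"),
                         rec.get("signal", "?"), rec.get("peer", "?")))
    return hits


def summarize(log_text):
    """Count identical denials so a repeated failure shows up once."""
    return Counter(signal_denials(log_text))


if __name__ == "__main__":
    for (profile, mask, sig, peer), n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x profile={profile} may not {mask} signal={sig} peer={peer}")
```

A denial in the "send" direction names the profile that lacks a `signal` rule for the sender, and one in the "receive" direction names the profile of the process that refused delivery; both sides need a matching rule.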


