[Pkg-libvirt-maintainers] Bug#900611: Bug#900611: libvirt-daemon-system: deamon not start, problem in apparmor config

Guido Günther agx at sigxcpu.org
Sat Jun 2 16:02:14 BST 2018


What's the bug you're seeing? What's in the logs (journal, dmesg,
syslog, libvirt's logs)? Please provide proper information to reproduce.
 -- Guido

On Sat, Jun 02, 2018 at 01:45:55AM +0300, rem_lex wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u3
> Severity: normal
> 
> -- System Information:
> Debian Release: 9.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.15.17-2-pve (SMP w/2 CPU cores)
> Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8), LANGUAGE=ru_UA:ru (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages libvirt-daemon-system depends on:
> ii  adduser                3.115
> ii  debconf [debconf-2.0]  1.5.61
> ii  gettext-base           0.19.8.1-2
> ii  init-system-helpers    1.48
> ii  iptables               1.6.0+snapshot20161117-6
> ii  libapparmor1           2.11.0-3+deb9u2
> ii  libaudit1              1:2.6.7-2
> ii  libblkid1              2.29.2-1+deb9u1
> ii  libc6                  2.24-11+deb9u3
> ii  libcap-ng0             0.7.7-3+b1
> ii  libdbus-1-3            1.10.26-0+deb9u1
> ii  libdevmapper1.02.1     2:1.02.137-pve6
> ii  libnl-3-200            3.2.27-2
> ii  libnl-route-3-200      3.2.27-2
> ii  libnuma1               2.0.11-2.1
> ii  librados2              10.2.5-7.2
> ii  librbd1                10.2.5-7.2
> ii  libselinux1            2.6-3+b3
> ii  libvirt-clients        3.0.0-4+deb9u3
> ii  libvirt-daemon         3.0.0-4+deb9u3
> ii  libvirt0               3.0.0-4+deb9u3
> ii  libxml2                2.9.4+dfsg1-2.2+deb9u2
> ii  libyajl2               2.1.0-2+b3
> ii  logrotate              3.11.0-0.1
> ii  lsb-base               9.20161125
> ii  policykit-1            0.105-18
> 
> Versions of packages libvirt-daemon-system recommends:
> ii  bridge-utils  1.5-13+deb9u1
> ii  dmidecode     3.0-4
> ii  dnsmasq-base  2.76-5+deb9u1
> ii  ebtables      2.0.10.4-3.5+b1
> ii  iproute2      4.13.0-3
> ii  parted        3.2-17
> 
> Versions of packages libvirt-daemon-system suggests:
> ii  apparmor    2.11.0-3+deb9u2
> pn  auditd      <none>
> ii  nfs-common  1:1.3.4-2.1
> ii  pm-utils    1.4.1-17
> pn  radvd       <none>
> ii  systemd     232-25+deb9u3
> pn  systemtap   <none>
> pn  zfsutils    <none>
> 
> -- Configuration Files:
> /etc/apparmor.d/usr.sbin.libvirtd changed:
> @{LIBVIRT}="libvirt"
> /usr/sbin/libvirtd flags=(attach_disconnected) {
>   #include <abstractions/base>
>   #include <abstractions/dbus>
>   capability kill,
>   capability net_admin,
>   capability net_raw,
>   capability setgid,
>   capability sys_admin,
>   capability sys_module,
>   capability sys_ptrace,
>   capability sys_pacct,
>   capability sys_nice,
>   capability sys_chroot,
>   capability setuid,
>   capability dac_override,
>   capability dac_read_search,
>   capability fowner,
>   capability chown,
>   capability setpcap,
>   capability mknod,
>   capability fsetid,
>   capability audit_write,
>   capability ipc_lock,
>   # Needed for vfio
>   capability sys_resource,
>   network inet stream,
>   network inet dgram,
>   network inet6 stream,
>   network inet6 dgram,
>   network packet dgram,
>   network packet raw,
>   network netlink raw,
>   # Very lenient profile for libvirtd since we want to first focus on confining
>   # the guests. Guests will have a very restricted profile.
>   / r,
>   /** rwmkl,
>   /bin/* PUx,
>   /sbin/* PUx,
>   /usr/bin/* PUx,
>   /usr/sbin/virtlogd pix,
>   /usr/sbin/* PUx,
>   /{usr/,}lib/udev/scsi_id PUx,
>   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>   /usr/{lib,lib64}/xen/bin/* Ux,
>   # force the use of virt-aa-helper
>   audit deny /{usr/,}sbin/apparmor_parser rwxl,
>   audit deny /etc/apparmor.d/libvirt/** wxl,
>   audit deny /sys/kernel/security/apparmor/features rwxl,
>   audit deny /sys/kernel/security/apparmor/matching rwxl,
>   audit deny /sys/kernel/security/apparmor/.* rwxl,
>   /sys/kernel/security/apparmor/profiles r,
>   /usr/{lib,lib64}/libvirt/* PUxr,
>   /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
>   /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
>   /etc/libvirt/hooks/** rmix,
>   /etc/xen/scripts/** rmix,
>   # allow changing to our UUID-based named profiles
>   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
>   # child profile for bridge helper process
>   profile qemu_bridge_helper {
>    #include <abstractions/base>
>    capability setuid,
>    capability setgid,
>    capability setpcap,
>    capability net_admin,
>    network inet stream,
>    /dev/net/tun rw,
>    /etc/qemu/** r,
>    owner @{PROC}/*/status r,
>    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
>   }
>   
>   # Site-specific additions and overrides. See local/README for details.
>   #include <local/usr.sbin.libvirtd>
> }
> 
> /etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-arp.xml'
> /etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
> /etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-dhcp.xml'
> /etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
> /etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/allow-ipv4.xml'
> /etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/clean-traffic.xml'
> /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
> /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
> /etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-arp-spoofing.xml'
> /etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-ip-multicast.xml'
> /etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-ip-spoofing.xml'
> /etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-mac-broadcast.xml'
> /etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-mac-spoofing.xml'
> /etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
> /etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
> /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
> /etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Отказано в доступе: '/etc/libvirt/nwfilter/qemu-announce-self.xml'
> /etc/libvirt/qemu.conf [Errno 13] Отказано в доступе: '/etc/libvirt/qemu.conf'
> /etc/libvirt/qemu/networks/default.xml [Errno 13] Отказано в доступе: '/etc/libvirt/qemu/networks/default.xml'
> 
> -- debconf information:
>   libvirt-daemon-system/id_warning: true
